feat: add authorization for api calls

2025-11-13 16:23:06 +10:00 · 2023-11-30 14:39:31 +02:00
parent 76800674ee
commit 6be4b7ae90
4 changed files with 107 additions and 7 deletions
--- a/apps/web/src/pages/api/v1/[...ts-rest].tsx
+++ b/apps/web/src/pages/api/v1/[...ts-rest].tsx
@ -1,16 +1,38 @@
 import type { NextApiRequest, NextApiResponse } from 'next';

+import { deleteDraftDocument } from '@documenso/lib/server-only/document/delete-draft-document';
 import { getDocumentById } from '@documenso/lib/server-only/document/get-document-by-id';
 import { getDocuments } from '@documenso/lib/server-only/public-api/get-documents';
+import { checkUserFromToken } from '@documenso/lib/server-only/public-api/get-user-by-token';
 import { contract } from '@documenso/trpc/api-contract/contract';
 import { createNextRoute, createNextRouter } from '@documenso/trpc/server/public-api/ts-rest';

+const validateUserToken = async (token: string) => {
+  try {
+    return await checkUserFromToken({ token });
+  } catch (e) {
+    return null;
+  }
+};
+
 const router = createNextRoute(contract, {
  getDocuments: async (args) => {
    const page = Number(args.query.page) || 1;
    const perPage = Number(args.query.perPage) || 10;
+    const { authorization } = args.headers;

-    const { documents, totalPages } = await getDocuments({ page, perPage });
+    const user = await validateUserToken(authorization);
+
+    if (!user) {
+      return {
+        status: 401,
+        body: {
+          message: 'Unauthorized',
+        },
+      };
+    }
+
+    const { documents, totalPages } = await getDocuments({ page, perPage, userId: user.id });

    return {
      status: 200,
@ -21,12 +43,66 @@ const router = createNextRoute(contract, {
    };
  },
  getDocument: async (args) => {
-    const document = await getDocumentById(args.params.id);
+    const { id: documentId } = args.params;
+    const { authorization } = args.headers;

-    return {
-      status: 200,
-      body: document,
-    };
+    const user = await validateUserToken(authorization);
+
+    if (!user) {
+      return {
+        status: 401,
+        body: {
+          message: 'Unauthorized',
+        },
+      };
+    }
+
+    try {
+      const document = await getDocumentById({ id: Number(documentId), userId: user.id });
+
+      return {
+        status: 200,
+        body: document,
+      };
+    } catch (e) {
+      return {
+        status: 404,
+        body: {
+          message: 'Document not found',
+        },
+      };
+    }
+  },
+  deleteDocument: async (args) => {
+    const { id: documentId } = args.params;
+    const { authorization } = args.headers;
+
+    const user = await validateUserToken(authorization);
+
+    if (!user) {
+      return {
+        status: 401,
+        body: {
+          message: 'Unauthorized',
+        },
+      };
+    }
+
+    try {
+      const document = await deleteDraftDocument({ id: Number(documentId), userId: user.id });
+
+      return {
+        status: 200,
+        body: document,
+      };
+    } catch (e) {
+      return {
+        status: 404,
+        body: {
+          message: 'Document not found',
+        },
+      };
+    }
  },
 });