feat: add authorization for api calls

2025-11-13 16:23:06 +10:00 · 2023-11-30 14:39:31 +02:00
parent 76800674ee
commit 6be4b7ae90
4 changed files with 107 additions and 7 deletions
--- a/apps/web/src/pages/api/v1/[...ts-rest].tsx
+++ b/apps/web/src/pages/api/v1/[...ts-rest].tsx
@ -1,16 +1,38 @@
 import type { NextApiRequest, NextApiResponse } from 'next';

+import { deleteDraftDocument } from '@documenso/lib/server-only/document/delete-draft-document';
 import { getDocumentById } from '@documenso/lib/server-only/document/get-document-by-id';
 import { getDocuments } from '@documenso/lib/server-only/public-api/get-documents';
+import { checkUserFromToken } from '@documenso/lib/server-only/public-api/get-user-by-token';
 import { contract } from '@documenso/trpc/api-contract/contract';
 import { createNextRoute, createNextRouter } from '@documenso/trpc/server/public-api/ts-rest';

+const validateUserToken = async (token: string) => {
+  try {
+    return await checkUserFromToken({ token });
+  } catch (e) {
+    return null;
+  }
+};
+
 const router = createNextRoute(contract, {
  getDocuments: async (args) => {
    const page = Number(args.query.page) || 1;
    const perPage = Number(args.query.perPage) || 10;
+    const { authorization } = args.headers;

-    const { documents, totalPages } = await getDocuments({ page, perPage });
+    const user = await validateUserToken(authorization);
+
+    if (!user) {
+      return {
+        status: 401,
+        body: {
+          message: 'Unauthorized',
+        },
+      };
+    }
+
+    const { documents, totalPages } = await getDocuments({ page, perPage, userId: user.id });

    return {
      status: 200,
@ -21,12 +43,66 @@ const router = createNextRoute(contract, {
    };
  },
  getDocument: async (args) => {
-    const document = await getDocumentById(args.params.id);
+    const { id: documentId } = args.params;
+    const { authorization } = args.headers;

-    return {
-      status: 200,
-      body: document,
-    };
+    const user = await validateUserToken(authorization);
+
+    if (!user) {
+      return {
+        status: 401,
+        body: {
+          message: 'Unauthorized',
+        },
+      };
+    }
+
+    try {
+      const document = await getDocumentById({ id: Number(documentId), userId: user.id });
+
+      return {
+        status: 200,
+        body: document,
+      };
+    } catch (e) {
+      return {
+        status: 404,
+        body: {
+          message: 'Document not found',
+        },
+      };
+    }
+  },
+  deleteDocument: async (args) => {
+    const { id: documentId } = args.params;
+    const { authorization } = args.headers;
+
+    const user = await validateUserToken(authorization);
+
+    if (!user) {
+      return {
+        status: 401,
+        body: {
+          message: 'Unauthorized',
+        },
+      };
+    }
+
+    try {
+      const document = await deleteDraftDocument({ id: Number(documentId), userId: user.id });
+
+      return {
+        status: 200,
+        body: document,
+      };
+    } catch (e) {
+      return {
+        status: 404,
+        body: {
+          message: 'Document not found',
+        },
+      };
+    }
  },
 });

--- a/packages/lib/server-only/public-api/get-documents.ts
+++ b/packages/lib/server-only/public-api/get-documents.ts
@ -3,11 +3,15 @@ import { prisma } from '@documenso/prisma';
 type GetDocumentsProps = {
  page: number;
  perPage: number;
+  userId: number;
 };

-export const getDocuments = async ({ page = 1, perPage = 10 }: GetDocumentsProps) => {
+export const getDocuments = async ({ page = 1, perPage = 10, userId }: GetDocumentsProps) => {
  const [documents, count] = await Promise.all([
    await prisma.document.findMany({
+      where: {
+        userId,
+      },
      take: perPage,
      skip: Math.max(page - 1, 0) * perPage,
    }),
--- a/packages/lib/server-only/public-api/get-user-by-token.ts
+++ b/packages/lib/server-only/public-api/get-user-by-token.ts
@ -0,0 +1,15 @@
+import { prisma } from '@documenso/prisma';
+
+export const checkUserFromToken = async ({ token }: { token: string }) => {
+  const user = await prisma.user.findFirstOrThrow({
+    where: {
+      ApiToken: {
+        some: {
+          token: token,
+        },
+      },
+    },
+  });
+
+  return user;
+};
--- a/packages/trpc/api-contract/contract.ts
+++ b/packages/trpc/api-contract/contract.ts
@ -40,6 +40,8 @@ export const contract = c.router(
      query: GetDocumentsQuerySchema,
      responses: {
        200: SuccessfulResponseSchema,
+        401: UnsuccessfulResponseSchema,
+        404: UnsuccessfulResponseSchema,
      },
      summary: 'Get all documents',
    },
@ -48,6 +50,8 @@ export const contract = c.router(
      path: `/documents/:id`,
      responses: {
        200: DocumentSchema,
+        401: UnsuccessfulResponseSchema,
+        404: UnsuccessfulResponseSchema,
      },
      summary: 'Get a single document',
    },
@ -57,6 +61,7 @@ export const contract = c.router(
      body: z.string(),
      responses: {
        200: DocumentSchema,
+        401: UnsuccessfulResponseSchema,
        404: UnsuccessfulResponseSchema,
      },
      summary: 'Delete a document',