allow adding field via recipient token for signing

2025-11-13 08:13:56 +10:00 · 2023-03-20 15:11:20 +01:00
parent dd67e1a6f0
commit 7d6bd00a22
3 changed files with 32 additions and 13 deletions
--- a/apps/web/components/editor/pdf-signer.tsx
+++ b/apps/web/components/editor/pdf-signer.tsx
@ -173,7 +173,11 @@ export default function PDFSigner(props: any) {
      FieldType.FREE_SIGNATURE
    );
-    createOrUpdateField(props.document, freeSignatureField).then((res) => {
+    createOrUpdateField(
      props.document,
      freeSignatureField,
      recipient.token
    ).then((res) => {
      setFields(fields.concat(res));
      setDialogField(res);
      setOpen(true);
--- a/apps/web/pages/api/documents/[id]/fields/index.ts
+++ b/apps/web/pages/api/documents/[id]/fields/index.ts
@ -36,8 +36,10 @@ async function getHandler(req: NextApiRequest, res: NextApiResponse) {
 }
 async function postHandler(req: NextApiRequest, res: NextApiResponse) {
-  const user = await getUserFromToken(req, res);
+  const { token: recipientToken } = req.query;
-  const { id: documentId } = req.query;
+  let user = null;
  if (!recipientToken) user = await getUserFromToken(req, res);
  if (!user && !recipientToken) return res.status(401).end();
  const body: {
    id: number;
    type: FieldType;
@ -48,18 +50,30 @@ async function postHandler(req: NextApiRequest, res: NextApiResponse) {
    customText: string;
  } = req.body;
-  if (!user) return;
+  const { id: documentId } = req.query;
  if (!documentId) {
-    res.status(400).send("Missing parameter documentId.");
+    return res.status(400).send("Missing parameter documentId.");
    return;
  }
-  const document: PrismaDocument = await getDocument(+documentId, req, res);
+  if (recipientToken) {
    const recipient = await prisma.recipient.findFirst({
      where: { token: recipientToken?.toString() },
    });
-  // todo entity ownerships checks
+    if (!recipient || recipient?.documentId !== +documentId)
-  if (document.userId !== user.id) {
+      return res
-    return res.status(401).send("User does not have access to this document.");
+        .status(401)
        .send("Recipient does not have access to this document.");
  }
  if (user) {
    const document: PrismaDocument = await getDocument(+documentId, req, res);
    // todo entity ownerships checks
    if (document.userId !== user.id) {
      return res
        .status(401)
        .send("User does not have access to this document.");
    }
  }
  const field = await prisma.field.upsert({
--- a/packages/lib/api/createOrUpdateField.ts
+++ b/packages/lib/api/createOrUpdateField.ts
@ -2,11 +2,12 @@ import toast from "react-hot-toast";
 export const createOrUpdateField = async (
  document: any,
-  field: any
+  field: any,
  recipientToken: string = ""
 ): Promise<any> => {
  try {
    const created = await toast.promise(
-      fetch("/api/documents/" + document.id + "/fields", {
+      fetch("/api/documents/" + document.id + "/fields?token=" + recipientToken, {
        method: "POST",
        headers: {
          "Content-Type": "application/json",