allow adding field via recipient token for signing

2025-11-13 08:13:56 +10:00 · 2023-03-20 15:11:20 +01:00
parent dd67e1a6f0
commit 7d6bd00a22
3 changed files with 32 additions and 13 deletions
--- a/apps/web/components/editor/pdf-signer.tsx
+++ b/apps/web/components/editor/pdf-signer.tsx
@ -173,7 +173,11 @@ export default function PDFSigner(props: any) {
      FieldType.FREE_SIGNATURE
    );

-    createOrUpdateField(props.document, freeSignatureField).then((res) => {
+    createOrUpdateField(
+      props.document,
+      freeSignatureField,
+      recipient.token
+    ).then((res) => {
      setFields(fields.concat(res));
      setDialogField(res);
      setOpen(true);
--- a/apps/web/pages/api/documents/[id]/fields/index.ts
+++ b/apps/web/pages/api/documents/[id]/fields/index.ts
@ -36,8 +36,10 @@ async function getHandler(req: NextApiRequest, res: NextApiResponse) {
 }

 async function postHandler(req: NextApiRequest, res: NextApiResponse) {
-  const user = await getUserFromToken(req, res);
-  const { id: documentId } = req.query;
+  const { token: recipientToken } = req.query;
+  let user = null;
+  if (!recipientToken) user = await getUserFromToken(req, res);
+  if (!user && !recipientToken) return res.status(401).end();
  const body: {
    id: number;
    type: FieldType;
@ -48,18 +50,30 @@ async function postHandler(req: NextApiRequest, res: NextApiResponse) {
    customText: string;
  } = req.body;

-  if (!user) return;
-
+  const { id: documentId } = req.query;
  if (!documentId) {
-    res.status(400).send("Missing parameter documentId.");
-    return;
+    return res.status(400).send("Missing parameter documentId.");
  }

-  const document: PrismaDocument = await getDocument(+documentId, req, res);
+  if (recipientToken) {
+    const recipient = await prisma.recipient.findFirst({
+      where: { token: recipientToken?.toString() },
+    });

+    if (!recipient || recipient?.documentId !== +documentId)
+      return res
+        .status(401)
+        .send("Recipient does not have access to this document.");
+  }
+
+  if (user) {
+    const document: PrismaDocument = await getDocument(+documentId, req, res);
    // todo entity ownerships checks
    if (document.userId !== user.id) {
-    return res.status(401).send("User does not have access to this document.");
+      return res
+        .status(401)
+        .send("User does not have access to this document.");
+    }
  }

  const field = await prisma.field.upsert({
--- a/packages/lib/api/createOrUpdateField.ts
+++ b/packages/lib/api/createOrUpdateField.ts
@ -2,11 +2,12 @@ import toast from "react-hot-toast";

 export const createOrUpdateField = async (
  document: any,
-  field: any
+  field: any,
+  recipientToken: string = ""
 ): Promise<any> => {
  try {
    const created = await toast.promise(
-      fetch("/api/documents/" + document.id + "/fields", {
+      fetch("/api/documents/" + document.id + "/fields?token=" + recipientToken, {
        method: "POST",
        headers: {
          "Content-Type": "application/json",