feat: Add throwIfNoAccessToApiKey guard function (boxyhq#1366)

ukrocks007 · web-flow · commit d51cf6b263ed · 2024-05-20T11:52:40.000+01:00
diff --git a/lib/guards/team-api-key.ts b/lib/guards/team-api-key.ts
@@ -0,0 +1,20 @@
+import { getApiKeyById } from 'models/apiKey';
+import { ApiError } from '../errors';
+
+export const throwIfNoAccessToApiKey = async (
+  apiKeyId: string,
+  teamId: string
+) => {
+  const apiKey = await getApiKeyById(apiKeyId);
+
+  if (!apiKey) {
+    throw new ApiError(404, 'API key not found');
+  }
+
+  if (teamId !== apiKey.teamId) {
+    throw new ApiError(
+      403,
+      'You do not have permission to delete this API key'
+    );
+  }
+};
diff --git a/models/apiKey.ts b/models/apiKey.ts
@@ -64,3 +64,15 @@ export const getApiKey = async (apiKey: string) => {
     },
   });
 };
+
+export const getApiKeyById = async (id: string) => {
+  return prisma.apiKey.findUnique({
+    where: {
+      id,
+    },
+    select: {
+      id: true,
+      teamId: true,
+    },
+  });
+};
diff --git a/pages/api/teams/[slug]/api-keys/[apiKeyId].ts b/pages/api/teams/[slug]/api-keys/[apiKeyId].ts
@@ -6,6 +6,7 @@ import { recordMetric } from '@/lib/metrics';
 import env from '@/lib/env';
 import { ApiError } from '@/lib/errors';
 import { deleteApiKeySchema, validateWithSchema } from '@/lib/zod';
+import { throwIfNoAccessToApiKey } from '@/lib/guards/team-api-key';
 
 export default async function handler(
   req: NextApiRequest,
@@ -44,6 +45,8 @@ const handleDELETE = async (req: NextApiRequest, res: NextApiResponse) => {
 
   const { apiKeyId } = validateWithSchema(deleteApiKeySchema, req.query);
 
+  await throwIfNoAccessToApiKey(apiKeyId, user.team.id);
+
   await deleteApiKey(apiKeyId);
 
   recordMetric('apikey.removed');
diff --git a/pages/api/teams/[slug]/webhooks/[endpointId].ts b/pages/api/teams/[slug]/webhooks/[endpointId].ts
@@ -38,8 +38,8 @@ export default async function handler(
         });
     }
   } catch (err: any) {
-    const message = err.message || 'Something went wrong';
-    const status = err.status || 500;
+    const message = err?.body?.detail || err.message || 'Something went wrong';
+    const status = err.status || err.code || 500;
 
     res.status(status).json({ error: { message } });
   }
@@ -98,6 +98,8 @@ const handlePUT = async (req: NextApiRequest, res: NextApiResponse) => {
   if (eventTypes.length > 0) {
     data['filterTypes'] = eventTypes;
   }
+  // Checks if the webhook exists or throws an error
+  await findWebhook(app.id, endpointId);
 
   const webhook = await updateWebhook(app.id, endpointId, data);
 

Original file line number	Diff line number	Diff line change
`@@ -38,8 +38,8 @@ export default async function handler(`
`38`	`38`	`});`
`39`	`39`	`}`
`40`	`40`	`} catch (err: any) {`
`41`		`- const message = err.message \|\| 'Something went wrong';`
`42`		`- const status = err.status \|\| 500;`
	`41`	`+ const message = err?.body?.detail \|\| err.message \|\| 'Something went wrong';`
	`42`	`+ const status = err.status \|\| err.code \|\| 500;`
`43`	`43`
`44`	`44`	`res.status(status).json({ error: { message } });`
`45`	`45`	`}`
`@@ -98,6 +98,8 @@ const handlePUT = async (req: NextApiRequest, res: NextApiResponse) => {`
`98`	`98`	`if (eventTypes.length > 0) {`
`99`	`99`	`data['filterTypes'] = eventTypes;`
`100`	`100`	`}`
	`101`	`+ // Checks if the webhook exists or throws an error`
	`102`	`+ await findWebhook(app.id, endpointId);`
`101`	`103`
`102`	`104`	`const webhook = await updateWebhook(app.id, endpointId, data);`
`103`	`105`