API security updates.

This commit is contained in:
Mike Cao 2020-09-11 13:49:43 -07:00
parent 01432266ef
commit 8e3286179a
7 changed files with 115 additions and 80 deletions


@ -9,25 +9,21 @@ export default async (req, res) => {
const { id } = req.query; const { id } = req.query;
const user_id = +id; const user_id = +id;
if (req.method === 'GET') {
if (is_admin) { if (is_admin) {
return unauthorized(res);
}
if (req.method === 'GET') {
const account = await getAccountById(user_id); const account = await getAccountById(user_id);
return ok(res, account); return ok(res, account);
} }
return unauthorized(res);
}
if (req.method === 'DELETE') { if (req.method === 'DELETE') {
if (is_admin) {
await deleteAccount(user_id); await deleteAccount(user_id);
return ok(res); return ok(res);
} }
return unauthorized(res);
}
return methodNotAllowed(res); return methodNotAllowed(res);
}; };
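Review bot: The admin guard on the new side reads `if (is_admin) { return unauthorized(res); }` (the three lines immediately before the GET branch), which taken literally rejects admins and lets every other authenticated caller fetch or delete any account by `id`; the old code gated both actions on `is_admin` being true, so the intended condition is presumably `if (!is_admin) {`. The password section below carries a guard of the same shape and should be checked for the same intent. The `req.auth` destructuring and the start of the handler are outside the hunk, so where `is_admin` comes from is not visible here.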


@ -1,14 +1,18 @@
import { getAccountById, updateAccount } from 'lib/queries'; import { getAccountById, updateAccount } from 'lib/queries';
import { useAuth } from 'lib/middleware'; import { useAuth } from 'lib/middleware';
import { badRequest, methodNotAllowed, ok } from 'lib/response'; import { badRequest, methodNotAllowed, ok, unauthorized } from 'lib/response';
import { checkPassword, hashPassword } from 'lib/crypto'; import { checkPassword, hashPassword } from 'lib/crypto';
export default async (req, res) => { export default async (req, res) => {
await useAuth(req, res); await useAuth(req, res);
const { user_id } = req.auth; const { user_id, is_admin } = req.auth;
const { current_password, new_password } = req.body; const { current_password, new_password } = req.body;
if (is_admin) {
return unauthorized(res);
}
if (req.method === 'POST') { if (req.method === 'POST') {
const account = await getAccountById(user_id); const account = await getAccountById(user_id);
const valid = await checkPassword(current_password, account.password); const valid = await checkPassword(current_password, account.password);
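Review bot: The new guard `if (is_admin) { return unauthorized(res); }` refuses password changes for admin accounts rather than restricting whose password may be changed — `user_id` is taken from `req.auth`, not from the body, so a caller can only ever update their own record, and it is unclear what risk the guard mitigates. If the restriction is deliberate, a comment such as `// admin accounts may not change their password through this route` would keep the next reader from reverting it; if it was meant to mirror the account endpoint's admin-only check, the condition is inverted. The handler's body continues past the end of the hunk.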


@ -1,11 +1,18 @@
import { getActiveVisitors } from 'lib/queries'; import { getActiveVisitors } from 'lib/queries';
import { ok } from 'lib/response'; import { methodNotAllowed, ok } from 'lib/response';
import { useAuth } from 'lib/middleware';
export default async (req, res) => { export default async (req, res) => {
await useAuth(req, res);
if (req.method === 'GET') {
const { id } = req.query; const { id } = req.query;
const website_id = +id; const website_id = +id;
const result = await getActiveVisitors(website_id); const result = await getActiveVisitors(website_id);
return ok(res, result); return ok(res, result);
}
return methodNotAllowed(res);
}; };
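Review bot: `await useAuth(req, res);` establishes that the caller is logged in, but nothing in the hunk ties `website_id` (taken from `req.query`) to that caller, so any authenticated user can read active-visitor counts for any website id; an ownership check between `req.auth` and the website, or a query scoped by owner, is still missing. The same applies to the events, metrics, pageviews and rankings sections below, which add the identical `useAuth` line in front of unchanged per-website queries. The return value of `useAuth` is also discarded; if it writes the 401 response without throwing or otherwise ending execution (not visible here), the GET branch still runs and the query executes — worth confirming against lib/middleware.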


@ -1,10 +1,14 @@
import moment from 'moment-timezone'; import moment from 'moment-timezone';
import { getEvents } from 'lib/queries'; import { getEvents } from 'lib/queries';
import { ok, badRequest } from 'lib/response'; import { ok, badRequest, methodNotAllowed } from 'lib/response';
import { useAuth } from 'lib/middleware';
const unitTypes = ['month', 'hour', 'day']; const unitTypes = ['month', 'hour', 'day'];
export default async (req, res) => { export default async (req, res) => {
await useAuth(req, res);
if (req.method === 'GET') {
const { id, start_at, end_at, unit, tz } = req.query; const { id, start_at, end_at, unit, tz } = req.query;
if (!moment.tz.zone(tz) || !unitTypes.includes(unit)) { if (!moment.tz.zone(tz) || !unitTypes.includes(unit)) {
@ -18,4 +22,7 @@ export default async (req, res) => {
const events = await getEvents(websiteId, startDate, endDate, tz, unit); const events = await getEvents(websiteId, startDate, endDate, tz, unit);
return ok(res, events); return ok(res, events);
}
return methodNotAllowed(res);
}; };


@ -1,7 +1,11 @@
import { getMetrics } from 'lib/queries'; import { getMetrics } from 'lib/queries';
import { ok } from 'lib/response'; import { methodNotAllowed, ok } from 'lib/response';
import { useAuth } from 'lib/middleware';
export default async (req, res) => { export default async (req, res) => {
await useAuth(req, res);
if (req.method === 'GET') {
const { id, start_at, end_at } = req.query; const { id, start_at, end_at } = req.query;
const websiteId = +id; const websiteId = +id;
const startDate = new Date(+start_at); const startDate = new Date(+start_at);
@ -15,4 +19,7 @@ export default async (req, res) => {
}, {}); }, {});
return ok(res, stats); return ok(res, stats);
}
return methodNotAllowed(res);
}; };
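Review bot: `const startDate = new Date(+start_at);` in the GET branch accepts an absent or non-numeric `start_at` — `+undefined` is `NaN` and `new Date(NaN)` is an Invalid Date — and on the visible lines nothing rejects it before the value reaches the query; `websiteId = +id` has the same gap, unless the lines between the two hunks (not shown) validate them. A guard such as `if (!Number.isFinite(websiteId) || Number.isNaN(startDate.getTime())) { return badRequest(res); }` would bound the inputs, noting that `badRequest` is not among this file's imports as shown at the top of the section. The rankings section below builds the same values the same way.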


@ -1,10 +1,14 @@
import moment from 'moment-timezone'; import moment from 'moment-timezone';
import { getPageviews } from 'lib/queries'; import { getPageviews } from 'lib/queries';
import { ok, badRequest } from 'lib/response'; import { ok, badRequest, methodNotAllowed } from 'lib/response';
import { useAuth } from 'lib/middleware';
const unitTypes = ['month', 'hour', 'day']; const unitTypes = ['month', 'hour', 'day'];
export default async (req, res) => { export default async (req, res) => {
await useAuth(req, res);
if (req.method === 'GET') {
const { id, start_at, end_at, unit, tz } = req.query; const { id, start_at, end_at, unit, tz } = req.query;
if (!moment.tz.zone(tz) || !unitTypes.includes(unit)) { if (!moment.tz.zone(tz) || !unitTypes.includes(unit)) {
@ -21,4 +25,7 @@ export default async (req, res) => {
]); ]);
return ok(res, { pageviews, uniques }); return ok(res, { pageviews, uniques });
}
return methodNotAllowed(res);
}; };


@ -1,6 +1,7 @@
import { getRankings } from 'lib/queries'; import { getRankings } from 'lib/queries';
import { ok, badRequest } from 'lib/response'; import { ok, badRequest, methodNotAllowed } from 'lib/response';
import { DOMAIN_REGEX } from '../../../../lib/constants'; import { DOMAIN_REGEX } from 'lib/constants';
import { useAuth } from 'lib/middleware';
const sessionColumns = ['browser', 'os', 'device', 'country']; const sessionColumns = ['browser', 'os', 'device', 'country'];
const pageviewColumns = ['url', 'referrer']; const pageviewColumns = ['url', 'referrer'];
@ -25,6 +26,9 @@ function getColumn(type) {
} }
export default async (req, res) => { export default async (req, res) => {
await useAuth(req, res);
if (req.method === 'GET') {
const { id, type, start_at, end_at, domain } = req.query; const { id, type, start_at, end_at, domain } = req.query;
const websiteId = +id; const websiteId = +id;
const startDate = new Date(+start_at); const startDate = new Date(+start_at);
@ -50,4 +54,7 @@ export default async (req, res) => {
); );
return ok(res, rankings); return ok(res, rankings);
}
return methodNotAllowed(res);
}; };