m/umami
1
0
Fork 0
mirror of https://github.com/kremalicious/umami.git synced 2024-12-18 15:23:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

API security updates.

Browse Source
This commit is contained in:
Mike Cao 2020-09-11 13:49:43 -07:00
parent 01432266ef
commit 8e3286179a
7 changed files with 115 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
pages/api/account/[id].js
View File

@ -9,25 +9,21 @@ export default async (req, res) => {
const { id } = req.query;
const user_id = +id;
if (req.method === 'GET') {
if (is_admin) {
return unauthorized(res);
}
if (req.method === 'GET') {
const account = await getAccountById(user_id);
return ok(res, account);
}
return unauthorized(res);
}
if (req.method === 'DELETE') {
if (is_admin) {
await deleteAccount(user_id);
return ok(res);
}
return unauthorized(res);
}
return methodNotAllowed(res);
};

8
pages/api/account/password.js
View File

@ -1,14 +1,18 @@
import { getAccountById, updateAccount } from 'lib/queries';
import { useAuth } from 'lib/middleware';
import { badRequest, methodNotAllowed, ok } from 'lib/response';
import { badRequest, methodNotAllowed, ok, unauthorized } from 'lib/response';
import { checkPassword, hashPassword } from 'lib/crypto';
export default async (req, res) => {
await useAuth(req, res);
const { user_id } = req.auth;
const { user_id, is_admin } = req.auth;
const { current_password, new_password } = req.body;
if (is_admin) {
return unauthorized(res);
}
if (req.method === 'POST') {
const account = await getAccountById(user_id);
const valid = await checkPassword(current_password, account.password);

9
pages/api/website/[id]/active.js
View File

@ -1,11 +1,18 @@
import { getActiveVisitors } from 'lib/queries';
import { ok } from 'lib/response';
import { methodNotAllowed, ok } from 'lib/response';
import { useAuth } from 'lib/middleware';
export default async (req, res) => {
await useAuth(req, res);
if (req.method === 'GET') {
const { id } = req.query;
const website_id = +id;
const result = await getActiveVisitors(website_id);
return ok(res, result);
}
return methodNotAllowed(res);
};

9
pages/api/website/[id]/events.js
View File

@ -1,10 +1,14 @@
import moment from 'moment-timezone';
import { getEvents } from 'lib/queries';
import { ok, badRequest } from 'lib/response';
import { ok, badRequest, methodNotAllowed } from 'lib/response';
import { useAuth } from 'lib/middleware';
const unitTypes = ['month', 'hour', 'day'];
export default async (req, res) => {
await useAuth(req, res);
if (req.method === 'GET') {
const { id, start_at, end_at, unit, tz } = req.query;
if (!moment.tz.zone(tz) || !unitTypes.includes(unit)) {
@ -18,4 +22,7 @@ export default async (req, res) => {
const events = await getEvents(websiteId, startDate, endDate, tz, unit);
return ok(res, events);
}
return methodNotAllowed(res);
};

9
pages/api/website/[id]/metrics.js
View File

@ -1,7 +1,11 @@
import { getMetrics } from 'lib/queries';
import { ok } from 'lib/response';
import { methodNotAllowed, ok } from 'lib/response';
import { useAuth } from 'lib/middleware';
export default async (req, res) => {
await useAuth(req, res);
if (req.method === 'GET') {
const { id, start_at, end_at } = req.query;
const websiteId = +id;
const startDate = new Date(+start_at);
@ -15,4 +19,7 @@ export default async (req, res) => {
}, {});
return ok(res, stats);
}
return methodNotAllowed(res);
};

9
pages/api/website/[id]/pageviews.js
View File

@ -1,10 +1,14 @@
import moment from 'moment-timezone';
import { getPageviews } from 'lib/queries';
import { ok, badRequest } from 'lib/response';
import { ok, badRequest, methodNotAllowed } from 'lib/response';
import { useAuth } from 'lib/middleware';
const unitTypes = ['month', 'hour', 'day'];
export default async (req, res) => {
await useAuth(req, res);
if (req.method === 'GET') {
const { id, start_at, end_at, unit, tz } = req.query;
if (!moment.tz.zone(tz) || !unitTypes.includes(unit)) {
@ -21,4 +25,7 @@ export default async (req, res) => {
]);
return ok(res, { pageviews, uniques });
}
return methodNotAllowed(res);
};

11
pages/api/website/[id]/rankings.js
View File

@ -1,6 +1,7 @@
import { getRankings } from 'lib/queries';
import { ok, badRequest } from 'lib/response';
import { DOMAIN_REGEX } from '../../../../lib/constants';
import { ok, badRequest, methodNotAllowed } from 'lib/response';
import { DOMAIN_REGEX } from 'lib/constants';
import { useAuth } from 'lib/middleware';
const sessionColumns = ['browser', 'os', 'device', 'country'];
const pageviewColumns = ['url', 'referrer'];
@ -25,6 +26,9 @@ function getColumn(type) {
}
export default async (req, res) => {
await useAuth(req, res);
if (req.method === 'GET') {
const { id, type, start_at, end_at, domain } = req.query;
const websiteId = +id;
const startDate = new Date(+start_at);
@ -50,4 +54,7 @@ export default async (req, res) => {
);
return ok(res, rankings);
}
return methodNotAllowed(res);
};