Fix bug where unauthorized user could get detailed planet data

2024-06-18 22:19:42 +02:00 · 2024-06-18 22:19:42 +02:00 · 25b7a01bd6
parent 46ad28bc1b
commit 25b7a01bd6
2 changed files with 32 additions and 2 deletions
--- a/src/lib/db/planets.ts
+++ b/src/lib/db/planets.ts
@ -42,9 +42,14 @@ export const createPlanet = async (options: { name: string, owner?: User, ownerI

 export const getPlanetById = async (id: ObjectId) => {
    const planets = await Planets();
-    return planets.findOne({
+    const planet = await planets.findOne({
        _id: id
-    }) as Promise<Planet | null>;
+    });
+
+    if(!planet) return null;
+
+    planet.owner = await getUserById(planet.owner);
+    return planet as Planet;
 }

 export const createOrUpgradeBuilding = async (planetId: ObjectId, building: Building) => {
--- a/src/pages/api/planets/getPlanet/[planetId].ts
+++ b/src/pages/api/planets/getPlanet/[planetId].ts
@ -3,8 +3,23 @@ import { getPlanetById } from "../../../../lib/db/planets";
 import { ObjectId } from "mongodb";
 import Planet from "../../../../types/Planet";
 import { calculateCurrentAvailableResources } from "../../../../lib/utils/resourceManager";
+import validateAccessToken from "../../../../lib/utils/validateAccessToken";
+import { getUserByAccessToken } from "../../../../lib/db/users";

 export const GET: APIRoute = async ({ params, request }) => {
+    const response = await validateAccessToken(request);
+    if(response instanceof Response) return response;
+
+    const user = await getUserByAccessToken(response);
+    if(user === null) {
+        return new Response(
+            JSON.stringify({
+                code: 401,
+                message: "Unauthorized"
+            }), { status: 401 }
+        )
+    }
+
    const planetId = params['planetId'];
    if(!planetId) return new Response(
        JSON.stringify({
@ -32,8 +47,18 @@ export const GET: APIRoute = async ({ params, request }) => {
        );
    }

+    if(planet.owner._id.toString() !== user._id.toString()) return new Response(
+        JSON.stringify({
+            code: 403,
+            message: "Forbidden"
+        }), { status: 403 }
+    );
+
    await calculateCurrentAvailableResources(planet._id);

+    //@ts-ignore
+    delete planet.owner.password;
+
    return new Response(
        JSON.stringify({
            code: 200,