Fix bug where unauthorized user could get detailed planet data
This commit is contained in:
parent
46ad28bc1b
commit
25b7a01bd6
|
@ -42,9 +42,14 @@ export const createPlanet = async (options: { name: string, owner?: User, ownerI
|
||||||
|
|
||||||
export const getPlanetById = async (id: ObjectId) => {
|
export const getPlanetById = async (id: ObjectId) => {
|
||||||
const planets = await Planets();
|
const planets = await Planets();
|
||||||
return planets.findOne({
|
const planet = await planets.findOne({
|
||||||
_id: id
|
_id: id
|
||||||
}) as Promise<Planet | null>;
|
});
|
||||||
|
|
||||||
|
if(!planet) return null;
|
||||||
|
|
||||||
|
planet.owner = await getUserById(planet.owner);
|
||||||
|
return planet as Planet;
|
||||||
}
|
}
|
||||||
|
|
||||||
export const createOrUpgradeBuilding = async (planetId: ObjectId, building: Building) => {
|
export const createOrUpgradeBuilding = async (planetId: ObjectId, building: Building) => {
|
||||||
|
|
|
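Review bot: `planet.owner = await getUserById(planet.owner);` swaps the stored owner id for the whole user document, so every caller of getPlanetById now receives the owner's password field; the route hunk at `@ -32,8 +47,18` has to strip it afterwards with `//@ts-ignore` / `delete planet.owner.password;`, and the next caller can just as easily forget to. Dropping the credential field here, at the data layer, removes that per-route burden together with the `@ts-ignore`. If getUserById returns null for a missing owner (the route's `user === null` check suggests the users helpers do), `planet.owner` becomes null and the ownership comparison `planet.owner._id.toString()` in that same route hunk throws instead of answering 403, so the lookup should be guarded. `return planet as Planet;` asserts rather than checks the hydrated shape; a small type for the raw document with `owner: ObjectId` would let the compiler verify the reassignment. The file header is not shown on this page, so it is assumed getUserById is already imported in this module.
```typescript
export const getPlanetById = async (id: ObjectId) => {
  // … unchanged: Planets() lookup and the `if(!planet) return null;` guard …
  const owner = await getUserById(planet.owner);
  if (!owner) return null; // dangling owner reference: report not-found rather than crash callers
  // Never hand the stored credential hash to route handlers.
  const { password: _password, ...ownerWithoutPassword } = owner;
  planet.owner = ownerWithoutPassword;
  return planet as Planet;
}
```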
@ -3,8 +3,23 @@ import { getPlanetById } from "../../../../lib/db/planets";
|
||||||
import { ObjectId } from "mongodb";
|
import { ObjectId } from "mongodb";
|
||||||
import Planet from "../../../../types/Planet";
|
import Planet from "../../../../types/Planet";
|
||||||
import { calculateCurrentAvailableResources } from "../../../../lib/utils/resourceManager";
|
import { calculateCurrentAvailableResources } from "../../../../lib/utils/resourceManager";
|
||||||
|
import validateAccessToken from "../../../../lib/utils/validateAccessToken";
|
||||||
|
import { getUserByAccessToken } from "../../../../lib/db/users";
|
||||||
|
|
||||||
export const GET: APIRoute = async ({ params, request }) => {
|
export const GET: APIRoute = async ({ params, request }) => {
|
||||||
|
const response = await validateAccessToken(request);
|
||||||
|
if(response instanceof Response) return response;
|
||||||
|
|
||||||
|
const user = await getUserByAccessToken(response);
|
||||||
|
if(user === null) {
|
||||||
|
return new Response(
|
||||||
|
JSON.stringify({
|
||||||
|
code: 401,
|
||||||
|
message: "Unauthorized"
|
||||||
|
}), { status: 401 }
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
const planetId = params['planetId'];
|
const planetId = params['planetId'];
|
||||||
if(!planetId) return new Response(
|
if(!planetId) return new Response(
|
||||||
JSON.stringify({
|
JSON.stringify({
|
||||||
|
@ -32,8 +47,18 @@ export const GET: APIRoute = async ({ params, request }) => {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(planet.owner._id.toString() !== user._id.toString()) return new Response(
|
||||||
|
JSON.stringify({
|
||||||
|
code: 403,
|
||||||
|
message: "Forbidden"
|
||||||
|
}), { status: 403 }
|
||||||
|
);
|
||||||
|
|
||||||
await calculateCurrentAvailableResources(planet._id);
|
await calculateCurrentAvailableResources(planet._id);
|
||||||
|
|
||||||
|
//@ts-ignore
|
||||||
|
delete planet.owner.password;
|
||||||
|
|
||||||
return new Response(
|
return new Response(
|
||||||
JSON.stringify({
|
JSON.stringify({
|
||||||
code: 200,
|
code: 200,
|
||||||
|
|