Fix bug where unauthorized user could get detailed planet data

This commit is contained in:
Aelita4 2024-06-18 22:19:42 +02:00
parent 46ad28bc1b
commit 90f53ab230
Signed by: Aelita4
GPG Key ID: E44490C2025906C1
2 changed files with 29 additions and 2 deletions

View File

@ -42,9 +42,14 @@ export const createPlanet = async (options: { name: string, owner?: User, ownerI
export const getPlanetById = async (id: ObjectId) => { export const getPlanetById = async (id: ObjectId) => {
const planets = await Planets(); const planets = await Planets();
return planets.findOne({ const planet = await planets.findOne({
_id: id _id: id
}) as Promise<Planet | null>; });
if(!planet) return null;
planet.owner = await getUserById(planet.owner);
return planet as Planet;
} }
export const createOrUpgradeBuilding = async (planetId: ObjectId, building: Building) => { export const createOrUpgradeBuilding = async (planetId: ObjectId, building: Building) => {

View File

@ -3,8 +3,23 @@ import { getPlanetById } from "../../../../lib/db/planets";
import { ObjectId } from "mongodb"; import { ObjectId } from "mongodb";
import Planet from "../../../../types/Planet"; import Planet from "../../../../types/Planet";
import { calculateCurrentAvailableResources } from "../../../../lib/utils/resourceManager"; import { calculateCurrentAvailableResources } from "../../../../lib/utils/resourceManager";
import validateAccessToken from "../../../../lib/utils/validateAccessToken";
import { getUserByAccessToken } from "../../../../lib/db/users";
export const GET: APIRoute = async ({ params, request }) => { export const GET: APIRoute = async ({ params, request }) => {
const response = await validateAccessToken(request);
if(response instanceof Response) return response;
const user = await getUserByAccessToken(response);
if(user === null) {
return new Response(
JSON.stringify({
code: 401,
message: "Unauthorized"
}), { status: 401 }
)
}
const planetId = params['planetId']; const planetId = params['planetId'];
if(!planetId) return new Response( if(!planetId) return new Response(
JSON.stringify({ JSON.stringify({
@ -32,6 +47,13 @@ export const GET: APIRoute = async ({ params, request }) => {
); );
} }
if(planet.owner._id !== user._id) return new Response(
JSON.stringify({
code: 403,
message: "Forbidden"
}), { status: 403 }
);
await calculateCurrentAvailableResources(planet._id); await calculateCurrentAvailableResources(planet._id);
return new Response( return new Response(