Fix bug where unauthorized user could get detailed planet data

Aelita4 2024-06-18 22:19:42 +02:00
parent 46ad28bc1b
commit ac9ce7dcf2
Signed by: Aelita4
GPG Key ID: E44490C2025906C1
1 changed files with 22 additions and 0 deletions


@ -3,8 +3,23 @@ import { getPlanetById } from "../../../../lib/db/planets";
import { ObjectId } from "mongodb"; import { ObjectId } from "mongodb";
import Planet from "../../../../types/Planet"; import Planet from "../../../../types/Planet";
import { calculateCurrentAvailableResources } from "../../../../lib/utils/resourceManager"; import { calculateCurrentAvailableResources } from "../../../../lib/utils/resourceManager";
import validateAccessToken from "../../../../lib/utils/validateAccessToken";
import { getUserByAccessToken } from "../../../../lib/db/users";
export const GET: APIRoute = async ({ params, request }) => { export const GET: APIRoute = async ({ params, request }) => {
const response = await validateAccessToken(request);
if(response instanceof Response) return response;
const user = await getUserByAccessToken(response);
if(user === null) {
return new Response(
JSON.stringify({
code: 401,
message: "Unauthorized"
}), { status: 401 }
)
}
const planetId = params['planetId']; const planetId = params['planetId'];
if(!planetId) return new Response( if(!planetId) return new Response(
JSON.stringify({ JSON.stringify({
@ -32,6 +47,13 @@ export const GET: APIRoute = async ({ params, request }) => {
); );
} }
if(planet.owner._id !== user._id) return new Response(
JSON.stringify({
code: 403,
message: "Forbidden"
}), { status: 403 }
);
await calculateCurrentAvailableResources(planet._id); await calculateCurrentAvailableResources(planet._id);
return new Response( return new Response(