Merge pull request #493 from hxdy-1/Adds-validation-on-API-routes

Added request input validation on API routes

src/app/api/admin/course/route.ts

@@ -1,7 +1,28 @@
 import { NextRequest, NextResponse } from 'next/server';
 import db from '@/db';
+import { z } from 'zod';
+
+const requestBodySchema = z.object({
+  adminSecret: z.string(),
+  title: z.string(),
+  description: z.string(),
+  imageUrl: z.string().url().or(z.string()),
+  id: z.string(),
+  slug: z.string(),
+  appxCourseId: z.string(),
+  discordRoleId: z.string(),
+});
 
 export async function POST(req: NextRequest) {
+  const parseResult = requestBodySchema.safeParse(await req.json());
+
+  if (!parseResult.success) {
+    return NextResponse.json(
+      { error: parseResult.error.message },
+      { status: 400 },
+    );
+  }
+
   const {
     adminSecret,
     title,
@@ -11,7 +32,7 @@ export async function POST(req: NextRequest) {
     slug,
     appxCourseId,
     discordRoleId,
-  } = await req.json();
+  } = parseResult.data;
 
   if (adminSecret !== process.env.ADMIN_SECRET) {
     return NextResponse.json({}, { status: 401 });

src/app/api/admin/discord/refresh/route.ts

@@ -1,8 +1,22 @@
 import db from '@/db';
 import { NextRequest, NextResponse } from 'next/server';
+import { z } from 'zod';
+
+const requestBodySchema = z.object({
+  adminSecret: z.string(),
+  email: z.string().email(),
+});
 
 export async function POST(req: NextRequest) {
-  const { adminSecret, email } = await req.json();
+  const parseResult = requestBodySchema.safeParse(await req.json());
+
+  if (!parseResult.success) {
+    return NextResponse.json(
+      { error: parseResult.error.message },
+      { status: 400 },
+    );
+  }
+  const { adminSecret, email } = parseResult.data;
 
   if (adminSecret !== process.env.ADMIN_SECRET) {
     return NextResponse.json({}, { status: 401 });
@@ -15,7 +29,7 @@ export async function POST(req: NextRequest) {
   });
 
   if (!user) {
-    return NextResponse.json({ msg: 'User not found' }, { status: 440 });
+    return NextResponse.json({ msg: 'User not found' }, { status: 404 });
   }
 
   await db.discordConnect.delete({

src/app/api/admin/discord/route.ts

@@ -1,8 +1,22 @@
 import db from '@/db';
 import { NextRequest, NextResponse } from 'next/server';
+import { z } from 'zod';
+
+const requestBodySchema = z.object({
+  adminSecret: z.string(),
+  email: z.string().email(),
+});
 
 export async function POST(req: NextRequest) {
-  const { adminSecret, email } = await req.json();
+  const parseResult = requestBodySchema.safeParse(await req.json());
+
+  if (!parseResult.success) {
+    return NextResponse.json(
+      { error: parseResult.error.message },
+      { status: 400 },
+    );
+  }
+  const { adminSecret, email } = parseResult.data;
 
   if (adminSecret !== process.env.ADMIN_SECRET) {
     return NextResponse.json({}, { status: 401 });
@@ -15,7 +29,7 @@ export async function POST(req: NextRequest) {
   });
 
   if (!user) {
-    return NextResponse.json({ msg: 'User not found' }, { status: 440 });
+    return NextResponse.json({ msg: 'User not found' }, { status: 404 });
   }
 
   const response = await db.discordConnect.findFirst({

src/app/api/admin/drm/route.ts

@@ -1,8 +1,23 @@
 import db from '@/db';
 import { NextRequest, NextResponse } from 'next/server';
+import { z } from 'zod';
+
+const requestBodySchema = z.object({
+  adminSecret: z.string(),
+  email: z.string().email(),
+  disableDrm: z.boolean(),
+});
 
 export async function POST(req: NextRequest) {
-  const { adminSecret, email, disableDrm } = await req.json();
+  const parseResult = requestBodySchema.safeParse(await req.json());
+
+  if (!parseResult.success) {
+    return NextResponse.json(
+      { error: parseResult.error.message },
+      { status: 400 },
+    );
+  }
+  const { adminSecret, email, disableDrm } = parseResult.data;
 
   if (adminSecret !== process.env.ADMIN_SECRET) {
     return NextResponse.json({}, { status: 401 });
@@ -15,7 +30,7 @@ export async function POST(req: NextRequest) {
   });
 
   if (!user) {
-    return NextResponse.json({ msg: 'User not found' }, { status: 440 });
+    return NextResponse.json({ msg: 'User not found' }, { status: 404 });
   }
 
   const response = await db.user.update({

src/app/api/admin/segments/route.ts

@@ -1,8 +1,22 @@
 import db from '@/db';
 import { NextRequest, NextResponse } from 'next/server';
+import { z } from 'zod';
+
+const requestBodySchema = z.object({
+  adminSecret: z.string(),
+  contentId: z.number(),
+  segmentsJson: z.unknown(),
+});
 
 export async function POST(req: NextRequest) {
-  const { adminSecret, contentId, segmentsJson } = await req.json();
+  const parseResult = requestBodySchema.safeParse(await req.json());
+  if (!parseResult.success) {
+    return NextResponse.json(
+      { error: parseResult.error.message },
+      { status: 400 },
+    );
+  }
+  const { adminSecret, contentId, segmentsJson } = parseResult.data;
 
   if (adminSecret !== process.env.ADMIN_SECRET) {
     return NextResponse.json({}, { status: 401 });

src/app/api/course/videoProgress/markAsCompleted/route.ts

@@ -2,9 +2,22 @@ import { NextRequest, NextResponse } from 'next/server';
 import db from '@/db';
 import { getServerSession } from 'next-auth';
 import { authOptions } from '@/lib/auth';
+import { z } from 'zod';
+
+const requestBodySchema = z.object({
+  contentId: z.number(),
+  markAsCompleted: z.boolean(),
+});
 
 export async function POST(req: NextRequest) {
-  const { contentId, markAsCompleted } = await req.json();
+  const parseResult = requestBodySchema.safeParse(req.json());
+  if (!parseResult.success) {
+    return NextResponse.json(
+      { error: parseResult.error.message },
+      { status: 400 },
+    );
+  }
+  const { contentId, markAsCompleted } = parseResult.data;
   const session = await getServerSession(authOptions);
   if (!session || !session?.user) {
     return NextResponse.json({}, { status: 401 });

src/app/api/course/videoProgress/route.ts

@@ -3,6 +3,7 @@ import db from '@/db';
 import { getServerSession } from 'next-auth';
 import { authOptions } from '@/lib/auth';
 import { revalidatePath } from 'next/cache';
+import { z } from 'zod';
 
 export async function GET(req: NextRequest) {
   const url = new URL(req.url);
@@ -26,8 +27,21 @@ export async function GET(req: NextRequest) {
   });
 }
 
+const requestBodySchema = z.object({
+  contentId: z.number(),
+  currentTimestamp: z.number(),
+});
+
 export async function POST(req: NextRequest) {
-  const { contentId, currentTimestamp } = await req.json();
+  const parseResult = requestBodySchema.safeParse(req.json());
+  if (!parseResult.success) {
+    return NextResponse.json(
+      { error: parseResult.error.message },
+      { status: 400 },
+    );
+  }
+  const { contentId, currentTimestamp } = parseResult.data;
+
   const session = await getServerSession(authOptions);
   if (!session || !session?.user) {
     return NextResponse.json({}, { status: 401 });