add some apikey auth to openapi endpoints

ctrlplanedev · Sep 5, 2024 · d68b4c4 · d68b4c4
1 parent 61eac57
commit d68b4c4
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 1 deletion.
diff --git a/apps/webservice/src/app/api/v1/[workspace]/job/agent/name/route.ts b/apps/webservice/src/app/api/v1/[workspace]/job/agent/name/route.ts
@@ -6,6 +6,8 @@ import { eq, takeFirst, takeFirstOrNull } from "@ctrlplane/db";
 import { db } from "@ctrlplane/db/client";
 import { jobAgent, workspace } from "@ctrlplane/db/schema";
 
+import { getUser } from "~/app/api/v1/auth";
+
 const bodySchema = z.object({ type: z.string(), name: z.string() });
 
 export const PATCH = async (
@@ -21,6 +23,12 @@ export const PATCH = async (
   if (ws == null)
     return NextResponse.json({ error: "Workspace not found" }, { status: 404 });
 
+  const canAccess = await getUser(req).then((u) =>
+    u.access.workspace.id(ws.id),
+  );
+  if (!canAccess)
+    return NextResponse.json({ error: "Permission denied" }, { status: 403 });
+
   const response = await req.json();
   const body = bodySchema.parse(response);
 

diff --git a/apps/webservice/src/app/api/v1/[workspace]/target-provider/[providerId]/set/route.ts b/apps/webservice/src/app/api/v1/[workspace]/target-provider/[providerId]/set/route.ts
@@ -11,6 +11,8 @@ import {
   workspace,
 } from "@ctrlplane/db/schema";
 
+import { getUser } from "~/app/api/v1/auth";
+
 const bodySchema = z.object({
   targets: z.array(createTarget.omit({ providerId: true })),
 });
@@ -30,6 +32,12 @@ export const PATCH = async (
   if (provider == null)
     return NextResponse.json({ error: "Provider not found" }, { status: 404 });
 
+  const canAccess = await getUser(req).then((u) =>
+    u.access.workspace.targetProvider.id(provider.id),
+  );
+  if (!canAccess)
+    return NextResponse.json({ error: "Permission denied" }, { status: 403 });
+
   const response = await req.json();
   const body = bodySchema.parse(response);
 

diff --git a/apps/webservice/src/app/api/v1/[workspace]/target-provider/name/[name]/route.ts b/apps/webservice/src/app/api/v1/[workspace]/target-provider/name/[name]/route.ts
@@ -5,8 +5,10 @@ import { eq, takeFirst, takeFirstOrNull } from "@ctrlplane/db";
 import { db } from "@ctrlplane/db/client";
 import { targetProvider, workspace } from "@ctrlplane/db/schema";
 
+import { getUser } from "~/app/api/v1/auth";
+
 export const GET = async (
-  _: NextRequest,
+  req: NextRequest,
   { params }: { params: { workspace: string; name: string } },
 ) => {
   const ws = await db
@@ -18,6 +20,12 @@ export const GET = async (
   if (!ws)
     return NextResponse.json({ error: "Workspace not found" }, { status: 404 });
 
+  const canAccess = await getUser(req).then((u) =>
+    u.access.workspace.id(ws.id),
+  );
+  if (!canAccess)
+    return NextResponse.json({ error: "Permission denied" }, { status: 403 });
+
   const tp = await db
     .insert(targetProvider)
     .values({ name: params.name, workspaceId: ws.id })

diff --git a/apps/webservice/src/app/api/v1/auth.ts b/apps/webservice/src/app/api/v1/auth.ts
@@ -0,0 +1,13 @@
+import type { NextRequest } from "next/server";
+
+import {
+  accessQuery,
+  getUser as getUserFromApiKey,
+} from "@ctrlplane/auth/utils";
+import { db } from "@ctrlplane/db/client";
+
+export const getUser = async (req: NextRequest) => {
+  const apiKey = req.headers.get("x-api-key");
+  if (apiKey == null) return { access: accessQuery(db) };
+  return getUserFromApiKey(apiKey);
+};