diff --git a/apps/webservice/src/app/api/v1/[workspace]/job/agent/name/route.ts b/apps/webservice/src/app/api/v1/[workspace]/job/agent/name/route.ts
index dcef838c..681079e7 100644
--- a/apps/webservice/src/app/api/v1/[workspace]/job/agent/name/route.ts
+++ b/apps/webservice/src/app/api/v1/[workspace]/job/agent/name/route.ts
@@ -6,6 +6,8 @@ import { eq, takeFirst, takeFirstOrNull } from "@ctrlplane/db";
 import { db } from "@ctrlplane/db/client";
 import { jobAgent, workspace } from "@ctrlplane/db/schema";
 
+import { getUser } from "~/app/api/v1/auth";
+
 const bodySchema = z.object({ type: z.string(), name: z.string() });
 
 export const PATCH = async (
@@ -21,6 +23,12 @@ export const PATCH = async (
 if (ws == null)
 return NextResponse.json({ error: "Workspace not found" }, { status: 404 });
 
+ const canAccess = await getUser(req).then((u) =>
+ u.access.workspace.id(ws.id),
+ );
+ if (!canAccess)
+ return NextResponse.json({ error: "Permission denied" }, { status: 403 });
+
 const response = await req.json();
 const body = bodySchema.parse(response);
 
diff --git a/apps/webservice/src/app/api/v1/[workspace]/target-provider/[providerId]/set/route.ts b/apps/webservice/src/app/api/v1/[workspace]/target-provider/[providerId]/set/route.ts
index 2e77767e..dc6b77be 100644
--- a/apps/webservice/src/app/api/v1/[workspace]/target-provider/[providerId]/set/route.ts
+++ b/apps/webservice/src/app/api/v1/[workspace]/target-provider/[providerId]/set/route.ts
@@ -11,6 +11,8 @@ import {
 workspace,
 } from "@ctrlplane/db/schema";
 
+import { getUser } from "~/app/api/v1/auth";
+
 const bodySchema = z.object({
 targets: z.array(createTarget.omit({ providerId: true })),
 });
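Review bot: In the `@@ -21,6 +23,12 @@` hunk the new access check runs after the "Workspace not found" 404, so a caller that ends up denied has already learned whether the workspace name exists; if that is not intended, answer the denied case with the same 404, `return NextResponse.json({ error: "Workspace not found" }, { status: 404 });`, or leave a comment stating that the 403/404 split is deliberate. The check is correctly placed before `req.json()` and the zod parse, so a denied request never has its body read. Style: `await getUser(req).then(...)` mixes `await` with a `.then` chain; `const user = await getUser(req); const canAccess = await user.access.workspace.id(ws.id);` reads more directly. Note that `getUser` in the new `auth.ts` does not fail when `x-api-key` is absent, so whether a keyless request reaches this 403 depends on what `accessQuery(db)` returns with no subject — confirm that it denies. `PATCH` begins and continues outside the hunk.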
@@ -30,6 +32,12 @@ export const PATCH = async (
 if (provider == null)
 return NextResponse.json({ error: "Provider not found" }, { status: 404 });
 
+ const canAccess = await getUser(req).then((u) =>
+ u.access.workspace.targetProvider.id(provider.id),
+ );
+ if (!canAccess)
+ return NextResponse.json({ error: "Permission denied" }, { status: 403 });
+
 const response = await req.json();
 const body = bodySchema.parse(response);
 
diff --git a/apps/webservice/src/app/api/v1/[workspace]/target-provider/name/[name]/route.ts b/apps/webservice/src/app/api/v1/[workspace]/target-provider/name/[name]/route.ts
index 4672ab0f..eb8a373a 100644
--- a/apps/webservice/src/app/api/v1/[workspace]/target-provider/name/[name]/route.ts
+++ b/apps/webservice/src/app/api/v1/[workspace]/target-provider/name/[name]/route.ts
@@ -5,8 +5,10 @@ import { eq, takeFirst, takeFirstOrNull } from "@ctrlplane/db";
 import { db } from "@ctrlplane/db/client";
 import { targetProvider, workspace } from "@ctrlplane/db/schema";
 
+import { getUser } from "~/app/api/v1/auth";
+
 export const GET = async (
- _: NextRequest,
+ req: NextRequest,
 { params }: { params: { workspace: string; name: string } },
 ) => {
 const ws = await db
@@ -18,6 +20,12 @@ export const GET = async (
 if (!ws)
 return NextResponse.json({ error: "Workspace not found" }, { status: 404 });
 
+ const canAccess = await getUser(req).then((u) =>
+ u.access.workspace.id(ws.id),
+ );
+ if (!canAccess)
+ return NextResponse.json({ error: "Permission denied" }, { status: 403 });
+
 const tp = await db
 .insert(targetProvider)
 .values({ name: params.name, workspaceId: ws.id })
diff --git a/apps/webservice/src/app/api/v1/auth.ts b/apps/webservice/src/app/api/v1/auth.ts
new file mode 100644
index 00000000..21842d25
--- /dev/null
+++ b/apps/webservice/src/app/api/v1/auth.ts
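Review bot: In the `@@ -30,6 +32,12 @@` hunk authorization is keyed on `provider.id` alone even though the route carries a `[workspace]` segment; if the provider lookup above the hunk (not visible here) selects by `providerId` without constraining it to that workspace, the path's workspace is never enforced and a key valid for the provider's real workspace can address it under any workspace URL — confirm, and if so add `if (provider.workspaceId !== ws.id) return NextResponse.json({ error: "Provider not found" }, { status: 404 });` (or scope the query) before the access check. As in the other handlers, the 404 for a missing provider is emitted before the access check, so denied callers can still probe provider ids. Style: `const user = await getUser(req); const canAccess = await user.access.workspace.targetProvider.id(provider.id);` avoids mixing `await` with `.then`. `PATCH` begins and continues outside the hunk.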
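Review bot: The `@@ -18,6 +20,12 @@` hunk gates a handler that performs `db.insert(targetProvider)` from a `GET`; since `getUser` in the new `auth.ts` does not require `x-api-key` and falls back to `accessQuery(db)` when the header is absent, this state-changing request could be triggered by cross-site navigation if that fallback resolves a cookie session — confirm, and prefer requiring the API key on this route or moving the create-by-name to `PUT`/`POST`. The access check is placed correctly before the insert, which is the important part. A comment above the check would make the ordering obvious to the next reader: `// Authorize before the insert below: this GET creates the provider when it does not exist.` The `GET` body continues past the hunk.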
@@ -0,0 +1,13 @@
+import type { NextRequest } from "next/server";
+
+import {
+ accessQuery,
+ getUser as getUserFromApiKey,
+} from "@ctrlplane/auth/utils";
+import { db } from "@ctrlplane/db/client";
+
+export const getUser = async (req: NextRequest) => {
+ const apiKey = req.headers.get("x-api-key");
+ if (apiKey == null) return { access: accessQuery(db) };
+ return getUserFromApiKey(apiKey);
+};
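Review bot: `getUser` never rejects a request: with no `x-api-key` header it returns `{ access: accessQuery(db) }` with no user at all, and with a key it returns whatever `getUserFromApiKey` resolves, so if that helper yields `null`/`undefined` for an unknown or revoked key the callers' `u.access.workspace...` throws and the request surfaces as a 500 rather than a 401 — confirm its return type. Consider `const user = await getUserFromApiKey(apiKey); if (user == null) return null;` and have route handlers map `null` to a 401, which also separates "no credential" from "no permission" (403). The keyless branch deserves a comment, since every route's 403 now depends on it: `// No API key: access is evaluated with no authenticated subject; accessQuery(db) must deny unless it resolves a session — TODO confirm.` An explicit return type would also surface that the two branches return different shapes, and a name like `getRequestAccess` would be more honest than `getUser` for a function that may return no user.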