feat: Security
This commit is contained in:
@@ -4,6 +4,7 @@ import {
|
||||
listDeviceTokensForUser,
|
||||
upsertDeviceToken
|
||||
} from '../services/push-dispatch.service';
|
||||
import { requireAuth } from '../middleware/require-auth';
|
||||
|
||||
export interface DeviceTokenRecord {
|
||||
userId: string;
|
||||
@@ -14,6 +15,8 @@ export interface DeviceTokenRecord {
|
||||
|
||||
const router = Router();
|
||||
|
||||
router.use(requireAuth);
|
||||
|
||||
router.post('/', async (req, res) => {
|
||||
const { userId, platform, token } = req.body as Partial<DeviceTokenRecord>;
|
||||
|
||||
@@ -21,12 +24,20 @@ router.post('/', async (req, res) => {
|
||||
return res.status(400).json({ error: 'Missing or invalid userId/platform/token' });
|
||||
}
|
||||
|
||||
if (userId !== req.authUserId) {
|
||||
return res.status(403).json({ error: 'Not authorized', errorCode: 'NOT_AUTHORIZED' });
|
||||
}
|
||||
|
||||
await upsertDeviceToken({ userId, platform, token });
|
||||
|
||||
res.status(201).json({ ok: true });
|
||||
});
|
||||
|
||||
router.get('/:userId', async (req, res) => {
|
||||
if (req.params.userId !== req.authUserId) {
|
||||
return res.status(403).json({ error: 'Not authorized', errorCode: 'NOT_AUTHORIZED' });
|
||||
}
|
||||
|
||||
const records = await listDeviceTokensForUser(req.params.userId);
|
||||
|
||||
res.json({
|
||||
@@ -40,6 +51,10 @@ router.get('/:userId', async (req, res) => {
|
||||
});
|
||||
|
||||
router.post('/:userId/dispatch', async (req, res) => {
|
||||
if (req.params.userId !== req.authUserId) {
|
||||
return res.status(403).json({ error: 'Not authorized', errorCode: 'NOT_AUTHORIZED' });
|
||||
}
|
||||
|
||||
const { title, body, data } = req.body as {
|
||||
title?: string;
|
||||
body?: string;
|
||||
|
||||
Reference in New Issue
Block a user