feat: add api key check in api route

2023-12-15 19:18:42 +08:00 · 2023-12-15 19:18:42 +08:00 · 9aa2484872
commit 9aa2484872
parent 72d0364fee
4 changed files with 39 additions and 21 deletions
--- a/web/src/app/api/run/route.ts
+++ b/web/src/app/api/run/route.ts
@ -3,6 +3,7 @@ import { createRun } from "../../../server/createRun";
 import { db } from "@/db/db";
 import { deploymentsTable } from "@/db/schema";
 import { getRunsData } from "@/server/getRunsOutput";
+import { parseJWT } from "@/server/parseJWT";
 import { replaceCDNUrl } from "@/server/resource";
 import { eq } from "drizzle-orm";
 import { NextResponse } from "next/server";
@ -18,6 +19,14 @@ const Request2 = z.object({
 });

 export async function GET(request: Request) {
+  const token = request.headers.get("Authorization")?.split(" ")?.[1]; // Assuming token is sent as "Bearer your_token"
+  const userData = token ? parseJWT(token) : undefined;
+  if (!userData) {
+    return new NextResponse("Invalid or expired token", {
+      status: 401,
+    });
+  }
+
  const [data, error] = await parseDataSafe(Request2, request);
  if (!data || error) return error;

@ -44,6 +53,14 @@ export async function GET(request: Request) {
 }

 export async function POST(request: Request) {
+  const token = request.headers.get("Authorization")?.split(" ")?.[1]; // Assuming token is sent as "Bearer your_token"
+  const userData = token ? parseJWT(token) : undefined;
+  if (!userData) {
+    return new NextResponse("Invalid or expired token", {
+      status: 401,
+    });
+  }
+
  const [data, error] = await parseDataSafe(Request, request);
  if (!data || error) return error;

--- a/web/src/app/api/upload/route.ts
+++ b/web/src/app/api/upload/route.ts
@ -1,3 +1,4 @@
+import { parseJWT } from "../../../server/parseJWT";
 import { db } from "@/db/db";
 import {
  workflowAPIType,
@ -7,7 +8,6 @@ import {
 } from "@/db/schema";
 import { parseDataSafe } from "@/lib/parseDataSafe";
 import { sql } from "drizzle-orm";
-import jwt from "jsonwebtoken";
 import { NextResponse } from "next/server";
 import { z } from "zod";

@ -36,24 +36,6 @@ export async function OPTIONS(request: Request) {
  });
 }

-const APIKeyBodyRequest = z.object({
-  user_id: z.string().optional(),
-  org_id: z.string().optional(),
-  iat: z.number(),
-});
-
-function parseJWT(token: string) {
-  try {
-    // Verify the token - this also decodes it
-    const decoded = jwt.verify(token, process.env.JWT_SECRET!);
-    return APIKeyBodyRequest.parse(decoded);
-  } catch (err) {
-    // Handle error (token is invalid, expired, etc.)
-    console.error(err);
-    return null;
-  }
-}
-
 export async function POST(request: Request) {
  const token = request.headers.get("Authorization")?.split(" ")?.[1]; // Assuming token is sent as "Bearer your_token"
  const userData = token ? parseJWT(token) : undefined;
@ -64,8 +46,6 @@ export async function POST(request: Request) {
    });
  }

-  console.log(userData);
-
  const { user_id, org_id } = userData;

  if (!user_id) return new NextResponse("Invalid user_id", { status: 401 });
--- a/web/src/server/APIKeyBodyRequest.ts
+++ b/web/src/server/APIKeyBodyRequest.ts
@ -0,0 +1,7 @@
+import { z } from "zod";
+
+export const APIKeyBodyRequest = z.object({
+  user_id: z.string().optional(),
+  org_id: z.string().optional(),
+  iat: z.number(),
+});
--- a/web/src/server/parseJWT.ts
+++ b/web/src/server/parseJWT.ts
@ -0,0 +1,14 @@
+import { APIKeyBodyRequest } from "@/server/APIKeyBodyRequest";
+import jwt from "jsonwebtoken";
+
+export function parseJWT(token: string) {
+  try {
+    // Verify the token - this also decodes it
+    const decoded = jwt.verify(token, process.env.JWT_SECRET!);
+    return APIKeyBodyRequest.parse(decoded);
+  } catch (err) {
+    // Handle error (token is invalid, expired, etc.)
+    console.error(err);
+    return null;
+  }
+}