security: enforce session-derived user identity on API routes (#186)

* security: enforce session user on api routes * test: harden auth guard failure path
2026-03-26 15:47:43 +03:00 · 2026-02-24 11:47:29 +05:30
parent f28ac8fa09
commit 6a548e3dac
24 changed files with 334 additions and 201 deletions
--- a/src/pages/api/sync/index.ts
+++ b/src/pages/api/sync/index.ts
@@ -12,14 +12,12 @@ import {
 import { jsonResponse, createSecureErrorResponse } from "@/lib/utils";
 import { mergeGitReposPreferStarred, calcBatchSizeForInsert } from "@/lib/repo-utils";
 import { getDecryptedGitHubToken } from "@/lib/utils/config-encryption";
+import { requireAuthenticatedUserId } from "@/lib/auth-guards";

-export const POST: APIRoute = async ({ request }) => {
-  const url = new URL(request.url);
-  const userId = url.searchParams.get("userId");
-
-  if (!userId) {
-    return jsonResponse({ data: { error: "Missing userId" }, status: 400 });
-  }
+export const POST: APIRoute = async ({ request, locals }) => {
+  const authResult = await requireAuthenticatedUserId({ request, locals });
+  if ("response" in authResult) return authResult.response;
+  const userId = authResult.userId;

  try {
    const [config] = await db
--- a/src/pages/api/sync/organization.ts
+++ b/src/pages/api/sync/organization.ts
@@ -10,15 +10,20 @@ import type { RepositoryVisibility, RepoStatus } from "@/types/Repository";
 import { v4 as uuidv4 } from "uuid";
 import { decryptConfigTokens } from "@/lib/utils/config-encryption";
 import { createGitHubClient } from "@/lib/github";
+import { requireAuthenticatedUserId } from "@/lib/auth-guards";

-export const POST: APIRoute = async ({ request }) => {
+export const POST: APIRoute = async ({ request, locals }) => {
  try {
-    const body: AddOrganizationApiRequest = await request.json();
-    const { role, org, userId, force = false } = body;
+    const authResult = await requireAuthenticatedUserId({ request, locals });
+    if ("response" in authResult) return authResult.response;
+    const userId = authResult.userId;

-    if (!org || !userId || !role) {
+    const body: AddOrganizationApiRequest = await request.json();
+    const { role, org, force = false } = body;
+
+    if (!org || !role) {
      return jsonResponse({
-        data: { success: false, error: "Missing org, role or userId" },
+        data: { success: false, error: "Missing org or role" },
        status: 400,
      });
    }
--- a/src/pages/api/sync/repository.ts
+++ b/src/pages/api/sync/repository.ts
@@ -11,17 +11,22 @@ import type {
  RepositoryVisibility,
 } from "@/types/Repository";
 import { createMirrorJob } from "@/lib/helpers";
+import { requireAuthenticatedUserId } from "@/lib/auth-guards";

-export const POST: APIRoute = async ({ request }) => {
+export const POST: APIRoute = async ({ request, locals }) => {
  try {
-    const body: AddRepositoriesApiRequest = await request.json();
-    const { owner, repo, userId, force = false } = body;
+    const authResult = await requireAuthenticatedUserId({ request, locals });
+    if ("response" in authResult) return authResult.response;
+    const userId = authResult.userId;

-    if (!owner || !repo || !userId) {
+    const body: AddRepositoriesApiRequest = await request.json();
+    const { owner, repo, force = false } = body;
+
+    if (!owner || !repo) {
      return new Response(
        JSON.stringify({
          success: false,
-          error: "Missing owner, repo, or userId",
+          error: "Missing owner or repo",
        }),
        { status: 400 }
      );
@@ -34,7 +39,7 @@ export const POST: APIRoute = async ({ request }) => {
      return jsonResponse({
        data: {
          success: false,
-          error: "Missing owner, repo, or userId",
+          error: "Missing owner or repo",
        },
        status: 400,
      });