fix: Authorize upload by userId check

becem-gharbi · becem-gharbi · commit ce986fd10705 · 2023-11-08T08:58:44.000+01:00
diff --git a/server/middleware/s3.ts b/server/middleware/s3.ts
@@ -1,10 +1,11 @@
 // @ts-nocheck
 export default defineEventHandler((event) => {
-  const isS3Mutation = getRequestURL(event).pathname.includes('s3/mutation')
-  const isS3Query = getRequestURL(event).pathname.includes('s3/query')
+  const { pathname } = getRequestURL(event)
+  const isS3Mutation = pathname.startsWith('/api/s3/mutation')
+  const isS3Query = pathname.startsWith('/api/s3/query')
 
   if (isS3Mutation) {
-    checkUser(event)
+    checkUpload(event)
 
     // https://github.com/unjs/nitro/issues/1719
     const isBase64 = (value: string) => {
diff --git a/server/utils/auth.ts b/server/utils/auth.ts
@@ -1,5 +1,6 @@
 import type { H3Event } from 'h3'
 import { compareSync } from '#auth'
+import { getKey } from '#s3'
 
 export async function checkDevice (event: H3Event) {
   const deviceId = event.context.params?.id
@@ -29,3 +30,15 @@ export function checkUser (event: H3Event) {
   }
   throw createUnauthorizedError()
 }
+
+export function checkUpload (event: H3Event) {
+  const { userId } = checkUser(event)
+
+  const key = getKey(event)
+
+  const userIdFromKey = key.split('/')[0]
+
+  if (userId !== userIdFromKey) {
+    throw createUnauthorizedError()
+  }
+}
