prevent not-owned slugs to be open from domain #18
Conversation
|
|
||
| // Prevent other users' pages to be loaded | ||
| if (url.pathname.includes("loadPageChunk")) { | ||
| if (!body.includes(NOTION_MAIL)) { |
There was a problem hiding this comment.
this is an interesting approach! i like it.
i want to make this more granular though.
loadPageChunk returns several maps: block, space, notion_user, collection_view, and collection. so it's not guaranteed that if the email exists in the response text, the page is created by the user of that email.
but certainly this is on the right track though. i think the correct solution may be (await response.json).recordMap.notion_user.email !== MY_EMAIL. i will look further into this and report back :)
There was a problem hiding this comment.
recordMap can have multiple users with different id's (If you duplicate a page template, that's the situation). On a different scenario, I might have a multiple user Notion page and might have no contribution on some of the pages (hence my email won't even exist on those pages). I'll send my solution to this.
There was a problem hiding this comment.
this is an interesting approach! i like it.
i want to make this more granular though.
loadPageChunkreturns several maps:block,space,notion_user,collection_view, andcollection. so it's not guaranteed that if the email exists in the response text, the page is created by the user of that email.but certainly this is on the right track though. i think the correct solution may be
(await response.json).recordMap.notion_user.email !== MY_EMAIL. i will look further into this and report back :)
I thought parsing JSON would cost a bit, so I just checked plaintext. But this can be improved. I'll think on another solution.
There was a problem hiding this comment.
A bit convoluted, but I've been using the code below, where NOTION_EMAILS is an array of emails that can have pages that the custom domain can map to.
const data = JSON.parse(body)
if (!NOTION_EMAILS.includes(data.recordMap.notion_user[Object.keys(data.recordMap.notion_user)[0]].value.email)) {
throw new Error('page not owned by correct user')
}
There was a problem hiding this comment.
Fyi, as of notion api v3, what I provided no longer works as the recordMap returned by /loadPageChunk no longer contains the notion_user field
There was a problem hiding this comment.
yeah, unfortunately this doesn't work anymore because the space map is no longer in recordMap in the response of loadPageChunk.
would appreciate it if anyone has a better idea in terms of how to fix it.
No description provided.