import { withMethods } from "@lib/api-middleware/with-methods"
import { parseQueryParam } from "@lib/server/parse-query-param"
import { getPostById } from "@lib/server/prisma"
import type { NextApiRequest, NextApiResponse } from "next"
import { prisma } from "src/lib/server/prisma"
import * as crypto from "crypto"
import { getSession } from "@lib/server/session"
import { verifyApiUser } from "@lib/server/verify-api-user"
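/**
 * GET /api/post/[id]: return a post according to its visibility.
 *
 * - "public": returned to anyone, marked cacheable for shared caches.
 * - "unlisted": only the Cache-Control header is set here; the request then
 *   follows the same author / 404 path as below (see NOTE in the branch).
 * - "protected": returned to the author, or to a caller whose `password`
 *   query parameter hashes to the stored hash; any other caller gets a stub
 *   with `isProtected: true`.
 * - anything else: 404, so private and missing posts are indistinguishable.
 *
 * The stored password hash is stripped from every response body.
 *
 * @param req - reads `query.id` and `query.password`
 * @param res - 400 (missing id), 404, or 200 with the post / stub
 */
async function handleGet(req: NextApiRequest, res: NextApiResponse<unknown>) {
  const id = parseQueryParam(req.query.id)
  if (!id) {
    return res.status(400).json({ error: "Missing id" })
  }

  const post = await getPostById(id, {
    include: {
      files: true,
      author: true
    }
  })
  if (!post) {
    return res.status(404).json({ message: "Post not found" })
  }

  // Never serialise the stored password hash. Previously the public branch
  // returned `post` verbatim and the other branches placed `password:
  // undefined` *next to* `post` rather than inside it, so the hash still
  // left the server.
  // NOTE(review): the whole `author` relation is returned as well — confirm
  // it carries no columns that should stay private.
  const safePost = { ...post, password: undefined }

  if (post.visibility === "public") {
    res.setHeader("Cache-Control", "s-maxage=86400, stale-while-revalidate")
    return res.json(safePost)
  } else if (post.visibility === "unlisted") {
    // NOTE(review): this header is set before the identity-dependent
    // responses below, so a shared cache may briefly hold the author's view
    // of an unlisted post. Also, a non-author never receives an unlisted
    // post from this handler (it falls through to the final 404) — confirm
    // that is intended.
    res.setHeader("Cache-Control", "s-maxage=1, stale-while-revalidate")
  }

  // NOTE(review): verifyApiUser receives `res`; confirm it does not itself
  // send a response for unauthenticated callers, or the code below would
  // write a second one.
  const userId = await verifyApiUser(req, res)

  // the user can always go directly to their own post
  // (`!= null` guards against an unauthenticated caller matching a post
  // whose authorId happens to be null/undefined)
  if (userId != null && userId === post.authorId) {
    return res.json({ post: safePost })
  }

  if (post.visibility === "protected") {
    const password = parseQueryParam(req.query.password)
    if (post.password && passwordMatchesHash(password ?? "", post.password)) {
      return res.json({ post: safePost })
    }
    return res.json({
      isProtected: true,
      post: {
        id: post.id,
        visibility: post.visibility,
        authorId: post.authorId
      }
    })
  }

  return res.status(404).json({ message: "Post not found" })
}

/**
 * Compare a candidate password against the stored hex-encoded SHA-256 hash
 * in constant time, so the comparison does not reveal how many leading
 * bytes matched.
 *
 * The unsalted SHA-256 scheme is dictated by what `handlePut` stores; it is
 * weak against offline guessing of a leaked hash and should be migrated to a
 * salted, slow KDF on both the write and read side together.
 *
 * @param candidate - the password supplied by the caller (may be "")
 * @param storedHexHash - the hash persisted on the post
 * @returns true only when the digests are byte-for-byte equal
 */
function passwordMatchesHash(candidate: string, storedHexHash: string): boolean {
  const candidateDigest = crypto.createHash("sha256").update(candidate).digest()
  // Buffer.from(..., "hex") does not throw on malformed input; it stops at the
  // first non-hex character, so a corrupt stored value fails the length check.
  const storedDigest = Buffer.from(storedHexHash, "hex")
  if (storedDigest.length !== candidateDigest.length) {
    return false
  }
  return crypto.timingSafeEqual(candidateDigest, storedDigest)
}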
// PUT is for adjusting visibility and password
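/**
 * PUT /api/post/[id]: change a post's visibility and, for protected posts,
 * its password. Only the post's author may do this.
 *
 * Body (untrusted JSON): `{ visibility?: string, password?: string }`.
 * The password is stored only when `visibility === "protected"`; for any
 * other visibility the stored hash is cleared.
 *
 * @param req - reads `query.id` and the JSON body
 * @param res - 400 (missing id / bad body), 403 (not the author),
 *   404 (no such post), otherwise `{ id, visibility }` of the updated row
 */
async function handlePut(req: NextApiRequest, res: NextApiResponse<unknown>) {
  const { password, visibility } = req.body
  const id = parseQueryParam(req.query.id)
  if (!id) {
    return res.status(400).json({ error: "Missing id" })
  }

  const post = await getPostById(id)
  if (!post) {
    return res.status(404).json({ message: "Post not found" })
  }

  // Authorisation before body validation, so unauthorised callers learn
  // nothing about what the endpoint accepts.
  const session = await getSession({ req, res })
  const isAuthor = session?.user?.id === post.authorId
  if (!isAuthor) {
    return res.status(403).json({ message: "Unauthorized" })
  }

  // `req.body` comes straight from the client. Previously a non-string
  // `visibility` went to Prisma unchecked and a non-string `password` was
  // hashed via `.toString()` (e.g. "[object Object]").
  // NOTE(review): the set of allowed visibility values is not checked here;
  // if the column is an enum Prisma will reject unknown values with a 500
  // rather than a 400 — consider an explicit allow-list.
  if (visibility !== undefined && typeof visibility !== "string") {
    return res.status(400).json({ message: "Invalid visibility" })
  }

  // Only hash when the value will actually be stored.
  // NOTE(review): unsalted SHA-256 is a weak password hash; migrating to a
  // salted, slow KDF requires changing the GET comparison at the same time.
  let hashedPassword: string | null = null
  if (visibility === "protected") {
    if (typeof password !== "string" || password.length === 0) {
      return res.status(400).json({ message: "Missing password" })
    }
    hashedPassword = crypto.createHash("sha256").update(password).digest("hex")
  }

  const updatedPost = await prisma.post.update({
    where: {
      id
    },
    data: {
      visibility,
      password: hashedPassword
    }
  })

  res.json({
    id: updatedPost.id,
    visibility: updatedPost.visibility
  })
}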
/**
 * DELETE /api/post/[id]: delete a post. Permitted for the post's author or
 * for a session whose user role is "admin".
 *
 * @param req - reads `query.id`
 * @param res - 400 (missing id), 404 (no such post), 403 (neither author
 *   nor admin), otherwise `{ message: "Post deleted" }`
 */
async function handleDelete(
  req: NextApiRequest,
  res: NextApiResponse<unknown>
) {
  const postId = parseQueryParam(req.query.id)
  if (!postId) {
    return res.status(400).json({ error: "Missing id" })
  }

  const existing = await getPostById(postId)
  if (!existing) {
    return res.status(404).json({ message: "Post not found" })
  }

  const session = await getSession({ req, res })
  const user = session?.user
  const mayDelete = user?.id === existing.authorId || user?.role === "admin"
  if (!mayDelete) {
    return res.status(403).json({ message: "Unauthorized" })
  }

  // `include` presumably asks Prisma to return the related files on the
  // deleted record; the result is not used here.
  await prisma.post.delete({
    where: { id: postId },
    include: { files: true }
  })

  res.json({ message: "Post deleted" })
}
/**
 * Dispatch on the HTTP method. Any other method produces no response from
 * this function; it is expected to be rejected by `withMethods` before
 * reaching here.
 */
const handler = async (req: NextApiRequest, res: NextApiResponse) => {
  switch (req.method) {
    case "GET":
      return handleGet(req, res)
    case "PUT":
      return handlePut(req, res)
    case "DELETE":
      return handleDelete(req, res)
    default:
      return undefined
  }
}
// Only these three methods reach `handler`; the allow-list must stay in sync
// with the cases it dispatches on.
export default withMethods(["GET", "PUT", "DELETE"], handler)