aldrichdev / neatf2p-nextjs

Next.js project/website for Neat F2P.

https://neatf2p-nextjs.vercel.app

0 stars 1 forks source link

F2P-137 | What can we do to protect submitNewsPost calls? #101

Closed aldrichdev closed 5 months ago

aldrichdev commented 5 months ago

What's Changed

Added code to prevent any authenticated user from submitting news posts by checking if they are an admin in the query
Added function comment to shouldBlockApiCall explaining what it does

How Has This Been Tested?

Tested the submitNewsPost API endpoint in Postman:

With session cookie and user ID of admin user specified in the request, the news post is created.
With session cookie and user ID of a non-admin user specified, Error: Unauthorized is returned.
If the userId provided is an admin user but the session cookie does not match the session of this userId, the request will be blocked (existing functionality) with the error Forbidden.

vercel[bot] commented 5 months ago

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
neatf2p-nextjs	✅ Ready (Inspect)	Visit Preview	Apr 4, 2024 1:32am