Merge pull request #271 from FleetAdmiralJakob/improved-security-of-q…

…ueries
FleetAdmiralJakob · Jun 22, 2024 · 249f4f5 · 249f4f5
2 parents 4bc3a60 + ae3781b
commit 249f4f5
Show file tree

Hide file tree

Showing 8 changed files with 77 additions and 31 deletions.
diff --git a/convex/_generated/api.d.ts b/convex/_generated/api.d.ts
@@ -4,7 +4,7 @@
  *
  * THIS CODE IS AUTOMATICALLY GENERATED.
  *
- * Generated by [email protected].1.
+ * Generated by [email protected].2.
  * To regenerate, run `npx convex dev`.
  * @module
  */

diff --git a/convex/_generated/api.js b/convex/_generated/api.js
@@ -4,7 +4,7 @@
  *
  * THIS CODE IS AUTOMATICALLY GENERATED.
  *
- * Generated by [email protected].1.
+ * Generated by [email protected].2.
  * To regenerate, run `npx convex dev`.
  * @module
  */

diff --git a/convex/_generated/dataModel.d.ts b/convex/_generated/dataModel.d.ts
@@ -4,7 +4,7 @@
  *
  * THIS CODE IS AUTOMATICALLY GENERATED.
  *
- * Generated by [email protected].1.
+ * Generated by [email protected].2.
  * To regenerate, run `npx convex dev`.
  * @module
  */

diff --git a/convex/_generated/server.d.ts b/convex/_generated/server.d.ts
@@ -4,7 +4,7 @@
  *
  * THIS CODE IS AUTOMATICALLY GENERATED.
  *
- * Generated by [email protected].1.
+ * Generated by [email protected].2.
  * To regenerate, run `npx convex dev`.
  * @module
  */

diff --git a/convex/_generated/server.js b/convex/_generated/server.js
@@ -4,7 +4,7 @@
  *
  * THIS CODE IS AUTOMATICALLY GENERATED.
  *
- * Generated by [email protected].1.
+ * Generated by [email protected].2.
  * To regenerate, run `npx convex dev`.
  * @module
  */

diff --git a/convex/chats.ts b/convex/chats.ts
@@ -97,7 +97,7 @@ export const getChats = query({
     const identity = await ctx.auth.getUserIdentity();
 
     if (identity === null) {
-      return null;
+      throw new ConvexError("Unauthenticated call to mutation");
     }
 
     return await ctx
@@ -168,7 +168,7 @@ export const getChatInfoFromId = query({
     const identity = await ctx.auth.getUserIdentity();
 
     if (identity === null) {
-      return null;
+      throw new ConvexError("Unauthenticated call to mutation");
     }
 
     const parsedChatId = ctx.table("privateChats").normalizeId(args.chatId);
@@ -183,13 +183,21 @@ export const getChatInfoFromId = query({
       throw new ConvexError("did not find chat");
     }
 
-    const chatWithUser = {
+    const usersInChat = await chat.edge("users");
+
+    if (
+      !usersInChat.some((user) => user.clerkId === identity.tokenIdentifier)
+    ) {
+      throw new ConvexError(
+        "UNAUTHORIZED REQUEST: User requested chat info from a chat in which he is not in.",
+      );
+    }
+
+    return {
       basicChatInfo: chat,
-      otherUser: (await chat.edge("users")).filter(
+      otherUser: usersInChat.filter(
         (user) => user.clerkId !== identity.tokenIdentifier,
       ),
     };
-
-    return chatWithUser;
   },
 });
diff --git a/convex/messages.ts b/convex/messages.ts
@@ -4,23 +4,37 @@ import { ConvexError, v } from "convex/values";
 export const getMessages = query({
   args: { chatId: v.string() },
   handler: async (ctx, args) => {
+    const identity = await ctx.auth.getUserIdentity();
+
+    if (identity === null) {
+      throw new ConvexError("Unauthenticated call to mutation");
+    }
+
     const parsedChatId = ctx.table("privateChats").normalizeId(args.chatId);
 
     if (!parsedChatId) {
       throw new ConvexError("chatId was invalid");
     }
 
-    return ctx
-      .table("privateChats")
-      .getX(parsedChatId)
-      .edge("messages")
-      .map(async (message) => ({
-        ...message,
-        userId: undefined,
-        from: await ctx.table("users").getX(message.userId),
-        readBy: await message.edge("readBy"),
-        sent: true,
-      }));
+    const chat = ctx.table("privateChats").getX(parsedChatId);
+
+    const usersInChat = await chat.edge("users");
+
+    if (
+      !usersInChat.some((user) => user.clerkId === identity.tokenIdentifier)
+    ) {
+      throw new ConvexError(
+        "UNAUTHORIZED REQUEST: User requested messages from a chat in which he is not in.",
+      );
+    }
+
+    return chat.edge("messages").map(async (message) => ({
+      ...message,
+      userId: undefined,
+      from: await ctx.table("users").getX(message.userId),
+      readBy: await message.edge("readBy"),
+      sent: true,
+    }));
   },
 });
 
@@ -30,7 +44,7 @@ export const createMessage = mutation({
     const identity = await ctx.auth.getUserIdentity();
 
     if (identity === null) {
-      return null;
+      throw new ConvexError("Unauthenticated call to mutation");
     }
 
     const convexUser = await ctx
@@ -49,6 +63,19 @@ export const createMessage = mutation({
       );
     }
 
+    const usersInChat = await ctx
+      .table("privateChats")
+      .getX(parsedChatId)
+      .edge("users");
+
+    if (
+      !usersInChat.some((user) => user.clerkId === identity.tokenIdentifier)
+    ) {
+      throw new ConvexError(
+        "UNAUTHORIZED REQUEST: User tried to send a message in a chat in which he is not in.",
+      );
+    }
+
     if (args.content.trim() === "") throw new Error("Post cannot be empty");
 
     await ctx.table("messages").insert({
@@ -64,6 +91,12 @@ export const createMessage = mutation({
 export const deleteMessage = mutation({
   args: { messageId: v.string() },
   handler: async (ctx, args) => {
+    const identity = await ctx.auth.getUserIdentity();
+
+    if (identity === null) {
+      throw new ConvexError("Unauthenticated call to mutation");
+    }
+
     const parsedMessageId = ctx.table("messages").normalizeId(args.messageId);
 
     if (!parsedMessageId) {
@@ -73,14 +106,18 @@ export const deleteMessage = mutation({
     const message = await ctx.table("messages").getX(parsedMessageId);
     const chatId = message.privateChatId;
     const chat = await ctx.table("privateChats").getX(chatId);
-    const users = await chat.edge("users");
+    const usersInChat = await chat.edge("users");
+
+    if ((await message.edge("user")).clerkId !== identity.tokenIdentifier) {
+      throw new ConvexError(
+        "UNAUTHORIZED REQUEST: User tried to delete a message from another person.",
+      );
+    }
 
-    await (
-      await ctx.table("messages").getX(parsedMessageId)
-    ).patch({
+    await message.patch({
       content: "",
       deleted: true,
-      readBy: { add: users.map((user) => user._id) },
+      readBy: { add: usersInChat.map((user) => user._id) },
     });
   },
 });
@@ -91,7 +128,7 @@ export const markMessageRead = mutation({
     const identity = await ctx.auth.getUserIdentity();
 
     if (identity === null) {
-      return null;
+      throw new ConvexError("Unauthenticated call to mutation");
     }
 
     const convexUser = await ctx

diff --git a/convex/users.ts b/convex/users.ts
@@ -1,11 +1,12 @@
 import { query } from "./lib/functions";
+import { ConvexError } from "convex/values";
 
 export const getUserData = query({
-  handler: async (ctx, args) => {
+  handler: async (ctx) => {
     const identity = await ctx.auth.getUserIdentity();
 
     if (identity === null) {
-      return null;
+      throw new ConvexError("Unauthenticated call to mutation");
     }
 
     return ctx.table("users").getX("clerkId", identity.tokenIdentifier);