From 1d712758e3162e581290d6ff6f0d53d59b169574 Mon Sep 17 00:00:00 2001
From: Nickita Khylkouski <90287684+nickita-khylkouski@users.noreply.github.com>
Date: Sun, 10 May 2026 23:52:01 -0700
Subject: [PATCH] fix admin api session auth
---
 app/api/admin/post/[id]/route.ts | 20 +++---------
 app/api/admin/post/route.ts | 52 ++++++++------------------------
 app/api/admin/route.ts | 39 ++++++------------------
 lib/admin-auth.ts | 36 ++++++++++++++++++++++
 middleware.ts | 28 +++++------------
 5 files changed, 69 insertions(+), 106 deletions(-)
 create mode 100644 lib/admin-auth.ts
diff --git a/app/api/admin/post/[id]/route.ts b/app/api/admin/post/[id]/route.ts
index ed366f2..bc8eed4 100644
--- a/app/api/admin/post/[id]/route.ts
+++ b/app/api/admin/post/[id]/route.ts
@@ -1,24 +1,12 @@
 import { NextResponse } from 'next/server';
+import { getAdminUser } from '@/lib/admin-auth';
 import { db } from '@/lib/db';
 export async function DELETE(req: Request) {
 try {
- const token = req.headers.get('Authorization');
- if (!token)
- return NextResponse.json(
- {
- message: 'Invalid User',
- },
- { status: 403 },
- );
- const user = await db.user.findUnique({ where: { username: token } });
- if (!user)
- return NextResponse.json(
- {
- message: 'No user found with that token',
- },
- { status: 404 },
- );
+ const auth = await getAdminUser();
+ if (auth.response) return auth.response;
+
 const id = Number(req.url.split('post/')[1]);
 await db.post.delete({
diff --git a/app/api/admin/post/route.ts b/app/api/admin/post/route.ts
index 2f07c6d..85e6b55 100644
--- a/app/api/admin/post/route.ts
+++ b/app/api/admin/post/route.ts
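Review bot: `const id = Number(req.url.split('post/')[1])`, now the only remaining use of `req` in DELETE, yields NaN (or a wrong id) whenever the URL carries a query string or trailing slash, and nothing rejects that before `db.post.delete`. Since this is an App Router route under `[id]`, the id should come from the route params and be validated: `export async function DELETE(req: Request, { params }: { params: { id: string } })`, `const id = Number(params.id);`, `if (!Number.isInteger(id)) return NextResponse.json({ message: 'Invalid id' }, { status: 400 });` (on newer Next versions `params` is a Promise and must be awaited). The try block and the rest of DELETE continue past the hunk.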
@@ -1,17 +1,12 @@
 import { NextResponse } from 'next/server';
 import { Prisma } from '@prisma/client';
+import { getAdminUser } from '@/lib/admin-auth';
 import { db } from '@/lib/db';
 export async function POST(req: Request) {
 try {
- const token = req.headers.get('Authorization');
- if (!token)
- return NextResponse.json(
- {
- message: 'Invalid User',
- },
- { status: 403 },
- );
+ const auth = await getAdminUser();
+ if (auth.response) return auth.response;
 const body = await req.json();
 const post = await db.post.create({
@@ -37,22 +32,9 @@ export async function POST(req: Request) {
 export async function PUT(req: Request) {
 try {
- const token = req.headers.get('Authorization');
- if (!token)
- return NextResponse.json(
- {
- message: 'Invalid User',
- },
- { status: 403 },
- );
- const user = await db.user.findUnique({ where: { username: token } });
- if (!user)
- return NextResponse.json(
- {
- message: 'No user found with that token',
- },
- { status: 404 },
- );
+ const auth = await getAdminUser();
+ if (auth.response) return auth.response;
+
 const body = await req.json();
 const id = Number(body.id);
 const updatedPost = await db.post.update({
@@ -79,6 +61,9 @@ export async function PUT(req: Request) {
 }
 export async function GET(req: Request) {
 try {
+ const auth = await getAdminUser();
+ if (auth.response) return auth.response;
+
 const url = new URL(req.url);
 const page = Number(url.searchParams.get('page'));
 const limit = Number(url.searchParams.get('limit'));
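Review bot: In the PUT hunk, `const id = Number(body.id)` is handed to `db.post.update` with no check, so a missing or non-numeric `id` reaches Prisma as NaN and surfaces as whatever the catch block (outside the hunk) returns instead of a 400. Add `if (!Number.isInteger(id)) return NextResponse.json({ message: 'Invalid id' }, { status: 400 });` right after it; the POST hunk passes `body` into `db.post.create` with the same absence of validation, and the GET hunk's `page`/`limit` are likewise unchecked `Number()` conversions. Placing the session check before `req.json()` in all three handlers is the right order. Each handler's body continues past its hunk.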
@@ -132,22 +117,9 @@ export async function GET(req: Request) {
 }
 export async function DELETE(req: Request) {
 try {
- const token = req.headers.get('Authorization');
- if (!token)
- return NextResponse.json(
- {
- message: 'Invalid User',
- },
- { status: 403 },
- );
- const user = await db.user.findUnique({ where: { username: token } });
- if (!user)
- return NextResponse.json(
- {
- message: 'No user found with that token',
- },
- { status: 404 },
- );
+ const auth = await getAdminUser();
+ if (auth.response) return auth.response;
+
 const body = await req.json();
 const ids = body.ids;
 await db.post.deleteMany({
diff --git a/app/api/admin/route.ts b/app/api/admin/route.ts
index c26c66d..ffd97c6 100644
--- a/app/api/admin/route.ts
+++ b/app/api/admin/route.ts
@@ -1,20 +1,13 @@
 import { NextResponse } from 'next/server';
+import { getAdminUser } from '@/lib/admin-auth';
 import { db } from '@/lib/db';
-export async function GET(req: Request) {
+export async function GET() {
 try {
- const token = req.headers.get('Authorization');
- if (!token)
- return NextResponse.json(
- {
- message: 'Invalid User',
- },
- { status: 403 },
- );
+ const auth = await getAdminUser();
+ if (auth.response) return auth.response;
- const user = await db.user.findUnique({ where: { username: token } });
-
- return NextResponse.json({ status: 'success', user }, { status: 200 });
+ return NextResponse.json({ status: 'success', user: auth.user }, { status: 200 });
 } catch (error) {
 return NextResponse.json(
 {
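Review bot: In the DELETE hunk `const ids = body.ids` goes straight into `db.post.deleteMany` with no shape check, so a non-array or a list of non-integers is rejected (or not) only by Prisma inside the `where` clause that lies outside the hunk. A guard such as `if (!Array.isArray(ids) || !ids.every(Number.isInteger)) return NextResponse.json({ message: 'Invalid ids' }, { status: 400 });` makes the contract explicit and keeps malformed bulk deletes from becoming 500s. DELETE's body continues past the hunk.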
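Review bot: The added `return NextResponse.json({ status: 'success', user: auth.user }, ...)` serialises the whole Prisma `User` row to the client; if that model carries a password hash, reset token or similar column (not visible in this diff), it is sent to the browser on every admin GET. Return explicit fields instead — `const { username, email } = auth.user;` plus whatever other non-secret columns the UI needs — rather than the record itself. The old code had the same exposure, and moving to session auth is a good moment to close it.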
@@ -27,28 +20,16 @@ export async function GET(req: Request) {
 }
 export async function PUT(req: Request) {
 try {
- const token = req.headers.get('Authorization');
- if (!token)
- return NextResponse.json(
- {
- message: 'Invalid User',
- },
- { status: 403 },
- );
- const user = await db.user.findUnique({ where: { username: token } });
- if (!user)
- return NextResponse.json(
- {
- message: 'No user found with that token',
- },
- { status: 404 },
- );
+ const auth = await getAdminUser();
+ if (auth.response) return auth.response;
+
+ const user = auth.user;
 const body = await req.json();
 let isUsernameChange = false;
 if (user.username !== body.username) isUsernameChange = true;
 const updatedUser = await db.user.update({
- where: { username: token },
+ where: { username: user.username },
 data: {
 username: body.username,
 email: body.email,
diff --git a/lib/admin-auth.ts b/lib/admin-auth.ts
new file mode 100644
index 0000000..4bee702
--- /dev/null
+++ b/lib/admin-auth.ts
@@ -0,0 +1,36 @@
+import { User } from '@prisma/client';
+import { getServerSession } from 'next-auth';
+import { NextResponse } from 'next/server';
+import { authOptions } from '@/lib/auth';
+import { db } from '@/lib/db';
+
+type AdminAuthResult =
+ | {
+ response: NextResponse;
+ user?: never;
+ }
+ | {
+ response?: never;
+ user: User;
+ };
+
+export async function getAdminUser(): Promise {
+ const session = await getServerSession(authOptions);
+ const username = session?.user?.username;
+
+ if (!username) {
+ return {
+ response: NextResponse.json({ message: 'Invalid User' }, { status: 403 }),
+ };
+ }
+
+ const user = await db.user.findUnique({ where: { username } });
+
+ if (!user) {
+ return {
+ response: NextResponse.json({ message: 'No user found with that token' }, { status: 404 }),
+ };
+ }
+
+ return { user };
+}
diff --git a/middleware.ts b/middleware.ts
index 08c3c6d..d01d576 100644
--- a/middleware.ts
+++ b/middleware.ts
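Review bot: `getAdminUser` admits any account whose session username exists in `db.user`; neither this helper nor the `withAuth` middleware checks an admin attribute, so if ordinary users can sign in they can call every `/api/admin` handler that relies on it (whether the User model has such a flag is not visible in the diff). Add that check after the `findUnique` lookup, returning the same 403 shape, and give the helper a TSDoc block stating that it resolves the caller from the next-auth session, what each branch of `AdminAuthResult` means, and that callers must return `auth.response` whenever it is set. Two smaller points: a missing session is conventionally 401 rather than 403, and the `'No user found with that token'` message is stale now that no token is involved — e.g. `response: NextResponse.json({ message: 'Unauthorized' }, { status: 401 })`. The return type prints as bare `Promise` here; if that is not a rendering artifact it should be `Promise<AdminAuthResult>`. `session?.user?.username` also relies on the next-auth `Session` type being augmented with `username` in `@/lib/auth`, which this diff does not show.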
@@ -1,25 +1,11 @@
-import { NextRequest, NextResponse } from "next/server";
+import { withAuth } from 'next-auth/middleware';
-export function middleware(req: NextRequest) {
- const token = req.headers.get("Authorization");
- if (req.nextUrl.pathname.startsWith("/admin")) {
- const url = req.nextUrl.clone();
- url.pathname = "/login";
- NextResponse.redirect(url);
- }
-
- if (token == null || token == "") {
- return NextResponse.json(
- {
- message: "Unauthorized",
- },
- { status: 403 }
- );
- }
-
- return NextResponse.next();
-}
+export default withAuth({
+ pages: {
+ signIn: '/login',
+ },
+});
 export const config = {
- matcher: ["/api/admin/:path*"],
+ matcher: ['/admin/:path*'],
 };
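Review bot: Nothing covers `/api/admin/*` any more once the matcher drops to `'/admin/:path*'`, so every API handler is protected solely by its own `getAdminUser()` call — any admin route not touched by this commit would now be open (none is visible here, but worth confirming before merge). `withAuth` is also configured without `callbacks.authorized`, so the admin pages only require a signed-in session; if non-admin accounts exist, gate on the JWT's admin claim, e.g. `callbacks: { authorized: ({ token }) => token?.role === 'admin' }`, substituting whatever claim name the app's JWT actually carries. A one-line comment above `config` — `// API routes under /api/admin authenticate per handler via lib/admin-auth.ts` — would keep the narrowed matcher from being widened or narrowed unknowingly later.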