fix: keys setting vulns (#2718)

* fix: keys setting vulns * fix: check workspace ownership * fix: check workspace ownership --------- Co-authored-by: chronark <[email protected]>
unkeyed · Dec 6, 2024 · c1af9a3 · c1af9a3
1 parent bca5871
commit c1af9a3
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 24 deletions.
diff --git a/apps/dashboard/app/(app)/apis/[apiId]/settings/default-bytes.tsx b/apps/dashboard/app/(app)/apis/[apiId]/settings/default-bytes.tsx
@@ -19,7 +19,6 @@ import { useForm } from "react-hook-form";
 import { z } from "zod";
 const formSchema = z.object({
   keyAuthId: z.string(),
-  workspaceId: z.string(),
   defaultBytes: z
     .number()
     .min(8, "Byte size needs to be at least 8")
@@ -30,7 +29,6 @@ const formSchema = z.object({
 type Props = {
   keyAuth: {
     id: string;
-    workspaceId: string;
     defaultBytes: number | undefined | null;
   };
 };
@@ -42,7 +40,6 @@ export const DefaultBytes: React.FC<Props> = ({ keyAuth }) => {
     defaultValues: {
       defaultBytes: keyAuth.defaultBytes ?? undefined,
       keyAuthId: keyAuth.id,
-      workspaceId: keyAuth.workspaceId,
     },
   });
 
@@ -78,7 +75,6 @@ export const DefaultBytes: React.FC<Props> = ({ keyAuth }) => {
         </CardHeader>
         <CardContent>
           <div className="flex flex-col space-y-2">
-            <input type="hidden" name="workspaceId" value={keyAuth.workspaceId} />
             <input type="hidden" name="keyAuthId" value={keyAuth.id} />
             <label className="hidden sr-only">Default Bytes</label>
             <FormField

diff --git a/apps/dashboard/app/(app)/apis/[apiId]/settings/default-prefix.tsx b/apps/dashboard/app/(app)/apis/[apiId]/settings/default-prefix.tsx
@@ -17,16 +17,15 @@ import { zodResolver } from "@hookform/resolvers/zod";
 import { useRouter } from "next/navigation";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
+
 const formSchema = z.object({
   keyAuthId: z.string(),
-  workspaceId: z.string(),
   defaultPrefix: z.string(),
 });
 
 type Props = {
   keyAuth: {
     id: string;
-    workspaceId: string;
     defaultPrefix: string | undefined | null;
   };
 };
@@ -38,7 +37,6 @@ export const DefaultPrefix: React.FC<Props> = ({ keyAuth }) => {
     defaultValues: {
       defaultPrefix: keyAuth.defaultPrefix ?? undefined,
       keyAuthId: keyAuth.id,
-      workspaceId: keyAuth.workspaceId,
     },
   });
 
@@ -71,7 +69,6 @@ export const DefaultPrefix: React.FC<Props> = ({ keyAuth }) => {
         </CardHeader>
         <CardContent>
           <div className="flex flex-col space-y-2">
-            <input type="hidden" name="workspaceId" value={keyAuth.workspaceId} />
             <input type="hidden" name="keyAuthId" value={keyAuth.id} />
             <label className="hidden sr-only">Default Prefix</label>
             <FormField

diff --git a/apps/dashboard/lib/trpc/routers/api/setDefaultBytes.ts b/apps/dashboard/lib/trpc/routers/api/setDefaultBytes.ts
@@ -15,26 +15,29 @@ export const setDefaultApiBytes = t.procedure
         .max(255, "Byte size cannot exceed 255")
         .optional(),
       keyAuthId: z.string(),
-      workspaceId: z.string(),
     }),
   )
   .mutation(async ({ ctx, input }) => {
     const keyAuth = await db.query.keyAuth
       .findFirst({
-        where: (table, { eq }) => eq(table.id, input.keyAuthId),
+        where: (table, { eq, and, isNull }) =>
+          and(eq(table.id, input.keyAuthId), isNull(table.deletedAt)),
+        with: {
+          workspace: true,
+        },
       })
       .catch((_err) => {
         throw new TRPCError({
           code: "INTERNAL_SERVER_ERROR",
           message:
-            "We were unable to find the KeyAuth. Please try again or contact [email protected].",
+            "We were unable to update the key auth. Please try again or contact [email protected]",
         });
       });
-    if (!keyAuth || keyAuth.workspaceId !== input.workspaceId) {
+    if (!keyAuth || keyAuth.workspace.tenantId !== ctx.tenant.id) {
       throw new TRPCError({
         code: "NOT_FOUND",
         message:
-          "We are unable to find the correct keyAuth. Please try again or contact [email protected]",
+          "We are unable to find the correct key auth. Please try again or contact [email protected].",
       });
     }
     await db
@@ -44,7 +47,7 @@ export const setDefaultApiBytes = t.procedure
           .set({
             defaultBytes: input.defaultBytes,
           })
-          .where(eq(schema.keyAuth.id, input.keyAuthId))
+          .where(eq(schema.keyAuth.id, keyAuth.id))
           .catch((_err) => {
             throw new TRPCError({
               code: "INTERNAL_SERVER_ERROR",
@@ -53,13 +56,13 @@ export const setDefaultApiBytes = t.procedure
             });
           });
         await insertAuditLogs(tx, {
-          workspaceId: keyAuth.workspaceId,
+          workspaceId: keyAuth.workspace.id,
           actor: {
             type: "user",
             id: ctx.user.id,
           },
           event: "api.update",
-          description: `Changed ${keyAuth.workspaceId} default byte size for keys from ${keyAuth.defaultBytes} to ${input.defaultBytes}`,
+          description: `Changed ${keyAuth.id} default byte size for keys from ${keyAuth.defaultBytes} to ${input.defaultBytes}`,
           resources: [
             {
               type: "keyAuth",

diff --git a/apps/dashboard/lib/trpc/routers/api/setDefaultPrefix.ts b/apps/dashboard/lib/trpc/routers/api/setDefaultPrefix.ts
@@ -11,35 +11,40 @@ export const setDefaultApiPrefix = t.procedure
     z.object({
       defaultPrefix: z.string().max(8, "Prefix can be a maximum of 8 characters"),
       keyAuthId: z.string(),
-      workspaceId: z.string(),
     }),
   )
   .mutation(async ({ ctx, input }) => {
     const keyAuth = await db.query.keyAuth
       .findFirst({
-        where: (table, { eq }) => eq(table.id, input.keyAuthId),
+        where: (table, { eq, and, isNull }) =>
+          and(eq(table.id, input.keyAuthId), isNull(table.deletedAt)),
+        with: {
+          workspace: true,
+        },
       })
       .catch((_err) => {
         throw new TRPCError({
           code: "INTERNAL_SERVER_ERROR",
-          message: "We were unable to find KeyAuth. Please try again or contact [email protected].",
+          message:
+            "We were unable to update the key auth. Please try again or contact [email protected]",
         });
       });
-    if (!keyAuth || keyAuth.workspaceId !== input.workspaceId) {
+    if (!keyAuth || keyAuth.workspace.tenantId !== ctx.tenant.id) {
       throw new TRPCError({
         code: "NOT_FOUND",
         message:
-          "We are unable to find the correct keyAuth. Please try again or contact [email protected]",
+          "We are unable to find the correct key auth. Please try again or contact [email protected].",
       });
     }
+
     await db
       .transaction(async (tx) => {
         await tx
           .update(schema.keyAuth)
           .set({
             defaultPrefix: input.defaultPrefix,
           })
-          .where(eq(schema.keyAuth.id, input.keyAuthId))
+          .where(eq(schema.keyAuth.id, keyAuth.id))
           .catch((_err) => {
             throw new TRPCError({
               code: "INTERNAL_SERVER_ERROR",
@@ -48,13 +53,13 @@ export const setDefaultApiPrefix = t.procedure
             });
           });
         await insertAuditLogs(tx, {
-          workspaceId: keyAuth.workspaceId,
+          workspaceId: keyAuth.workspace.id,
           actor: {
             type: "user",
             id: ctx.user.id,
           },
           event: "api.update",
-          description: `Changed ${keyAuth.workspaceId} default prefix from ${keyAuth.defaultPrefix} to ${input.defaultPrefix}`,
+          description: `Changed ${keyAuth.id} default prefix from ${keyAuth.defaultPrefix} to ${input.defaultPrefix}`,
           resources: [
             {
               type: "keyAuth",