From c1af9a3c5c879f03eee22f71b7adf0d562f26756 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?O=C4=9Fuzhan=20Olguncu?= <21091016+ogzhanolguncu@users.noreply.github.com> Date: Fri, 6 Dec 2024 22:54:58 +0300 Subject: [PATCH] fix: keys setting vulns (#2718) * fix: keys setting vulns * fix: check workspace ownership * fix: check workspace ownership --------- Co-authored-by: chronark --- .../apis/[apiId]/settings/default-bytes.tsx | 4 ---- .../apis/[apiId]/settings/default-prefix.tsx | 5 +---- .../lib/trpc/routers/api/setDefaultBytes.ts | 19 ++++++++++------- .../lib/trpc/routers/api/setDefaultPrefix.ts | 21 ++++++++++++------- 4 files changed, 25 insertions(+), 24 deletions(-) diff --git a/apps/dashboard/app/(app)/apis/[apiId]/settings/default-bytes.tsx b/apps/dashboard/app/(app)/apis/[apiId]/settings/default-bytes.tsx index 995d3b6572..92a7b7f77a 100644 --- a/apps/dashboard/app/(app)/apis/[apiId]/settings/default-bytes.tsx +++ b/apps/dashboard/app/(app)/apis/[apiId]/settings/default-bytes.tsx @@ -19,7 +19,6 @@ import { useForm } from "react-hook-form"; import { z } from "zod"; const formSchema = z.object({ keyAuthId: z.string(), - workspaceId: z.string(), defaultBytes: z .number() .min(8, "Byte size needs to be at least 8") @@ -30,7 +29,6 @@ const formSchema = z.object({ type Props = { keyAuth: { id: string; - workspaceId: string; defaultBytes: number | undefined | null; }; }; @@ -42,7 +40,6 @@ export const DefaultBytes: React.FC = ({ keyAuth }) => { defaultValues: { defaultBytes: keyAuth.defaultBytes ?? undefined, keyAuthId: keyAuth.id, - workspaceId: keyAuth.workspaceId, }, }); @@ -78,7 +75,6 @@ export const DefaultBytes: React.FC = ({ keyAuth }) => {
- = ({ keyAuth }) => { defaultValues: { defaultPrefix: keyAuth.defaultPrefix ?? undefined, keyAuthId: keyAuth.id, - workspaceId: keyAuth.workspaceId, }, }); @@ -71,7 +69,6 @@ export const DefaultPrefix: React.FC = ({ keyAuth }) => {
- { const keyAuth = await db.query.keyAuth .findFirst({ - where: (table, { eq }) => eq(table.id, input.keyAuthId), + where: (table, { eq, and, isNull }) => + and(eq(table.id, input.keyAuthId), isNull(table.deletedAt)), + with: { + workspace: true, + }, }) .catch((_err) => { throw new TRPCError({ code: "INTERNAL_SERVER_ERROR", message: - "We were unable to find the KeyAuth. Please try again or contact support@unkey.dev.", + "We were unable to update the key auth. Please try again or contact support@unkey.dev", }); }); - if (!keyAuth || keyAuth.workspaceId !== input.workspaceId) { + if (!keyAuth || keyAuth.workspace.tenantId !== ctx.tenant.id) { throw new TRPCError({ code: "NOT_FOUND", message: - "We are unable to find the correct keyAuth. Please try again or contact support@unkey.dev", + "We are unable to find the correct key auth. Please try again or contact support@unkey.dev.", }); } await db @@ -44,7 +47,7 @@ export const setDefaultApiBytes = t.procedure .set({ defaultBytes: input.defaultBytes, }) - .where(eq(schema.keyAuth.id, input.keyAuthId)) + .where(eq(schema.keyAuth.id, keyAuth.id)) .catch((_err) => { throw new TRPCError({ code: "INTERNAL_SERVER_ERROR", @@ -53,13 +56,13 @@ export const setDefaultApiBytes = t.procedure }); }); await insertAuditLogs(tx, { - workspaceId: keyAuth.workspaceId, + workspaceId: keyAuth.workspace.id, actor: { type: "user", id: ctx.user.id, }, event: "api.update", - description: `Changed ${keyAuth.workspaceId} default byte size for keys from ${keyAuth.defaultBytes} to ${input.defaultBytes}`, + description: `Changed ${keyAuth.id} default byte size for keys from ${keyAuth.defaultBytes} to ${input.defaultBytes}`, resources: [ { type: "keyAuth", diff --git a/apps/dashboard/lib/trpc/routers/api/setDefaultPrefix.ts b/apps/dashboard/lib/trpc/routers/api/setDefaultPrefix.ts index b28406dc8e..d5f6feeeae 100644 --- a/apps/dashboard/lib/trpc/routers/api/setDefaultPrefix.ts +++ b/apps/dashboard/lib/trpc/routers/api/setDefaultPrefix.ts @@ -11,27 +11,32 @@ export const setDefaultApiPrefix = t.procedure z.object({ defaultPrefix: z.string().max(8, "Prefix can be a maximum of 8 characters"), keyAuthId: z.string(), - workspaceId: z.string(), }), ) .mutation(async ({ ctx, input }) => { const keyAuth = await db.query.keyAuth .findFirst({ - where: (table, { eq }) => eq(table.id, input.keyAuthId), + where: (table, { eq, and, isNull }) => + and(eq(table.id, input.keyAuthId), isNull(table.deletedAt)), + with: { + workspace: true, + }, }) .catch((_err) => { throw new TRPCError({ code: "INTERNAL_SERVER_ERROR", - message: "We were unable to find KeyAuth. Please try again or contact support@unkey.dev.", + message: + "We were unable to update the key auth. Please try again or contact support@unkey.dev", }); }); - if (!keyAuth || keyAuth.workspaceId !== input.workspaceId) { + if (!keyAuth || keyAuth.workspace.tenantId !== ctx.tenant.id) { throw new TRPCError({ code: "NOT_FOUND", message: - "We are unable to find the correct keyAuth. Please try again or contact support@unkey.dev", + "We are unable to find the correct key auth. Please try again or contact support@unkey.dev.", }); } + await db .transaction(async (tx) => { await tx @@ -39,7 +44,7 @@ export const setDefaultApiPrefix = t.procedure .set({ defaultPrefix: input.defaultPrefix, }) - .where(eq(schema.keyAuth.id, input.keyAuthId)) + .where(eq(schema.keyAuth.id, keyAuth.id)) .catch((_err) => { throw new TRPCError({ code: "INTERNAL_SERVER_ERROR", @@ -48,13 +53,13 @@ export const setDefaultApiPrefix = t.procedure }); }); await insertAuditLogs(tx, { - workspaceId: keyAuth.workspaceId, + workspaceId: keyAuth.workspace.id, actor: { type: "user", id: ctx.user.id, }, event: "api.update", - description: `Changed ${keyAuth.workspaceId} default prefix from ${keyAuth.defaultPrefix} to ${input.defaultPrefix}`, + description: `Changed ${keyAuth.id} default prefix from ${keyAuth.defaultPrefix} to ${input.defaultPrefix}`, resources: [ { type: "keyAuth",