chore: securing updates (#392)

chat-game · Jan 7, 2025 · e0ca74b · e0ca74b
1 parent 717dfef
commit e0ca74b
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 24 deletions.
diff --git a/apps/website/server/api/profile/[id]/streamer/index.post.ts b/apps/website/server/api/profile/[id]/streamer/index.post.ts
diff --git a/apps/website/server/middleware/01.auth.ts b/apps/website/server/middleware/01.auth.ts
@@ -1,9 +1,4 @@
 export default defineEventHandler(async (event) => {
-  // Payment webhook dont need auth
-  if (event.path.startsWith('/api/payment/webhook')) {
-    return
-  }
-
   if (event.method === 'OPTIONS') {
     event.headers.set('Access-Control-Allow-Origin', '*')
     event.headers.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, PATCH, OPTIONS')
@@ -13,5 +8,24 @@ export default defineEventHandler(async (event) => {
   const session = await getUserSession(event)
   if (session?.user) {
     // Already authenticated
+    return
+  }
+
+  // Payment webhook dont need auth
+  if (event.path.startsWith('/api/payment/webhook')) {
+    return
+  }
+
+  // Telegram routes dont need basic auth
+  if (event.path.startsWith('/api/telegram')) {
+    return
+  }
+
+  if (event.method !== 'GET') {
+    // Secured, but without auth
+    return createError({
+      statusCode: 401,
+      statusMessage: 'Unauthorized',
+    })
   }
 })