From e0ca74b9f38a9e82cdb52c99f6cdd2c261f4a23f Mon Sep 17 00:00:00 2001
From: Nick Kosarev
Date: Tue, 7 Jan 2025 20:43:36 +0200
Subject: [PATCH] chore: securing updates (#392)

---
 .../api/profile/[id]/streamer/index.post.ts | 19 ---------------
 apps/website/server/middleware/01.auth.ts | 24 +++++++++++++++----
 2 files changed, 19 insertions(+), 24 deletions(-)
 delete mode 100644 apps/website/server/api/profile/[id]/streamer/index.post.ts

diff --git a/apps/website/server/api/profile/[id]/streamer/index.post.ts b/apps/website/server/api/profile/[id]/streamer/index.post.ts
deleted file mode 100644
index 3e32f3be..00000000
--- a/apps/website/server/api/profile/[id]/streamer/index.post.ts
+++ /dev/null
@@ -1,19 +0,0 @@
-import type { StreamerUpdateResponse } from '@chat-game/types'
-import type { EventHandlerRequest } from 'h3'
-
-export default defineEventHandler>(
- async (event) => {
- const profileId = getRouterParam(event, 'id')
-
- await prisma.profile.update({
- where: { id: profileId },
- data: {
- isStreamer: true,
- },
- })
-
- return {
- ok: true,
- }
- },
-)
diff --git a/apps/website/server/middleware/01.auth.ts b/apps/website/server/middleware/01.auth.ts
index 5ce59e78..f678a604 100644
--- a/apps/website/server/middleware/01.auth.ts
+++ b/apps/website/server/middleware/01.auth.ts
@@ -1,9 +1,4 @@
 export default defineEventHandler(async (event) => {
- // Payment webhook dont need auth
- if (event.path.startsWith('/api/payment/webhook')) {
- return
- }
-
 if (event.method === 'OPTIONS') {
 event.headers.set('Access-Control-Allow-Origin', '*')
 event.headers.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, PATCH, OPTIONS')
@@ -13,5 +8,24 @@ export default defineEventHandler(async (event) => {
 const session = await getUserSession(event)
 if (session?.user) {
 // Already authenticated
+ return
+ }
+
+ // Payment webhook dont need auth
+ if (event.path.startsWith('/api/payment/webhook')) {
+ return
+ }
+
+ // Telegram routes dont need basic auth
+ if (event.path.startsWith('/api/telegram')) {
+ return
+ }
+
+ if (event.method !== 'GET') {
+ // Secured, but without auth
+ return createError({
+ statusCode: 401,
+ statusMessage: 'Unauthorized',
+ })
 }
 })
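Review bot: The two `startsWith` exemptions added in this hunk match on a bare prefix, so any future route whose path merely begins with `/api/telegram` (for example a hypothetical `/api/telegram-admin`) would silently inherit the unauthenticated bypass; anchoring on a path boundary, `event.path === '/api/telegram' || event.path.startsWith('/api/telegram/')`, keeps the allow-list exact, and the same applies to the webhook prefix. The 401 branch uses `return createError(...)`, and whether a returned error object actually short-circuits the request depends on how the framework treats middleware return values; `throw createError({ statusCode: 401, statusMessage: 'Unauthorized' })` is the unambiguous form. Because the final `if` only rejects non-GET requests, an unauthenticated GET falls through to the route handler, so every read endpoint is public by default unless the handler enforces access itself; if that is intended, a comment such as `// GET without a session is allowed through; handlers must enforce their own read access` should say so. The middleware body starts in the preceding hunk.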