samuliasmala · anttiasmala · May 17, 2024 · Apr 4, 2024 · Apr 4, 2024 · Apr 4, 2024
diff --git a/.env.example b/.env.example
@@ -1,3 +1 @@
 DATABASE_URL="postgresql://databaseusername:databasepassword@localhost:5432/mydb?schema=public" # README.md's section "Setting the environment variables" will help with this
-POSTGRES_USERNAME="databaseusername" # Postgres database's username. It is same as DATABASE_URL's databaseusername
-POSTGRES_PASSWORD="databasepassword" # Postgres database's password. It is same as DATABASE_URL's databasepassword
diff --git a/backend/auth.ts b/backend/auth.ts
@@ -2,51 +2,50 @@ import { PrismaAdapter } from '@lucia-auth/adapter-prisma';
 import type { IncomingMessage, ServerResponse } from 'http';
 import { Lucia, TimeSpan } from 'lucia';
 import prisma from '~/prisma';
-import type { CreateSession, User } from '~/shared/types';
-import type { Session } from 'lucia';
+import type { PrismaUser, User } from '~/shared/types';
+import type { Session, User as LuciaUser } from 'lucia';
 
 export const adapter = new PrismaAdapter(prisma.session, prisma.user);
 
 export const lucia = new Lucia(adapter, {
-  sessionExpiresIn: new TimeSpan(14, 'd'),
+  sessionExpiresIn: new TimeSpan(1, 'h'),
   sessionCookie: {
     attributes: {
       secure: process.env.NODE_ENV === 'production',
     },
   },
-  getUserAttributes({
-    createdAt,
-    email,
-    firstName,
-    lastName,
-    updatedAt,
-    uuid,
-  }: User): User {
-    return {
-      uuid: uuid,
-      firstName: firstName,
-      lastName: lastName,
-      email: email,
-      createdAt: createdAt,
-      updatedAt: updatedAt,
-    };
+  getUserAttributes(user): User {
+    const { uuid, firstName, lastName, email, createdAt, updatedAt } = user;
+    return { uuid, firstName, lastName, email, createdAt, updatedAt };
+  },
+});
+
+export const luciaLongSession = new Lucia(adapter, {
+  sessionExpiresIn: new TimeSpan(30, 'd'),
+  sessionCookie: {
+    attributes: {
+      secure: process.env.NODE_ENV === 'production',
+    },
+  },
+  getUserAttributes(user): User {
+    const { uuid, firstName, lastName, email, createdAt, updatedAt } = user;
+    return { uuid, firstName, lastName, email, createdAt, updatedAt };
   },
 });
 
 declare module 'lucia' {
   interface Register {
     Lucia: typeof lucia;
-    DatabaseUserAttributes: DatabaseUserAttributes;
-    DatabaseSessionAttributes: DatabaseSessionAttributes;
+    DatabaseUserAttributes: PrismaUser;
   }
 }
-interface DatabaseUserAttributes extends User {}
-interface DatabaseSessionAttributes extends CreateSession {}
 
 export async function validateRequest(
   req: IncomingMessage,
   res: ServerResponse,
-): Promise<{ user: User; session: Session } | { user: null; session: null }> {
+): Promise<
+  { user: LuciaUser; session: Session } | { user: null; session: null }
+> {
   const sessionId = lucia.readSessionCookie(req.headers.cookie ?? '');
   if (!sessionId) {
     return {

diff --git a/pages/api/auth/login.ts b/pages/api/auth/login.ts
@@ -1,21 +1,11 @@
 import type { NextApiRequest, NextApiResponse } from 'next';
-import { adapter, lucia as luciaShortSession } from '~/backend/auth';
+import { luciaLongSession, lucia as luciaShortSession } from '~/backend/auth';
 import { handleError } from '~/backend/handleError';
 import { HttpError } from '~/backend/HttpError';
 import { UserLoginDetails } from '~/shared/types';
 import { verifyPassword } from '~/backend/utils';
 import { isEmailValid, isPasswordValid } from '~/shared/isValidFunctions';
 import prisma from '~/prisma';
-import { Lucia, TimeSpan } from 'lucia';
-
-const luciaLongSession = new Lucia(adapter, {
-  sessionExpiresIn: new TimeSpan(30, 'd'),
-  sessionCookie: {
-    attributes: {
-      secure: process.env.NODE_ENV === 'production',
-    },
-  },
-});
 
 export default async function handleR(
   req: NextApiRequest,

diff --git a/pages/api/gifts/[uuid].ts b/pages/api/gifts/[uuid].ts
@@ -3,11 +3,14 @@ import { NextApiRequest, NextApiResponse } from 'next';
 import prisma from '~/prisma';
 import { handleError } from '~/backend/handleError';
 import { HttpError } from '~/backend/HttpError';
+import { validateRequest } from '~/backend/auth';
+import { User as LuciaUser } from 'lucia';
 
 type HandlerParams<ResponseType = unknown> = {
   req: NextApiRequest;
   res: NextApiResponse<ResponseType>;
-  queryUUID: string;
+  giftUUID: string;
+  userData: LuciaUser;
 };
 
 const HANDLERS: Record<string, (params: HandlerParams) => Promise<void>> = {
@@ -22,13 +25,23 @@ export default async function handlePrisma(
   res: NextApiResponse,
 ) {
   try {
+    const validationRequest = await validateRequest(req, res);
+    if (!validationRequest.session || !validationRequest.user) {
+      throw new HttpError('You are unauthorized!', 401);
+    }
+    const userData = validationRequest.user;
     const reqHandler = req.method !== undefined && HANDLERS[req.method];
     if (reqHandler) {
       if (typeof req.query.uuid !== 'string') {
         throw new HttpError('Invalid ID', 400);
       }
-      const queryUUID = req.query.uuid;
-      await reqHandler({ req, res, queryUUID });
+      const giftUUID = req.query.uuid;
+      await reqHandler({
+        req,
+        res,
+        giftUUID,
+        userData,
+      });
     } else {
       throw new HttpError(
         `${req.method} is not a valid method. GET, PATCH, PUT and DELETE request are valid.`,
@@ -40,10 +53,15 @@ export default async function handlePrisma(
   }
 }
 
-async function handleGET({ res, queryUUID }: HandlerParams<Gift>) {
+async function handleGET({ res, giftUUID, userData }: HandlerParams<Gift>) {
   const gift = await prisma.gift.findUniqueOrThrow({
     where: {
-      uuid: queryUUID,
+      uuid: giftUUID,
+      AND: {
+        user: {
+          uuid: userData.uuid,
+        },
+      },
-      AND: {
-        user: {
-          uuid: userData.uuid,
-        },
-      },
+      userUUID: userData.uuid,
-      AND: {
-        user: {
-          uuid: userData.uuid,
-        },
-      },
+      userUUID: userData.uuid,
     },
     select: {
       createdAt: true,
@@ -56,12 +74,22 @@ async function handleGET({ res, queryUUID }: HandlerParams<Gift>) {
   return res.status(200).json(gift);
 }
 
-async function handlePATCH({ req, res, queryUUID }: HandlerParams<Gift>) {
+async function handlePATCH({
+  req,
+  res,
+  giftUUID,
+  userData,
+}: HandlerParams<Gift>) {
   const newGiftData = req.body as Gift;
 
   const updatedGift = await prisma.gift.update({
     where: {
-      uuid: queryUUID,
+      uuid: giftUUID,
+      AND: {
+        user: {
+          uuid: userData.uuid,
+        },
+      },
     },
     data: {
       receiver: newGiftData.receiver,
@@ -79,12 +107,22 @@ async function handlePATCH({ req, res, queryUUID }: HandlerParams<Gift>) {
   return res.status(200).json(updatedGift);
 }
 
-async function handlePUT({ req, res, queryUUID }: HandlerParams<Gift>) {
+async function handlePUT({
+  req,
+  res,
+  giftUUID,
+  userData,
+}: HandlerParams<Gift>) {
   const newGiftData = req.body as Gift;
 
   const updatedGift = await prisma.gift.update({
     where: {
-      uuid: queryUUID,
+      uuid: giftUUID,
+      AND: {
+        user: {
+          uuid: userData.uuid,
+        },
+      },
     },
     data: newGiftData,
     select: {
@@ -99,10 +137,15 @@ async function handlePUT({ req, res, queryUUID }: HandlerParams<Gift>) {
   return res.status(200).json(updatedGift);
 }
 
-async function handleDELETE({ res, queryUUID }: HandlerParams) {
+async function handleDELETE({ res, giftUUID, userData }: HandlerParams) {
   await prisma.gift.delete({
     where: {
-      uuid: queryUUID,
+      uuid: giftUUID,
+      AND: {
+        user: {
+          uuid: userData.uuid,
+        },
+      },
     },
   });
 

diff --git a/pages/api/gifts/index.ts b/pages/api/gifts/index.ts
@@ -3,10 +3,16 @@ import { CreateGift, Gift } from '~/shared/types';
 import prisma from '~/prisma';
 import { handleError } from '~/backend/handleError';
 import { HttpError } from '~/backend/HttpError';
+import { validateRequest } from '~/backend/auth';
+import { User as LuciaUser } from 'lucia';
 
 const HANDLER: Record<
   string,
-  (req: NextApiRequest, res: NextApiResponse) => Promise<void>
+  (
+    req: NextApiRequest,
+    res: NextApiResponse,
+    userData: LuciaUser,
+  ) => Promise<void>
 > = {
   GET: handleGET,
   POST: handlePOST,
@@ -17,9 +23,13 @@ export default async function handlePrisma(
   res: NextApiResponse,
 ) {
   try {
+    const validationRequest = await validateRequest(req, res);
+    if (!validationRequest.session || !validationRequest.user) {
+      throw new HttpError('You are unauthorized!', 401);
+    }
     const reqHandler = req.method !== undefined && HANDLER[req.method];
     if (reqHandler) {
-      await reqHandler(req, res);
+      await reqHandler(req, res, validationRequest.user);
     } else {
       throw new HttpError(
         `${req.method} is not a valid method. Only GET and POST requests are valid!`,
@@ -31,7 +41,11 @@ export default async function handlePrisma(
   }
 }
 
-async function handleGET(req: NextApiRequest, res: NextApiResponse<Gift[]>) {
+async function handleGET(
+  req: NextApiRequest,
+  res: NextApiResponse<Gift[]>,
+  userData: LuciaUser,
+) {
   const gifts = await prisma.gift.findMany({
     select: {
       createdAt: true,
@@ -40,17 +54,29 @@ async function handleGET(req: NextApiRequest, res: NextApiResponse<Gift[]>) {
       updatedAt: true,
       uuid: true,
     },
+    where: {
+      userUUID: userData.uuid,
+    },
   });
 
   return res.status(200).json(gifts);
 }
 
-async function handlePOST(req: NextApiRequest, res: NextApiResponse<Gift>) {
+async function handlePOST(
+  req: NextApiRequest,
+  res: NextApiResponse<Gift>,
+  userData: LuciaUser,
+) {
   const giftData = req.body as CreateGift;
   const addedGift = await prisma.gift.create({
     data: {
       gift: giftData.gift,
       receiver: giftData.receiver,
+      user: {
+        connect: {
+          uuid: userData.uuid,
+        },
+      },
     },
     select: {
       createdAt: true,