fix security

src/components/ModalComponent.tsx

@@ -91,6 +91,7 @@ const ModalComponent = (props: Props) => {
       body: JSON.stringify({
         pageToScreenshot: `/project/preview/${e.id}-${e.projectName}`,
         id: e.id,
+        accessToken: props.accessToken,
       }),
     })
     props.setModalLoading(false)
@@ -157,6 +158,7 @@ const ModalComponent = (props: Props) => {
     const data = {
       id: e.id,
       projectName: text as string,
+      accessToken: props.accessToken,
     }
 
     const response = await fetch('/api/project/updateProjectName', {

src/components/editor/ComponentPreview.test.tsx

@@ -96,6 +96,7 @@ test.each(componentsToTest)('Component Preview for %s', componentName => {
   // @ts-ignore
   const store = init(storeConfig)
   store.dispatch.components.addComponent({
+    //@ts-ignore
     parentName: 'root',
     type: componentName,
     rootParentType: componentName,

src/pages/api/project/takeScreenShot.ts

@@ -43,6 +43,7 @@ export default async function TakeScreenshot(
     let screenBodyData = {
       id: req.body.id,
       screen,
+      accessToken: req.body.accessToken,
     }
 
     await fetch(baseUrl + '/api/project/updateScreenShot', {

src/pages/api/project/updateProjectName.ts

@@ -7,19 +7,35 @@ export default async function UpdateProjectName(
 ) {
   let ts = new Date()
   try {
-    await prisma.project.update({
+    const projects = await prisma.session.findUnique({
       where: {
-        id: req.body.id,
-      },
-      data: {
-        projectName: req.body.projectName,
-        updatedAt: ts.toISOString(),
+        accessToken: req.body.accessToken,
       },
     })
-    res.status(201)
-    res.json({
-      success: 'Update project name to database successfully !',
+
+    const userProject = await prisma.project.findUnique({
+      where: {
+        id: req.body.id,
+      },
     })
+    if (userProject?.userId === projects?.userId) {
+      await prisma.project.update({
+        where: {
+          id: req.body.id,
+        },
+        data: {
+          projectName: req.body.projectName,
+          updatedAt: ts.toISOString(),
+        },
+      })
+      res.status(201)
+      res.json({
+        success: 'Update project name to database successfully !',
+      })
+    } else {
+      res.status(500)
+      res.json({ error: 'Sorry this is not your project' })
+    }
   } catch (e) {
     res.status(500)
     res.json({ error: 'Sorry unable to update project name to database' })

src/pages/api/project/updateScreenShot.ts

@@ -8,19 +8,36 @@ export default async function UpdateScreenshot(
   let ts = new Date()
 
   try {
-    await prisma.project.update({
+    const projects = await prisma.session.findUnique({
       where: {
-        id: req.body.id,
-      },
-      data: {
-        thumbnail: `data:image/png;base64, ${req.body.screen}`,
-        updatedAt: ts.toISOString(),
+        accessToken: req.body.accessToken,
       },
     })
-    res.status(201)
-    res.json({
-      success: 'Update project screenshot to database successfully !',
+
+    const userProject = await prisma.project.findUnique({
+      where: {
+        id: req.body.id,
+      },
     })
+
+    if (userProject?.userId === projects?.userId) {
+      await prisma.project.update({
+        where: {
+          id: req.body.id,
+        },
+        data: {
+          thumbnail: `data:image/png;base64, ${req.body.screen}`,
+          updatedAt: ts.toISOString(),
+        },
+      })
+      res.status(201)
+      res.json({
+        success: 'Update project screenshot to database successfully !',
+      })
+    } else {
+      res.status(500)
+      res.json({ error: 'Sorry this is not your project' })
+    }
   } catch (e) {
     res.status(500)
     res.json({ error: 'Sorry unable to update project screenshot to database' })