Merge branch 'master' into db-merge-test

pages/api/accounts/[id]/password.js

@@ -17,7 +17,7 @@ export default async (req, res) => {
   const { current_password, new_password } = req.body;
   const { id: accountUuid } = req.query;
 
-  if (!(await allowQuery(req, TYPE_ACCOUNT))) {
+  if (!(await allowQuery(req, TYPE_ACCOUNT, false))) {
     return unauthorized(res);
   }
 

pages/api/collect.js

@@ -1,7 +1,7 @@
 const { Resolver } = require('dns').promises;
 import isbot from 'isbot';
 import ipaddr from 'ipaddr.js';
-import { createToken, unauthorized, send, badRequest, forbidden } from 'next-basics';
+import { createToken, ok, send, badRequest, forbidden } from 'next-basics';
 import { savePageView, saveEvent } from 'queries';
 import { useCors, useSession } from 'lib/middleware';
 import { getJsonBody, getIpAddress } from 'lib/request';
@@ -11,7 +11,7 @@ export default async (req, res) => {
   await useCors(req, res);
 
   if (isbot(req.headers['user-agent']) && !process.env.DISABLE_BOT_CHECK) {
-    return unauthorized(res);
+    return ok(res);
   }
 
   const ignoreIps = process.env.IGNORE_IP;

pages/api/realtime/init.js

@@ -1,5 +1,5 @@
 import { subMinutes } from 'date-fns';
-import { ok, methodNotAllowed, createToken } from 'next-basics';
+import { ok, unauthorized, methodNotAllowed, createToken } from 'next-basics';
 import { useAuth } from 'lib/middleware';
 import { getUserWebsites, getRealtimeData } from 'queries';
 import { secret } from 'lib/crypto';
@@ -10,6 +10,10 @@ export default async (req, res) => {
   if (req.method === 'GET') {
     const { userId } = req.auth;
 
+    if (!userId) {
+      return unauthorized(res);
+    }
+
     const websites = await getUserWebsites({ userId });
     const ids = websites.map(({ websiteUuid }) => websiteUuid);
     const token = createToken({ websites: ids }, secret());

pages/api/websites/[id]/index.js

@@ -10,17 +10,21 @@ export default async (req, res) => {
 
   const { id: websiteUuid } = req.query;
 
-  if (!(await allowQuery(req, TYPE_WEBSITE))) {
-    return unauthorized(res);
-  }
-
   if (req.method === 'GET') {
+    if (!(await allowQuery(req, TYPE_WEBSITE))) {
+      return unauthorized(res);
+    }
+
     const website = await getWebsite({ websiteUuid });
 
     return ok(res, website);
   }
 
   if (req.method === 'POST') {
+    if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
+      return unauthorized(res);
+    }
+
     const { name, domain, owner, enableShareUrl, shareId } = req.body;
     const { accountUuid } = req.auth;
 
@@ -43,7 +47,7 @@ export default async (req, res) => {
         {
           name,
           domain,
-          shareId: shareId ? shareId : newShareId,
+          shareId: shareId && enableShareUrl === undefined ? shareId : newShareId,
           userId: +owner || account.id,
         },
         { websiteUuid },
@@ -58,7 +62,7 @@ export default async (req, res) => {
   }
 
   if (req.method === 'DELETE') {
-    if (!(await allowQuery(req, TYPE_WEBSITE))) {
+    if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
       return unauthorized(res);
     }
 

pages/api/websites/[id]/reset.js

@@ -11,7 +11,7 @@ export default async (req, res) => {
   const { id: websiteId } = req.query;
 
   if (req.method === 'POST') {
-    if (!(await allowQuery(req, TYPE_WEBSITE))) {
+    if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
       return unauthorized(res);
     }
 

pages/api/websites/index.js

@@ -7,6 +7,7 @@ export default async (req, res) => {
   await useAuth(req, res);
 
   const { user_id, include_all } = req.query;
+
   const { userId: currentUserId, isAdmin } = req.auth;
   const accountUuid = user_id || req.auth.accountUuid;
   let account;
@@ -18,7 +19,7 @@ export default async (req, res) => {
   const userId = account ? account.id : user_id;
 
   if (req.method === 'GET') {
-    if (userId && userId !== currentUserId && !isAdmin) {
+    if (!userId || (userId !== currentUserId && !isAdmin)) {
       return unauthorized(res);
     }