Add api validations.

2026-02-13 09:05:36 +01:00 · 2023-08-19 22:23:15 -07:00 · 2023-08-19 22:23:15 -07:00 · 7a7233ead4
commit 7a7233ead4
parent 7d5a24044a
41 changed files with 690 additions and 180 deletions
--- a/pages/api/teams/[id]/users/[userId].ts
+++ b/pages/api/teams/[id]/users/[userId].ts
@ -1,18 +1,28 @@
 import { canDeleteTeamUser } from 'lib/auth';
-import { useAuth } from 'lib/middleware';
+import { useAuth, useValidate } from 'lib/middleware';
 import { NextApiRequestQueryBody } from 'lib/types';
 import { NextApiResponse } from 'next';
 import { methodNotAllowed, ok, unauthorized } from 'next-basics';
 import { deleteTeamUser } from 'queries';
-
+import * as yup from 'yup';
 export interface TeamUserRequestQuery {
  id: string;
  userId: string;
 }

+const schema = {
+  DELETE: yup.object().shape({
+    id: yup.string().uuid().required(),
+    userId: yup.string().uuid().required(),
+  }),
+};
+
 export default async (req: NextApiRequestQueryBody<TeamUserRequestQuery>, res: NextApiResponse) => {
  await useAuth(req, res);

+  req.yup = schema;
+  await useValidate(req, res);
+
  if (req.method === 'DELETE') {
    const { id: teamId, userId } = req.query;

--- a/pages/api/teams/[id]/users/index.ts
+++ b/pages/api/teams/[id]/users/index.ts
@ -1,9 +1,9 @@
-import { canUpdateTeam, canViewTeam } from 'lib/auth';
+import { canViewTeam } from 'lib/auth';
 import { useAuth } from 'lib/middleware';
 import { NextApiRequestQueryBody, SearchFilter, TeamSearchFilterType } from 'lib/types';
 import { NextApiResponse } from 'next';
-import { badRequest, methodNotAllowed, ok, unauthorized } from 'next-basics';
-import { createTeamUser, getUserByUsername, getUsersByTeamId } from 'queries';
+import { methodNotAllowed, ok, unauthorized } from 'next-basics';
+import { getUsersByTeamId } from 'queries';

 export interface TeamUserRequestQuery extends SearchFilter<TeamSearchFilterType> {
  id: string;
@ -38,24 +38,5 @@ export default async (
    return ok(res, users);
  }

-  if (req.method === 'POST') {
-    if (!(await canUpdateTeam(req.auth, teamId))) {
-      return unauthorized(res, 'You must be the owner of this team.');
-    }
-
-    const { email, roleId: roleId } = req.body;
-
-    // Check for User
-    const user = await getUserByUsername(email);
-
-    if (!user) {
-      return badRequest(res, 'The User does not exists.');
-    }
-
-    const updated = await createTeamUser(user.id, teamId, roleId);
-
-    return ok(res, updated);
-  }
-
  return methodNotAllowed(res);
 };