Add api validations.

pages/api/users/[id]/index.ts

@@ -1,9 +1,10 @@
-import { NextApiRequestQueryBody, Role, User } from 'lib/types';
 import { canDeleteUser, canUpdateUser, canViewUser } from 'lib/auth';
-import { useAuth } from 'lib/middleware';
+import { useAuth, useValidate } from 'lib/middleware';
+import { NextApiRequestQueryBody, Role, User } from 'lib/types';
 import { NextApiResponse } from 'next';
 import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
 import { deleteUser, getUserById, getUserByUsername, updateUser } from 'queries';
+import * as yup from 'yup';
 
 export interface UserRequestQuery {
   id: string;
@@ -15,12 +16,27 @@ export interface UserRequestBody {
   role: Role;
 }
 
+const schema = {
+  GET: yup.object().shape({
+    id: yup.string().uuid().required(),
+  }),
+  POST: yup.object().shape({
+    id: yup.string().uuid().required(),
+    username: yup.string().max(255),
+    password: yup.string(),
+    role: yup.string().matches(/admin|user|view-only/i),
+  }),
+};
+
 export default async (
   req: NextApiRequestQueryBody<UserRequestQuery, UserRequestBody>,
   res: NextApiResponse<User>,
 ) => {
   await useAuth(req, res);
 
+  req.yup = schema;
+  await useValidate(req, res);
+
   const {
     user: { id: userId, isAdmin },
   } = req.auth;

pages/api/users/[id]/teams.ts

@@ -1,9 +1,10 @@
-import { useAuth, useCors } from 'lib/middleware';
+import { useAuth, useCors, useValidate } from 'lib/middleware';
 import { NextApiRequestQueryBody, SearchFilter, TeamSearchFilterType } from 'lib/types';
+import { getFilterValidation } from 'lib/yup';
 import { NextApiResponse } from 'next';
 import { methodNotAllowed, ok, unauthorized } from 'next-basics';
 import { getTeamsByUserId } from 'queries';
-
+import * as yup from 'yup';
 export interface UserTeamsRequestQuery extends SearchFilter<TeamSearchFilterType> {
   id: string;
 }
@@ -14,6 +15,13 @@ export interface UserTeamsRequestBody {
   shareId: string;
 }
 
+const schema = {
+  GET: yup.object().shape({
+    id: yup.string().uuid().required(),
+    ...getFilterValidation('/All|Name|Owner/i'),
+  }),
+};
+
 export default async (
   req: NextApiRequestQueryBody<any, UserTeamsRequestBody>,
   res: NextApiResponse,
@@ -21,6 +29,9 @@ export default async (
   await useCors(req, res);
   await useAuth(req, res);
 
+  req.yup = schema;
+  await useValidate(req, res);
+
   const { user } = req.auth;
   const { id: userId } = req.query;
 

pages/api/users/[id]/usage.ts

@@ -1,8 +1,9 @@
-import { useAuth, useCors } from 'lib/middleware';
+import { useAuth, useCors, useValidate } from 'lib/middleware';
 import { NextApiRequestQueryBody } from 'lib/types';
 import { NextApiResponse } from 'next';
 import { methodNotAllowed, ok, unauthorized } from 'next-basics';
 import { getEventDataUsage, getEventUsage, getUserWebsites } from 'queries';
+import * as yup from 'yup';
 
 export interface UserUsageRequestQuery {
   id: string;
@@ -21,6 +22,14 @@ export interface UserUsageRequestResponse {
   }[];
 }
 
+const schema = {
+  GET: yup.object().shape({
+    id: yup.string().uuid().required(),
+    startAt: yup.number().integer().required(),
+    endAt: yup.number().integer().moreThan(yup.ref('startAt')).required(),
+  }),
+};
+
 export default async (
   req: NextApiRequestQueryBody<UserUsageRequestQuery>,
   res: NextApiResponse<UserUsageRequestResponse>,
@@ -28,6 +37,9 @@ export default async (
   await useCors(req, res);
   await useAuth(req, res);
 
+  req.yup = schema;
+  await useValidate(req, res);
+
   const { user } = req.auth;
 
   if (req.method === 'GET') {

pages/api/users/[id]/websites.ts

@@ -1,25 +1,36 @@
-import { useAuth, useCors } from 'lib/middleware';
+import { useAuth, useCors, useValidate } from 'lib/middleware';
 import { NextApiRequestQueryBody, SearchFilter, WebsiteSearchFilterType } from 'lib/types';
+import { getFilterValidation } from 'lib/yup';
 import { NextApiResponse } from 'next';
 import { methodNotAllowed, ok, unauthorized } from 'next-basics';
 import { getWebsitesByUserId } from 'queries';
+import * as yup from 'yup';
 
 export interface UserWebsitesRequestQuery extends SearchFilter<WebsiteSearchFilterType> {
   id: string;
-}
-export interface UserWebsitesRequestBody {
-  name: string;
-  domain: string;
-  shareId: string;
+  includeTeams?: boolean;
+  onlyTeams?: boolean;
 }
 
+const schema = {
+  GET: yup.object().shape({
+    id: yup.string().uuid().required(),
+    includeTeams: yup.boolean(),
+    onlyTeams: yup.boolean(),
+    ...getFilterValidation(/All|Name|Domain/i),
+  }),
+};
+
 export default async (
-  req: NextApiRequestQueryBody<any, UserWebsitesRequestBody>,
+  req: NextApiRequestQueryBody<UserWebsitesRequestQuery>,
   res: NextApiResponse,
 ) => {
   await useCors(req, res);
   await useAuth(req, res);
 
+  req.yup = schema;
+  await useValidate(req, res);
+
   const { user } = req.auth;
   const { id: userId, page, filter, pageSize, includeTeams, onlyTeams } = req.query;
 

pages/api/users/index.ts

@@ -1,8 +1,9 @@
 import { canCreateUser, canViewUsers } from 'lib/auth';
 import { ROLES } from 'lib/constants';
 import { uuid } from 'lib/crypto';
-import { useAuth } from 'lib/middleware';
+import { useAuth, useValidate } from 'lib/middleware';
 import { NextApiRequestQueryBody, Role, SearchFilter, User, UserSearchFilterType } from 'lib/types';
+import { getFilterValidation } from 'lib/yup';
 import { NextApiResponse } from 'next';
 import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
 import { createUser, getUserByUsername, getUsers } from 'queries';
@@ -15,12 +16,31 @@ export interface UsersRequestBody {
   role?: Role;
 }
 
+import * as yup from 'yup';
+const schema = {
+  GET: yup.object().shape({
+    ...getFilterValidation(/All|Username/i),
+  }),
+  POST: yup.object().shape({
+    username: yup.string().max(255).required(),
+    password: yup.string().required(),
+    id: yup.string().uuid(),
+    role: yup
+      .string()
+      .matches(/admin|user|view-only/i)
+      .required(),
+  }),
+};
+
 export default async (
   req: NextApiRequestQueryBody<UsersRequestQuery, UsersRequestBody>,
   res: NextApiResponse<User[] | User>,
 ) => {
   await useAuth(req, res);
 
+  req.yup = schema;
+  await useValidate(req, res);
+
   if (req.method === 'GET') {
     if (!(await canViewUsers(req.auth))) {
       return unauthorized(res);
@@ -28,7 +48,7 @@ export default async (
 
     const { page, filter, pageSize } = req.query;
 
-    const users = await getUsers({ page, filter, pageSize: +pageSize || null });
+    const users = await getUsers({ page, filter, pageSize: pageSize ? +pageSize : null });
 
     return ok(res, users);
   }