Fixed share token check.

lib/auth.js

@@ -50,12 +50,9 @@ export function isValidToken(token, validation) {
 export async function allowQuery(req, type) {
   const { id } = req.query;
 
-  const {
+  const { user, shareToken } = req.auth;
-    user: { id: userId, isAdmin },
-    shareToken,
-  } = req.auth;
 
-  if (isAdmin) {
+  if (user?.isAdmin) {
     return true;
   }
 
@@ -63,11 +60,11 @@ export async function allowQuery(req, type) {
     return isValidToken(shareToken, { id });
   }
 
-  if (userId) {
+  if (user?.id) {
     if (type === TYPE_WEBSITE) {
       const website = await getWebsite({ id });
 
-      return website && website.userId === userId;
+      return website && website.userId === user.id;
     } else if (type === TYPE_USER) {
       const user = await getUser({ id });
 

lib/middleware.js

@@ -29,12 +29,12 @@ export const useAuth = createMiddleware(async (req, res, next) => {
   const payload = parseSecureToken(token, secret());
   const shareToken = await parseShareToken(req);
 
-  let user;
+  let user = null;
   const { userId, key } = payload || {};
 
   if (validate(userId)) {
     user = await getUser({ id: userId });
-  } else if (redis.enabled) {
+  } else if (redis.enabled && key) {
     user = await redis.get(key);
   }