API security updates.

pages/api/website/[id]/events.js

@@ -1,21 +1,28 @@
 import moment from 'moment-timezone';
 import { getEvents } from 'lib/queries';
-import { ok, badRequest } from 'lib/response';
+import { ok, badRequest, methodNotAllowed } from 'lib/response';
+import { useAuth } from 'lib/middleware';
 
 const unitTypes = ['month', 'hour', 'day'];
 
 export default async (req, res) => {
-  const { id, start_at, end_at, unit, tz } = req.query;
+  await useAuth(req, res);
 
-  if (!moment.tz.zone(tz) || !unitTypes.includes(unit)) {
-    return badRequest(res);
+  if (req.method === 'GET') {
+    const { id, start_at, end_at, unit, tz } = req.query;
+
+    if (!moment.tz.zone(tz) || !unitTypes.includes(unit)) {
+      return badRequest(res);
+    }
+
+    const websiteId = +id;
+    const startDate = new Date(+start_at);
+    const endDate = new Date(+end_at);
+
+    const events = await getEvents(websiteId, startDate, endDate, tz, unit);
+
+    return ok(res, events);
   }
 
-  const websiteId = +id;
-  const startDate = new Date(+start_at);
-  const endDate = new Date(+end_at);
-
-  const events = await getEvents(websiteId, startDate, endDate, tz, unit);
-
-  return ok(res, events);
+  return methodNotAllowed(res);
 };