Use token authentication for API requests.

pages/api/share/[id].js

@@ -1,5 +1,6 @@
 import { getWebsiteByShareId } from 'lib/queries';
 import { ok, notFound, methodNotAllowed } from 'lib/response';
+import { createToken } from 'lib/crypto';
 
 export default async (req, res) => {
   const { id } = req.query;
@@ -8,7 +9,10 @@ export default async (req, res) => {
     const website = await getWebsiteByShareId(id);
 
     if (website) {
-      return ok(res, website);
+      const websiteId = website.website_id;
+      const token = await createToken({ website_id: websiteId });
+
+      return ok(res, { websiteId, token });
     }
 
     return notFound(res);

pages/api/website/[id]/active.js

@@ -1,12 +1,18 @@
 import { getActiveVisitors } from 'lib/queries';
-import { methodNotAllowed, ok } from 'lib/response';
+import { methodNotAllowed, ok, unauthorized } from 'lib/response';
+import { allowQuery } from 'lib/auth';
 
 export default async (req, res) => {
   if (req.method === 'GET') {
-    const { id } = req.query;
-    const website_id = +id;
+    if (!(await allowQuery(req))) {
+      return unauthorized(res);
+    }
 
-    const result = await getActiveVisitors(website_id);
+    const { id } = req.query;
+
+    const websiteId = +id;
+
+    const result = await getActiveVisitors(websiteId);
 
     return ok(res, result);
   }

pages/api/website/[id]/events.js

@@ -1,11 +1,16 @@
 import moment from 'moment-timezone';
 import { getEvents } from 'lib/queries';
-import { ok, badRequest, methodNotAllowed } from 'lib/response';
+import { ok, badRequest, methodNotAllowed, unauthorized } from 'lib/response';
+import { allowQuery } from 'lib/auth';
 
 const unitTypes = ['year', 'month', 'hour', 'day'];
 
 export default async (req, res) => {
   if (req.method === 'GET') {
+    if (!(await allowQuery(req))) {
+      return unauthorized(res);
+    }
+
     const { id, start_at, end_at, unit, tz } = req.query;
 
     if (!moment.tz.zone(tz) || !unitTypes.includes(unit)) {

pages/api/website/[id]/index.js

@@ -1,30 +1,30 @@
 import { deleteWebsite, getWebsiteById } from 'lib/queries';
-import { useAuth } from 'lib/middleware';
 import { methodNotAllowed, ok, unauthorized } from 'lib/response';
+import { allowQuery } from 'lib/auth';
 
 export default async (req, res) => {
-  await useAuth(req, res);
+  const { id } = req.query;
 
-  const { user_id, is_admin } = req.auth;
-  const { id, share_id } = req.query;
   const websiteId = +id;
 
-  const website = await getWebsiteById(websiteId);
-
   if (req.method === 'GET') {
-    if (is_admin || website.user_id === user_id || (share_id && website.share_id === share_id)) {
-      return ok(res, website);
+    if (!(await allowQuery(req))) {
+      return unauthorized(res);
     }
-    return unauthorized(res);
+
+    const website = await getWebsiteById(websiteId);
+
+    return ok(res, website);
   }
 
   if (req.method === 'DELETE') {
-    if (is_admin || website.user_id === user_id) {
-      await deleteWebsite(websiteId);
-
-      return ok(res);
+    if (!(await allowQuery(req, true))) {
+      return unauthorized(res);
     }
-    return unauthorized(res);
+
+    await deleteWebsite(websiteId);
+
+    return ok(res);
   }
 
   return methodNotAllowed(res);

pages/api/website/[id]/metrics.js

@@ -1,9 +1,15 @@
 import { getMetrics } from 'lib/queries';
-import { methodNotAllowed, ok } from 'lib/response';
+import { methodNotAllowed, ok, unauthorized } from 'lib/response';
+import { allowQuery } from 'lib/auth';
 
 export default async (req, res) => {
   if (req.method === 'GET') {
+    if (!(await allowQuery(req))) {
+      return unauthorized(res);
+    }
+
     const { id, start_at, end_at } = req.query;
+
     const websiteId = +id;
     const startDate = new Date(+start_at);
     const endDate = new Date(+end_at);

pages/api/website/[id]/pageviews.js

@@ -1,21 +1,26 @@
 import moment from 'moment-timezone';
 import { getPageviews } from 'lib/queries';
-import { ok, badRequest, methodNotAllowed } from 'lib/response';
+import { ok, badRequest, methodNotAllowed, unauthorized } from 'lib/response';
+import { allowQuery } from 'lib/auth';
 
 const unitTypes = ['year', 'month', 'hour', 'day'];
 
 export default async (req, res) => {
   if (req.method === 'GET') {
-    const { id, start_at, end_at, unit, tz } = req.query;
-
-    if (!moment.tz.zone(tz) || !unitTypes.includes(unit)) {
-      return badRequest(res);
+    if (!(await allowQuery(req))) {
+      return unauthorized(res);
     }
 
+    const { id, start_at, end_at, unit, tz } = req.query;
+
     const websiteId = +id;
     const startDate = new Date(+start_at);
     const endDate = new Date(+end_at);
 
+    if (!moment.tz.zone(tz) || !unitTypes.includes(unit)) {
+      return badRequest(res);
+    }
+
     const [pageviews, uniques] = await Promise.all([
       getPageviews(websiteId, startDate, endDate, tz, unit, '*'),
       getPageviews(websiteId, startDate, endDate, tz, unit, 'distinct session_id'),

pages/api/website/[id]/rankings.js

@@ -1,6 +1,7 @@
 import { getRankings } from 'lib/queries';
-import { ok, badRequest, methodNotAllowed } from 'lib/response';
+import { ok, badRequest, methodNotAllowed, unauthorized } from 'lib/response';
 import { DOMAIN_REGEX } from 'lib/constants';
+import { allowQuery } from 'lib/auth';
 
 const sessionColumns = ['browser', 'os', 'device', 'country'];
 const pageviewColumns = ['url', 'referrer'];
@@ -26,7 +27,12 @@ function getColumn(type) {
 
 export default async (req, res) => {
   if (req.method === 'GET') {
+    if (!(await allowQuery(req))) {
+      return unauthorized(res);
+    }
+
     const { id, type, start_at, end_at, domain } = req.query;
+
     const websiteId = +id;
     const startDate = new Date(+start_at);
     const endDate = new Date(+end_at);

pages/api/website/index.js

@@ -15,21 +15,21 @@ export default async (req, res) => {
     if (website_id) {
       const website = await getWebsiteById(website_id);
 
-      if (website.user_id === user_id || is_admin) {
-        let { share_id } = website;
-
-        if (enable_share_url) {
-          share_id = share_id ? share_id : getRandomChars(8);
-        } else {
-          share_id = null;
-        }
-
-        await updateWebsite(website_id, { name, domain, share_id });
-
-        return ok(res);
+      if (website.user_id !== user_id && !is_admin) {
+        return unauthorized(res);
       }
 
-      return unauthorized(res);
+      let { share_id } = website;
+
+      if (enable_share_url) {
+        share_id = share_id ? share_id : getRandomChars(8);
+      } else {
+        share_id = null;
+      }
+
+      await updateWebsite(website_id, { name, domain, share_id });
+
+      return ok(res);
     } else {
       const website_uuid = uuid();
       const share_id = enable_share_url ? getRandomChars(8) : null;

pages/api/websites.js

@@ -7,13 +7,14 @@ export default async (req, res) => {
 
   const { user_id: current_user_id, is_admin } = req.auth;
   const { user_id } = req.query;
+  const userId = +user_id;
 
   if (req.method === 'GET') {
-    if (user_id && !is_admin) {
+    if (userId !== current_user_id && !is_admin) {
       return unauthorized(res);
     }
 
-    const websites = await getUserWebsites(+user_id || current_user_id);
+    const websites = await getUserWebsites(userId || current_user_id);
 
     return ok(res, websites);
   }