Fix missing authentication check for invite revocation (#1666)

* Fix missing authentication check for invite revocation * Toast invite revocation error
2024-11-30 19:08:30 +01:00 · 2024-11-30 19:08:30 +01:00 · 0837460c53
commit 0837460c53
parent 55d1f2c952
2 changed files with 21 additions and 6 deletions
--- a/api/resolvers/invite.js
+++ b/api/resolvers/invite.js
@ -1,7 +1,7 @@
 import { inviteSchema, validateSchema } from '@/lib/validate'
 import { msatsToSats } from '@/lib/format'
 import assertApiKeyNotPermitted from './apiKey'
-import { GqlAuthenticationError } from '@/lib/error'
+import { GqlAuthenticationError, GqlInputError } from '@/lib/error'

 export default {
  Query: {
@ -46,10 +46,17 @@ export default {
        throw new GqlAuthenticationError()
      }

-      return await models.invite.update({
-        where: { id },
-        data: { revoked: true }
-      })
+      try {
+        return await models.invite.update({
+          where: { id, userId: me.id },
+          data: { revoked: true }
+        })
+      } catch (err) {
+        if (err.code === 'P2025') {
+          throw new GqlInputError('invite not found')
+        }
+        throw err
+      }
    }
  },

--- a/components/invite.js
+++ b/components/invite.js
@ -2,6 +2,7 @@ import { CopyInput } from './form'
 import { gql, useMutation } from '@apollo/client'
 import { INVITE_FIELDS } from '@/fragments/invites'
 import styles from '@/styles/invites.module.css'
+import { useToast } from '@/components/toast'

 export default function Invite ({ invite, active }) {
  const [revokeInvite] = useMutation(
@ -13,6 +14,7 @@ export default function Invite ({ invite, active }) {
        }
      }`
  )
+  const toaster = useToast()

  return (
    <div
@ -33,7 +35,13 @@ export default function Invite ({ invite, active }) {
              <span> \ </span>
              <span
                className={styles.revoke}
-                onClick={() => revokeInvite({ variables: { id: invite.id } })}
+                onClick={async () => {
+                  try {
+                    await revokeInvite({ variables: { id: invite.id } })
+                  } catch (err) {
+                    toaster.danger(err.message)
+                  }
+                }}
              >revoke
              </span>
            </>)