monoadmin/remotelink-docker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
27673daa63684e9cd1a28bc10555f0cca041e674
remotelink-docker/app/api/sessions/[id]/route.ts
monoadmin 27673daa63 Fix critical and high security issues 
- exec_script: relay now enforces admin role before forwarding to agent
- relay CORS: restrict allow_origins via ALLOWED_ORIGINS env var (docker-compose passes app URL)
- session-code: replace Math.random() with crypto.randomInt, add per-key rate limit (10 req/min)
- sessions GET: fix IDOR — users can only read their own sessions (admins see all)
- signal API: validate session ownership on create; enforce ownerUserId on all subsequent actions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 23:38:03 -07:00

59 lines
1.6 KiB
TypeScript
Raw Blame History

import { auth } from '@/auth'
import { db } from '@/lib/db'
import { sessions } from '@/lib/db/schema'
import { eq, and } from 'drizzle-orm'
import { NextRequest, NextResponse } from 'next/server'
export async function GET(
_request: NextRequest,
{ params }: { params: Promise<{ id: string }> }
) {
const authSession = await auth()
if (!authSession?.user?.id) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const { id } = await params
const isAdmin = (authSession.user as { role?: string }).role === 'admin'
const result = await db
.select()
.from(sessions)
.where(
isAdmin
? eq(sessions.id, id)
: and(eq(sessions.id, id), eq(sessions.viewerUserId, authSession.user.id))
)
.limit(1)
if (!result[0]) {
return NextResponse.json({ error: 'Session not found' }, { status: 404 })
}
return NextResponse.json({ session: result[0] })
}
export async function PATCH(
request: NextRequest,
{ params }: { params: Promise<{ id: string }> }
) {
const authSession = await auth()
if (!authSession?.user?.id) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const { id } = await params
const body = await request.json()
const updates: Record<string, unknown> = {}
if (body.endedAt !== undefined) updates.endedAt = body.endedAt ? new Date(body.endedAt) : new Date()
if (body.durationSeconds !== undefined) updates.durationSeconds = body.durationSeconds
await db
.update(sessions)
.set(updates)
.where(and(eq(sessions.id, id), eq(sessions.viewerUserId, authSession.user.id)))
return NextResponse.json({ success: true })
}
Reference in New Issue View Git Blame Copy Permalink