⚡perf: add demo mode middleware preventing malicious deletion

blinko-space · blinko-space · commit eb435f7368dd · 2024-11-08T14:58:11.000+08:00
diff --git a/src/server/routers/note.ts b/src/server/routers/note.ts
@@ -1,4 +1,4 @@
-import { router, authProcedure } from '../trpc';
+import { router, authProcedure, demoAuthMiddleware } from '../trpc';
 import { z } from 'zod';
 import { prisma } from '../prisma';
 import { Prisma } from '@prisma/client';
@@ -203,7 +203,7 @@ export const noteRouter = router({
       }
       return await prisma.notes.updateMany({ where: { id: { in: ids } }, data: update })
     }),
-  deleteMany: authProcedure
+  deleteMany: authProcedure.use(demoAuthMiddleware)
     .input(z.object({
       ids: z.array(z.number())
     }))
diff --git a/src/server/routers/tag.ts b/src/server/routers/tag.ts
@@ -1,4 +1,4 @@
-import { router, authProcedure } from '../trpc';
+import { router, authProcedure, demoAuthMiddleware } from '../trpc';
 import { z } from 'zod';
 import { prisma } from '../prisma';
 import { caller } from './_app';
@@ -51,7 +51,7 @@ export const tagRouter = router({
       const { id, icon } = input
       return await prisma.tag.update({ where: { id }, data: { icon } })
     }),
-  deleteOnlyTag: authProcedure
+  deleteOnlyTag: authProcedure.use(demoAuthMiddleware)
     .input(z.object({
       id: z.number()
     }))
@@ -67,7 +67,7 @@ export const tagRouter = router({
       await prisma.tag.delete({ where: { id } })
       return true
     }),
-  deleteTagWithAllNote: authProcedure
+  deleteTagWithAllNote: authProcedure.use(demoAuthMiddleware)
     .input(z.object({
       id: z.number()
     }))
diff --git a/src/server/trpc.ts b/src/server/trpc.ts
@@ -22,16 +22,30 @@ export const t = initTRPC.meta<OpenApiMeta>().context<Context>().create({
 
 export const router = t.router;
 export const publicProcedure = t.procedure;
-export const authProcedure = t.procedure.use(async ({ctx, next}) => {
-    if (!ctx.ok) {
-        throw new TRPCError({
-            code: "UNAUTHORIZED",
-            message: 'Unauthorized'
-        })
-    }
-    return next({
-        ctx
+export const authProcedure = t.procedure.use(async ({ ctx, next }) => {
+  if (!ctx.ok) {
+    throw new TRPCError({
+      code: "UNAUTHORIZED",
+      message: 'Unauthorized'
     })
+  }
+  return next({
+    ctx
+  })
 })
 
+
+export const demoAuthMiddleware = t.middleware(async ({ ctx, next }) => {
+  if (process.env.IS_DEMO) {
+    throw new TRPCError({
+      code: "FORBIDDEN",
+      message: 'The operation is rejected because this is a demo environment'
+    })
+  }
+  return next({
+    ctx
+  });
+});
+
+
 export const mergeRouters = t.mergeRouters;
