fix: check chat/vote ownership during actions (#847)

jeremyphilemon · web-flow · commit a378757d3b29 · 2025-03-05T10:03:17.000-08:00
diff --git a/app/(chat)/api/chat/route.ts b/app/(chat)/api/chat/route.ts
@@ -58,7 +58,12 @@ export async function POST(request: Request) {
       const title = await generateTitleFromUserMessage({
         message: userMessage,
       });
+
       await saveChat({ id, userId: session.user.id, title });
+    } else {
+      if (chat.userId !== session.user.id) {
+        return new Response('Unauthorized', { status: 401 });
+      }
     }
 
     await saveMessages({
diff --git a/app/(chat)/api/document/route.ts b/app/(chat)/api/document/route.ts
@@ -67,6 +67,7 @@ export async function POST(request: Request) {
 
     return Response.json(document, { status: 200 });
   }
+
   return new Response('Unauthorized', { status: 401 });
 }
 
diff --git a/app/(chat)/api/vote/route.ts b/app/(chat)/api/vote/route.ts
@@ -1,5 +1,5 @@
 import { auth } from '@/app/(auth)/auth';
-import { getVotesByChatId, voteMessage } from '@/lib/db/queries';
+import { getChatById, getVotesByChatId, voteMessage } from '@/lib/db/queries';
 
 export async function GET(request: Request) {
   const { searchParams } = new URL(request.url);
@@ -15,6 +15,16 @@ export async function GET(request: Request) {
     return new Response('Unauthorized', { status: 401 });
   }
 
+  const chat = await getChatById({ id: chatId });
+
+  if (!chat) {
+    return new Response('Chat not found', { status: 404 });
+  }
+
+  if (chat.userId !== session.user.id) {
+    return new Response('Unauthorized', { status: 401 });
+  }
+
   const votes = await getVotesByChatId({ id: chatId });
 
   return Response.json(votes, { status: 200 });
@@ -38,6 +48,16 @@ export async function PATCH(request: Request) {
     return new Response('Unauthorized', { status: 401 });
   }
 
+  const chat = await getChatById({ id: chatId });
+
+  if (!chat) {
+    return new Response('Chat not found', { status: 404 });
+  }
+
+  if (chat.userId !== session.user.id) {
+    return new Response('Unauthorized', { status: 401 });
+  }
+
   await voteMessage({
     chatId,
     messageId,
diff --git a/playwright.config.ts b/playwright.config.ts
@@ -29,7 +29,7 @@ export default defineConfig({
   /* Fail the build on CI if you accidentally left test.only in the source code. */
   forbidOnly: !!process.env.CI,
   /* Retry on CI only */
-  retries: process.env.CI ? 2 : 0,
+  retries: process.env.CI ? 2 : 1,
   /* Opt out of parallel tests on CI. */
   workers: process.env.CI ? 1 : undefined,
   /* Reporter to use. See https://playwright.dev/docs/test-reporters */

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,7 @@ export async function POST(request: Request) {`
`67`	`67`
`68`	`68`	`return Response.json(document, { status: 200 });`
`69`	`69`	`}`
	`70`	`+`
`70`	`71`	`return new Response('Unauthorized', { status: 401 });`
`71`	`72`	`}`
`72`	`73`