improve: authenticate addItem requests (#242)

src/controllers/custom/addItemController.ts

@@ -1,3 +1,4 @@
+import { getAccountIdForRequest } from "@/src/services/loginService";
 import { ItemType, toAddItemRequest } from "@/src/helpers/customHelpers/addItemHelpers";
 import { getWeaponType } from "@/src/services/itemDataService";
 import { addPowerSuit, addWeapon } from "@/src/services/inventoryService";
@@ -5,16 +6,17 @@ import { RequestHandler } from "express";
 
 // eslint-disable-next-line @typescript-eslint/no-misused-promises
 const addItemController: RequestHandler = async (req, res) => {
+    const accountId = await getAccountIdForRequest(req);
     const request = toAddItemRequest(req.body);
 
     switch (request.type) {
         case ItemType.Powersuit:
-            const powersuit = await addPowerSuit(request.InternalName, request.accountId);
+            const powersuit = await addPowerSuit(request.InternalName, accountId);
             res.json(powersuit);
             return;
         case ItemType.Weapon:
             const weaponType = getWeaponType(request.InternalName);
-            const weapon = await addWeapon(weaponType, request.InternalName, request.accountId);
+            const weapon = await addWeapon(weaponType, request.InternalName, accountId);
             res.json(weapon);
             break;
         default:

src/helpers/customHelpers/addItemHelpers.ts

@@ -21,7 +21,6 @@ const parseItemType = (itemType: unknown): ItemType => {
 interface IAddItemRequest {
     type: ItemType;
     InternalName: string;
-    accountId: string;
 }
 export const isInternalItemName = (internalName: string): boolean => {
     const item = items.find(i => i.uniqueName === internalName);
@@ -41,11 +40,10 @@ export const toAddItemRequest = (body: unknown): IAddItemRequest => {
         throw new Error("incorrect or missing add item request data");
     }
 
-    if ("type" in body && "internalName" in body && "accountId" in body) {
+    if ("type" in body && "internalName" in body) {
         return {
             type: parseItemType(body.type),
-            InternalName: parseInternalItemName(body.internalName),
+            InternalName: parseInternalItemName(body.internalName)
-            accountId: parseString(body.accountId)
         };
     }
 

static/webui/script.js

@@ -266,12 +266,11 @@ function doAcquireWarframe() {
     }
     revalidateAuthz(() => {
         const req = $.post({
-            url: "/custom/addItem",
+            url: "/custom/addItem?" + window.authz,
             contentType: "application/json",
             data: JSON.stringify({
                 type: "Powersuit",
-                internalName: uniqueName,
+                internalName: uniqueName
-                accountId: window.accountId
             })
         });
         req.done(() => {
@@ -293,12 +292,11 @@ function doAcquireWeapon() {
     }
     revalidateAuthz(() => {
         const req = $.post({
-            url: "/custom/addItem",
+            url: "/custom/addItem?" + window.authz,
             contentType: "application/json",
             data: JSON.stringify({
                 type: "Weapon",
-                internalName: uniqueName,
+                internalName: uniqueName
-                accountId: window.accountId
             })
         });
         req.done(() => {