improve: authenticate addItem requests (#242)

2024-05-30 13:32:28 +02:00 · 2024-05-30 13:32:28 +02:00 · bc21a4d282
commit bc21a4d282
parent 02e4562daa
3 changed files with 10 additions and 12 deletions
--- a/src/controllers/custom/addItemController.ts
+++ b/src/controllers/custom/addItemController.ts
@ -1,3 +1,4 @@
+import { getAccountIdForRequest } from "@/src/services/loginService";
 import { ItemType, toAddItemRequest } from "@/src/helpers/customHelpers/addItemHelpers";
 import { getWeaponType } from "@/src/services/itemDataService";
 import { addPowerSuit, addWeapon } from "@/src/services/inventoryService";
@ -5,16 +6,17 @@ import { RequestHandler } from "express";

 // eslint-disable-next-line @typescript-eslint/no-misused-promises
 const addItemController: RequestHandler = async (req, res) => {
+    const accountId = await getAccountIdForRequest(req);
    const request = toAddItemRequest(req.body);

    switch (request.type) {
        case ItemType.Powersuit:
-            const powersuit = await addPowerSuit(request.InternalName, request.accountId);
+            const powersuit = await addPowerSuit(request.InternalName, accountId);
            res.json(powersuit);
            return;
        case ItemType.Weapon:
            const weaponType = getWeaponType(request.InternalName);
-            const weapon = await addWeapon(weaponType, request.InternalName, request.accountId);
+            const weapon = await addWeapon(weaponType, request.InternalName, accountId);
            res.json(weapon);
            break;
        default:
--- a/src/helpers/customHelpers/addItemHelpers.ts
+++ b/src/helpers/customHelpers/addItemHelpers.ts
@ -21,7 +21,6 @@ const parseItemType = (itemType: unknown): ItemType => {
 interface IAddItemRequest {
    type: ItemType;
    InternalName: string;
-    accountId: string;
 }
 export const isInternalItemName = (internalName: string): boolean => {
    const item = items.find(i => i.uniqueName === internalName);
@ -41,11 +40,10 @@ export const toAddItemRequest = (body: unknown): IAddItemRequest => {
        throw new Error("incorrect or missing add item request data");
    }

-    if ("type" in body && "internalName" in body && "accountId" in body) {
+    if ("type" in body && "internalName" in body) {
        return {
            type: parseItemType(body.type),
-            InternalName: parseInternalItemName(body.internalName),
-            accountId: parseString(body.accountId)
+            InternalName: parseInternalItemName(body.internalName)
        };
    }

--- a/static/webui/script.js
+++ b/static/webui/script.js
@ -266,12 +266,11 @@ function doAcquireWarframe() {
    }
    revalidateAuthz(() => {
        const req = $.post({
-            url: "/custom/addItem",
+            url: "/custom/addItem?" + window.authz,
            contentType: "application/json",
            data: JSON.stringify({
                type: "Powersuit",
-                internalName: uniqueName,
-                accountId: window.accountId
+                internalName: uniqueName
            })
        });
        req.done(() => {
@ -293,12 +292,11 @@ function doAcquireWeapon() {
    }
    revalidateAuthz(() => {
        const req = $.post({
-            url: "/custom/addItem",
+            url: "/custom/addItem?" + window.authz,
            contentType: "application/json",
            data: JSON.stringify({
                type: "Weapon",
-                internalName: uniqueName,
-                accountId: window.accountId
+                internalName: uniqueName
            })
        });
        req.done(() => {