From c3003e46b1140ed2e2bb6370e8bd478929e4f033 Mon Sep 17 00:00:00 2001
From: briannval
Date: Sat, 17 Feb 2024 07:56:15 -0800
Subject: [PATCH] Fixed profile url exposure

---
 .../(pages)/(auth)/signup/addinfo/page.tsx | 21 ++++++++++------
 .../auth/email-verification/[token]/route.ts | 25 +++++++++++++++++--
 .../api/auth/signup/google/callback/route.ts | 5 +---
 src/lib/lucia.ts | 1 +
 4 files changed, 38 insertions(+), 14 deletions(-)

diff --git a/src/app/(pages)/(auth)/signup/addinfo/page.tsx b/src/app/(pages)/(auth)/signup/addinfo/page.tsx
index f5f6e9b..30485e1 100644
--- a/src/app/(pages)/(auth)/signup/addinfo/page.tsx
+++ b/src/app/(pages)/(auth)/signup/addinfo/page.tsx
@@ -36,7 +36,7 @@ import {ZOD_ERR, DEFAULT_SERVER_ERR} from '@constants/error-messages';
 import axios from 'axios';
 import {useState, useCallback, useEffect} from 'react';
 import {useDropzone, FileRejection} from 'react-dropzone';
-import {setRevalidateHeaders} from 'next/dist/server/send-payload';
+import {getClientSession} from '@utils/getClientSession';
 const schema = z.object({
   skill: z.string().min(1, ZOD_ERR.REQ_FIELD),
@@ -50,7 +50,6 @@ const AddInfo = () => {
   const statusToast = useToast();
   const params = useSearchParams();
   const id = params.get('id');
-  const picture = params.get('picture');
   const {
     handleSubmit,
@@ -132,7 +131,17 @@ const AddInfo = () => {
   const watched = watch();
   useEffect(() => {
-    setValue('profile', picture!);
+    const getUserFromSession = async () => {
+      const session = await getClientSession();
+      return session;
+    };
+
+    const fetchSession = async () => {
+      const session = await getUserFromSession();
+      setValue('profile', session.user.profile);
+    };
+
+    fetchSession();
   }, []);
   return (
@@ -143,11 +152,7 @@ const AddInfo = () => {
 Create your profile - {watched.profile ? ( - ) : ( - )} +
diff --git a/src/app/api/auth/email-verification/[token]/route.ts b/src/app/api/auth/email-verification/[token]/route.ts
index 8c346ce..4be82e3 100644
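Review bot: In the `useEffect` hunk, `fetchSession();` is a floating promise, so a rejected `getClientSession()` surfaces as an unhandled rejection and the form's `profile` value silently stays empty; if `getClientSession()` can resolve without a user for an unauthenticated visitor (its contract is outside this diff), `session.user.profile` also throws inside the effect. The `getUserFromSession` wrapper only re-awaits `getClientSession()` and can be dropped. A cancelled flag keeps a late response from writing into a form that has already unmounted, and listing `setValue` in the dependency array satisfies `react-hooks/exhaustive-deps` without changing when the effect runs. The `AddInfo` component starts and ends outside the hunk.
```tsx
  useEffect(() => {
    let cancelled = false;
    getClientSession()
      .then(session => {
        if (!cancelled && session?.user?.profile) {
          setValue('profile', session.user.profile);
        }
      })
      .catch(() => {
        // leave `profile` unset rather than surface an unhandled rejection
      });
    return () => {
      cancelled = true;
    };
  }, [setValue]);
```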
--- a/src/app/api/auth/email-verification/[token]/route.ts
+++ b/src/app/api/auth/email-verification/[token]/route.ts
@@ -6,7 +6,7 @@ import {auth} from '@lib';
 import {cookies, headers} from 'next/headers';
 export const GET = async (
-  _: NextRequest,
+  request: NextRequest,
   {params: {token}}: {params: {token: string}}
 ) => {
   await connectToDatabase();
@@ -30,6 +30,27 @@ export const GET = async (
         }
       );
+      const userAttributes = {
+        first_name: user.first_name,
+        last_name: user.last_name,
+        email_address: user.email_address,
+        email_verified: user.email_verified,
+        skill: user.skill,
+        instagram: user.instagram,
+        profile: user.profile,
+      };
+
+      const session = await auth.createSession({
+        userId: id,
+        attributes: userAttributes,
+      });
+
+      const authRequest = auth.handleRequest(request.method, {
+        cookies,
+        headers,
+      });
+
+      authRequest.setSession(session);
       success = true;
     }
   } catch (e) {
@@ -37,7 +58,7 @@ export const GET = async (
   }
   if (success) {
-    redirect(`/signup/addinfo?id=${id}&picture=${profile}`);
+    redirect(`/signup/addinfo?id=${id}`);
   } else {
     redirect('/login?confirmation-status=failed');
   }
diff --git a/src/app/api/auth/signup/google/callback/route.ts b/src/app/api/auth/signup/google/callback/route.ts
index c65f699..b141bf6 100644
--- a/src/app/api/auth/signup/google/callback/route.ts
+++ b/src/app/api/auth/signup/google/callback/route.ts
@@ -53,10 +53,7 @@ export const GET = async (request: NextRequest) => {
       });
       authRequest.setSession(session);
       return NextResponse.redirect(
-        new URL(
-          `/signup/addinfo?id=${user.userId}&picture=${googleUser.picture}`,
-          request.url
-        )
+        new URL(`/signup/addinfo?id=${user.userId}`, request.url)
       );
     } catch (e) {
       if (e instanceof OAuthRequestError) {
diff --git a/src/lib/lucia.ts b/src/lib/lucia.ts
index f43ac11..67b759f 100644
--- a/src/lib/lucia.ts
+++ b/src/lib/lucia.ts
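Review bot: In the `@@ -30,6 +30,27 @@` hunk, `auth.createSession` is handed seven user columns as `attributes`; in Lucia v2 those are session attributes persisted on the session row, while `session.user` is populated from `getUserAttributes` in `src/lib/lucia.ts` (the fourth file of this patch), so if the session schema does not declare these columns the call fails, and if it does they are a stale copy — notably `email_verified`, read from a `user` value whose origin is outside the hunk and may predate the update closed just above it. Prefer `const session = await auth.createSession({userId: id, attributes: {}});` unless the session table really carries those columns. Verification is also the point where any session issued during signup should stop being trusted, so `await auth.invalidateAllUserSessions(id);` before `createSession` leaves the post-verification session as the only live one. The handler's `try` block and the `user`/`id` declarations begin before this hunk.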
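Review bot: In the `@@ -37,7 +58,7 @@` hunk the redirect still carries the user id in the query string, and the google callback hunk does the same with `user.userId`; now that `page.tsx` reads the user from the session, `id` is a client-controlled value that the addinfo submit path should not use to choose which user to update — the server should take it from the validated session. That submit handler is outside this diff, so treat this as a check rather than a confirmed defect. With the parameter dropped the lines become `redirect('/signup/addinfo');` here and `new URL('/signup/addinfo', request.url)` in the callback. The `profile` variable used on the removed line is declared outside the hunk and may now be unused in this route.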
@@ -24,6 +24,7 @@ export const auth = lucia({
       email_verified: data.email_verified,
       skill: data.skill,
       instagram: data.instagram,
+      profile: data.profile,
     };
   },
 });
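Review bot: Adding `profile` to `getUserAttributes` is what makes the new `useEffect` in `page.tsx` work, since the stored URL now travels on every validated session's `user` object instead of the redirect URL. If the project declares `Lucia.DatabaseUserAttributes` in a `.d.ts` file (outside this diff), `profile` needs to be added there as well, or `data.profile` will not type-check under `strict`. The list here now mirrors the `userAttributes` literal built in the email-verification route; keeping the field list in one place would stop the two from drifting.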