fix: private songs not being accessible by the uploader

Author: Bentroen

server/src/song/song.service.ts

@@ -260,9 +260,7 @@ export class SongService {
     publicId: string,
     user: UserDocument | null,
   ): Promise<SongViewDto> {
-    const foundSong = await this.songModel
-      .findOne({ publicId: publicId })
-      .populate('uploader', 'username profileImage -_id');
+    const foundSong = await this.songModel.findOne({ publicId: publicId });
 
     if (!foundSong) {
       throw new HttpException('Song not found', HttpStatus.NOT_FOUND);
@@ -282,7 +280,12 @@ export class SongService {
     foundSong.playCount++;
     await foundSong.save();
 
-    return SongViewDto.fromSongDocument(foundSong);
+    const populatedSong = await foundSong.populate(
+      'uploader',
+      'username profileImage -_id',
+    );
+
+    return SongViewDto.fromSongDocument(populatedSong);
   }
 
   // TODO: service should not handle HTTP -> https://www.reddit.com/r/node/comments/uoicw1/should_i_return_status_code_from_service_layer/

web/src/app/(content)/song/[id]/page.tsx

@@ -1,5 +1,6 @@
 import { SongViewDtoType } from '@shared/validation/song/dto/types';
 import type { Metadata } from 'next';
+import { cookies } from 'next/headers';
 
 import axios from '@web/src/lib/axios';
 import { SongPage } from '@web/src/modules/song/components/SongPage';
@@ -16,9 +17,21 @@ export async function generateMetadata({
   let song;
   const publicUrl = process.env.NEXT_PUBLIC_URL;
 
+  const cookieStore = await cookies();
+  const token = cookieStore.get('token')?.value || null;
+
+  const headers: Record<string, string> = {};
+
+  if (token) {
+    headers.Authorization = `Bearer ${token}`;
+  }
+
   try {
-    const response = await axios.get<SongViewDtoType>(`/song/${params.id}`);
-    song = response.data;
+    const response = await axios.get<SongViewDtoType>(`/song/${params.id}`, {
+      headers,
+    });
+
+    song = await response.data;
   } catch {
     return {
       title: 'Unknown song!',

web/src/modules/song/components/SongPage.tsx

@@ -1,5 +1,6 @@
 import { SongPreviewDto } from '@shared/validation/song/dto/SongPreview.dto';
 import { SongViewDtoType } from '@shared/validation/song/dto/types';
+import { cookies } from 'next/headers';
 import Image from 'next/image';
 
 import axios from '@web/src/lib/axios';
@@ -21,8 +22,21 @@ import { formatTimeAgo } from '../../shared/util/format';
 export async function SongPage({ id }: { id: string }) {
   let song;
 
+  // get 'token' cookie from headers
+  const cookieStore = await cookies();
+  const token = cookieStore.get('token')?.value || null;
+
+  const headers: Record<string, string> = {};
+
+  if (token) {
+    headers.Authorization = `Bearer ${token}`;
+  }
+
   try {
-    const response = await axios.get<SongViewDtoType>(`/song/${id}`);
+    const response = await axios.get<SongViewDtoType>(`/song/${id}`, {
+      headers,
+    });
+
     song = await response.data;
   } catch {
     return <ErrorBox message='An error occurred while retrieving the song' />;