fix: protect admin routes (#1941)

HugoRCD · web-flow · commit 2076ca17ffee · 2025-06-18T14:22:50.000+02:00
diff --git a/server/api/auth/github.get.ts b/server/api/auth/github.get.ts
@@ -1,28 +1,8 @@
-interface TeamMember {
-  login: string
-}
-
-const getCoreMembers = cachedFunction(async () => {
-  return await $fetch<TeamMember[]>('https://api.nuxt.com/teams/core')
-}, {
-  maxAge: 60 * 60, // 1 hour
-  getKey: () => 'core-members'
-})
-
 export default defineOAuthGitHubEventHandler({
   async onSuccess(event, { user }) {
-    const coreMembers = await getCoreMembers()
-    if (!coreMembers) {
-      throw createError({
-        statusCode: 500,
-        statusMessage: 'Failed to fetch core team members.'
-      })
-    }
-
-    const userLogin = user.login.toLowerCase()
-    const coreTeamHasUser = coreMembers.some(member => member.login.toLowerCase() === userLogin)
+    const adminMember = await isCoreTeamMember(user.login.toLowerCase())
 
-    if (!coreTeamHasUser) {
+    if (!adminMember) {
       return sendRedirect(event, '/admin/login?error=access-denied')
     }
 
diff --git a/server/api/feedback/[id].delete.ts b/server/api/feedback/[id].delete.ts
@@ -6,6 +6,8 @@ const deleteParamsSchema = z.object({
 })
 
 export default defineEventHandler(async (event) => {
+  await requireUserSession(event)
+
   const { id } = await getValidatedRouterParams(event, deleteParamsSchema.parse)
 
   const drizzle = useDrizzle()
diff --git a/server/api/feedback/index.get.ts b/server/api/feedback/index.get.ts
@@ -1,4 +1,6 @@
-export default defineEventHandler(async () => {
+export default defineEventHandler(async (event) => {
+  await requireUserSession(event)
+
   const drizzle = useDrizzle()
 
   return await drizzle.query.feedback.findMany()
diff --git a/server/utils/team.ts b/server/utils/team.ts
@@ -0,0 +1,19 @@
+export const getCoreMembers = cachedFunction(async () => {
+  return await $fetch<{
+    login: string
+  }[]>('https://api.nuxt.com/teams/core')
+}, {
+  maxAge: 60 * 60, // 1 hour
+  getKey: () => 'core-members'
+})
+
+export async function isCoreTeamMember(login: string) {
+  const coreMembers = await getCoreMembers()
+  if (!coreMembers) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Failed to fetch core team members.'
+    })
+  }
+  return coreMembers.some(member => member.login.toLowerCase() === login)
+}
