NextJS API: Removed support for dev-only GET requests.

Author: schrodingersket

src/packages/next/lib/api/get-params.ts

@@ -1,32 +1,14 @@
 import type { Request } from "express";
 
-export default function getParams(
-  req: Request,
-  { allowGet }: { allowGet?: boolean } = {}
-): { [param: string]: any } {
+export default function getParams(req: Request): { [param: string]: any } {
   if (req?.method == "POST") {
     return new Proxy(
       {},
       {
         get(_, key) {
           return req.body?.[key];
         },
-      }
-    );
-  } else if (allowGet && req?.method == "GET") {
-    // allowGet is NOT enabled by default, since this could lead to a sneaky click on a link attack.
-    // Should only be enabled for dev purposes or for specific endpoints where making the api call
-    // doesn't potential leak private information.
-    return new Proxy(
-      {},
-      {
-        get(_, key) {
-          if (typeof key != "string") {
-            return undefined;
-          }
-          return req.query?.[key];
-        },
-      }
+      },
     );
   } else {
     // only support params for POST requests.

src/packages/next/pages/api/v2/compute/get-images-google.ts

@@ -27,9 +27,7 @@ async function get(req) {
   if (!account_id) {
     throw Error("must be signed in");
   }
-  let { noCache } = getParams(req, {
-    allowGet: true,
-  });
+  let { noCache } = getParams(req);
   if (noCache) {
     // NOTE: only admins can specify noCache
     if (!(await userIsInGroup(account_id, "admin"))) {

src/packages/next/pages/api/v2/compute/get-images.ts

@@ -27,9 +27,7 @@ async function get(req) {
   if (!account_id) {
     throw Error("must be signed in");
   }
-  let { noCache } = getParams(req, {
-    allowGet: true,
-  });
+  let { noCache } = getParams(req);
   if (noCache) {
     // NOTE: only admins can specify noCache
     if (!(await userIsInGroup(account_id, "admin"))) {

src/packages/next/pages/api/v2/compute/get-log.ts

@@ -26,9 +26,7 @@ async function get(req) {
   if (!account_id) {
     throw Error("must be signed in");
   }
-  const { id } = getParams(req, {
-    allowGet: true,
-  });
+  const { id } = getParams(req);
   return await getEventLog({ id, account_id });
 }
 

src/packages/next/pages/api/v2/compute/get-serial-port-output.ts

@@ -31,9 +31,7 @@ async function get(req) {
     throw Error("user must be signed in");
   }
   // id of the server
-  const { id } = getParams(req, {
-    allowGet: true,
-  });
+  const { id } = getParams(req);
   const server = await getServerNoCheck(id);
 
   if (

src/packages/next/pages/api/v2/compute/get-server-title.ts

@@ -26,9 +26,7 @@ async function get(req) {
   if (!account_id) {
     throw Error("must be signed in");
   }
-  const { id } = getParams(req, {
-    allowGet: true,
-  });
+  const { id } = getParams(req);
   return await getTitle({ id, account_id });
 }
 

src/packages/next/pages/api/v2/compute/get-servers.ts

@@ -26,9 +26,7 @@ async function get(req) {
   if (!account_id) {
     throw Error("must be signed in");
   }
-  const { project_id, id } = getParams(req, {
-    allowGet: true,
-  });
+  const { project_id, id } = getParams(req);
   return await getServers({
     account_id,
     project_id,

src/packages/next/pages/api/v2/compute/scripts.ts

@@ -11,9 +11,7 @@ import {
   getStopScript,
   getDeprovisionScript,
 } from "@cocalc/server/compute/control";
-import {
-  getAccountWithApiKey as getProjectIdWithApiKey,
-} from "@cocalc/server/api/manage";
+import { getAccountWithApiKey as getProjectIdWithApiKey } from "@cocalc/server/api/manage";
 import getParams from "lib/api/get-params";
 import getPool from "@cocalc/database/pool";
 
@@ -23,7 +21,6 @@ import {
   ComputeServerScriptsOutputSchema,
 } from "lib/api/schema/compute/scripts";
 
-
 async function handle(req, res) {
   try {
     res.send(await get(req));
@@ -34,7 +31,7 @@ async function handle(req, res) {
 }
 
 export async function get(req) {
-  const { api_key, id: id0, action } = getParams(req, { allowGet: true });
+  const { api_key, id: id0, action } = getParams(req);
   // use api_key to get project, and also verify access:
   const id = parseInt(id0);
   return await getScript({ api_key, id, action });
@@ -85,7 +82,7 @@ export default apiRoute({
   scripts: apiRouteOperation({
     method: "POST",
     openApiOperation: {
-      tags: ["Compute"]
+      tags: ["Compute"],
     },
   })
     .input({

src/packages/next/pages/api/v2/jupyter/execute.ts

@@ -37,9 +37,7 @@ export default async function handle(req, res) {
 
 async function doIt(req) {
   const { input, kernel, history, tag, noCache, hash, project_id, path } =
-    getParams(req, {
-      allowGet: true,
-    });
+    getParams(req);
   const account_id = await getAccountId(req);
   const analytics_cookie = req.cookies[analytics_cookie_name];
   return await execute({

src/packages/next/pages/api/v2/jupyter/kernels.ts

@@ -10,9 +10,7 @@ import getParams from "lib/api/get-params";
 import getAccountId from "lib/account/get-account";
 
 export default async function handle(req, res) {
-  const { project_id } = getParams(req, {
-    allowGet: true,
-  });
+  const { project_id } = getParams(req);
   const account_id = project_id != null ? await getAccountId(req) : undefined;
   try {
     res.json({