hotfix: cannot authorize (#662)

Author: aster-void

common/zod/schemas.ts

@@ -78,7 +78,7 @@ export const DaySchema = z.enum([
   "other",
 ]);
 
-export const PeriodSchema = z.number().min(0).max(6);
+export const PeriodSchema = z.coerce.number().min(0).max(6);
 
 export const SlotSchema = z.object({
   day: DaySchema,

server/src/firebase/auth/lib.ts

@@ -10,7 +10,7 @@ type DecodedIdToken = admin.DecodedIdToken;
 // REQUIRE: cookieParser middleware before this
 // THROWS: if idToken is not present in request cookie, or when the token is not valid.
 export async function getGUID(c: Context): Promise<GUID> {
-  const idToken = c.req.query("token");
+  const idToken = c.req.header("Authorization");
   if (typeof idToken !== "string") error("token not found in query", 401);
   return await getGUIDFromToken(idToken);
 }

test/server.spec.ts

@@ -29,7 +29,11 @@ test("/users/exists", async () => {
 test("basic auth", async () => {
   let res = await GET("/users/me");
   expect(res.status).toBe(401);
-  res = await GET(`/users/me?token=${MOCK_TOKEN}`);
+  res = await GET("/users/me", {
+    headers: {
+      Authorization: MOCK_TOKEN,
+    },
+  });
   expect(res.status).toBe(200);
   const json = await res.json();
   expect(json.name).toBe("田中太郎");
@@ -42,15 +46,27 @@ test("send request", async () => {
   res = await PUT("/requests/send/102");
   expect(res.status).toBe(401);
 
-  res = await GET(`/users/pending/from-me?token=${MOCK_TOKEN}`);
+  res = await GET("/users/pending/from-me", {
+    headers: {
+      Authorization: MOCK_TOKEN,
+    },
+  });
   expect(res.status).toBe(200);
   expect(await res.json()).toSatisfy((s) => s.length === 0);
   // starting actual request
 
-  res = await PUT(`/requests/send/102?token=${MOCK_TOKEN}`);
+  res = await PUT("/requests/send/102", {
+    headers: {
+      Authorization: MOCK_TOKEN,
+    },
+  });
   expect(res.status).toBe(201);
 
-  res = await GET(`/users/pending/from-me?token=${MOCK_TOKEN}`);
+  res = await GET("/users/pending/from-me", {
+    headers: {
+      Authorization: MOCK_TOKEN,
+    },
+  });
   expect(await res.json()).toSatisfy(
     (s) => s.length === 1 && s[0].name === "山田花子",
   );

web/api/internal/fetch-func.ts

@@ -8,10 +8,11 @@ export async function uploadImage(path: string, file: File): Promise<URL> {
   if (file.size >= MAX_IMAGE_SIZE) {
     throw new Error("画像のアップロードに失敗しました: 画像が大きすぎます");
   }
-  const res = await fetch(`${path}?token=${await getIdToken()}`, {
+  const res = await fetch(path, {
     method: "POST",
     headers: {
       "Content-Type": "image/png",
+      Authorization: await getIdToken(),
     },
     body: file,
   });

web/firebase/auth/lib.ts

@@ -34,20 +34,18 @@ export async function credFetch(
   path: string,
   body?: unknown,
 ): Promise<Response> {
-  let idToken = await getIdToken();
+  const idToken = await getIdToken();
   const init: RequestInit = { method };
   if (body) {
     init.body = JSON.stringify(body);
     init.headers = {
       "Content-Type": "application/json",
+      Authorization: idToken,
+    };
+  } else {
+    init.headers = {
+      Authorization: idToken,
     };
   }
-  let res = await fetch(`${path}?token=${idToken}`, init);
-
-  if (res.status === 401) {
-    idToken = await getIdToken();
-    res = await fetch(`${path}?token=${idToken}`, init);
-  }
-
-  return res;
+  return await fetch(path, init);
 }