Add api validations.

lib/middleware.ts

@@ -1,19 +1,20 @@
+import redis from '@umami/redis-client';
+import cors from 'cors';
+import debug from 'debug';
+import { getAuthToken, parseShareToken } from 'lib/auth';
+import { ROLES } from 'lib/constants';
+import { isUuid, secret } from 'lib/crypto';
+import { findSession } from 'lib/session';
 import {
-  createMiddleware,
-  unauthorized,
   badRequest,
+  createMiddleware,
   parseSecureToken,
   tooManyRequest,
+  unauthorized,
 } from 'next-basics';
-import debug from 'debug';
-import cors from 'cors';
-import redis from '@umami/redis-client';
-import { findSession } from 'lib/session';
-import { getAuthToken, parseShareToken } from 'lib/auth';
-import { secret, isUuid } from 'lib/crypto';
-import { ROLES } from 'lib/constants';
-import { getUserById } from '../queries';
 import { NextApiRequestCollect } from 'pages/api/send';
+import { getUserById } from '../queries';
+import { NextApiRequestQueryBody } from './types';
 
 const log = debug('umami:middleware');
 
@@ -75,3 +76,15 @@ export const useAuth = createMiddleware(async (req, res, next) => {
 
   next();
 });
+
+export const useValidate = createMiddleware(async (req: any, res, next) => {
+  try {
+    const { yup } = req as NextApiRequestQueryBody;
+
+    yup[req.method].validateSync({ ...req.query, ...req.body });
+  } catch (e: any) {
+    return badRequest(res, e.message);
+  }
+
+  next();
+});

lib/types.ts

@@ -5,11 +5,13 @@ import {
   EVENT_TYPE,
   KAFKA_TOPIC,
   REPORT_FILTER_TYPES,
+  REPORT_TYPES,
   ROLES,
   TEAM_FILTER_TYPES,
   USER_FILTER_TYPES,
   WEBSITE_FILTER_TYPES,
 } from './constants';
+import * as yup from 'yup';
 
 type ObjectValues<T> = T[keyof T];
 
@@ -18,6 +20,8 @@ export type Role = ObjectValues<typeof ROLES>;
 export type EventType = ObjectValues<typeof EVENT_TYPE>;
 export type DynamicDataType = ObjectValues<typeof DATA_TYPE>;
 export type KafkaTopic = ObjectValues<typeof KAFKA_TOPIC>;
+export type ReportType = ObjectValues<typeof REPORT_TYPES>;
+
 export type ReportSearchFilterType = ObjectValues<typeof REPORT_FILTER_TYPES>;
 export type UserSearchFilterType = ObjectValues<typeof USER_FILTER_TYPES>;
 export type WebsiteSearchFilterType = ObjectValues<typeof WEBSITE_FILTER_TYPES>;
@@ -47,8 +51,8 @@ export interface ReportSearchFilter extends SearchFilter<ReportSearchFilterType>
 export interface SearchFilter<T> {
   filter?: string;
   filterType?: T;
-  pageSize?: number;
-  page?: number;
+  pageSize: number;
+  page: number;
   orderBy?: string;
 }
 
@@ -76,11 +80,19 @@ export interface Auth {
   };
 }
 
+export interface YupRequest {
+  GET?: yup.ObjectSchema<any>;
+  POST?: yup.ObjectSchema<any>;
+  PUT?: yup.ObjectSchema<any>;
+  DELETE?: yup.ObjectSchema<any>;
+}
+
 export interface NextApiRequestQueryBody<TQuery = any, TBody = any> extends NextApiRequest {
   auth?: Auth;
   query: TQuery & { [key: string]: string | string[] };
   body: TBody;
   headers: any;
+  yup: YupRequest;
 }
 
 export interface NextApiRequestAuth extends NextApiRequest {
@@ -168,7 +180,6 @@ export interface RealtimeUpdate {
 export interface DateRange {
   startDate: Date;
   endDate: Date;
-  unit: string;
   value: string;
 }
 

lib/yup.ts

@@ -0,0 +1,19 @@
+import * as yup from 'yup';
+
+export function getDateRangeValidation() {
+  return {
+    startAt: yup.number().integer().required(),
+    endAt: yup.number().integer().moreThan(yup.ref('startAt')).required(),
+  };
+}
+
+// ex: /funnel|insights|retention/i
+export function getFilterValidation(matchRegex) {
+  return {
+    filter: yup.string(),
+    filterType: yup.string().matches(matchRegex),
+    pageSize: yup.number().integer().positive().max(200),
+    page: yup.number().integer().positive(),
+    orderBy: yup.string(),
+  };
+}

pages/api/auth/login.ts

@@ -1,19 +1,20 @@
+import redis from '@umami/redis-client';
 import debug from 'debug';
+import { setAuthKey } from 'lib/auth';
+import { secret } from 'lib/crypto';
+import { useValidate } from 'lib/middleware';
+import { NextApiRequestQueryBody, User } from 'lib/types';
 import { NextApiResponse } from 'next';
 import {
-  ok,
-  unauthorized,
-  badRequest,
   checkPassword,
   createSecureToken,
-  methodNotAllowed,
   forbidden,
+  methodNotAllowed,
+  ok,
+  unauthorized,
 } from 'next-basics';
-import redis from '@umami/redis-client';
 import { getUserByUsername } from 'queries';
-import { secret } from 'lib/crypto';
-import { NextApiRequestQueryBody, User } from 'lib/types';
-import { setAuthKey } from 'lib/auth';
+import * as yup from 'yup';
 
 const log = debug('umami:auth');
 
@@ -27,6 +28,13 @@ export interface LoginResponse {
   user: User;
 }
 
+const schema = {
+  POST: yup.object().shape({
+    username: yup.string().required(),
+    password: yup.string().required(),
+  }),
+};
+
 export default async (
   req: NextApiRequestQueryBody<any, LoginRequestBody>,
   res: NextApiResponse<LoginResponse>,
@@ -35,13 +43,12 @@ export default async (
     return forbidden(res);
   }
 
+  req.yup = schema;
+  await useValidate(req, res);
+
   if (req.method === 'POST') {
     const { username, password } = req.body;
 
-    if (!username || !password) {
-      return badRequest(res);
-    }
-
     const user = await getUserByUsername(username, { includePassword: true });
 
     if (user && checkPassword(password, user.password)) {

pages/api/event-data/events.ts

@@ -1,26 +1,37 @@
 import { canViewWebsite } from 'lib/auth';
-import { useCors, useAuth } from 'lib/middleware';
+import { useAuth, useCors, useValidate } from 'lib/middleware';
 import { NextApiRequestQueryBody } from 'lib/types';
 import { NextApiResponse } from 'next';
-import { ok, methodNotAllowed, unauthorized } from 'next-basics';
+import { methodNotAllowed, ok, unauthorized } from 'next-basics';
 import { getEventDataEvents } from 'queries';
+import * as yup from 'yup';
 
-export interface EventDataEventsRequestQuery {
+export interface EventDataFieldsRequestQuery {
   websiteId: string;
-  dateRange: {
-    startDate: string;
-    endDate: string;
-  };
-  event?: string;
+  startAt: string;
+  endAt: string;
+  event: string;
 }
 
+const schema = {
+  GET: yup.object().shape({
+    websiteId: yup.string().uuid().required(),
+    startAt: yup.number().integer().required(),
+    endAt: yup.number().integer().moreThan(yup.ref('startAt')).required(),
+    event: yup.string().required(),
+  }),
+};
+
 export default async (
-  req: NextApiRequestQueryBody<EventDataEventsRequestQuery>,
+  req: NextApiRequestQueryBody<EventDataFieldsRequestQuery, any>,
   res: NextApiResponse<any>,
 ) => {
   await useCors(req, res);
   await useAuth(req, res);
 
+  req.yup = schema;
+  await useValidate(req, res);
+
   if (req.method === 'GET') {
     const { websiteId, startAt, endAt, event } = req.query;
 

pages/api/event-data/fields.ts

@@ -1,26 +1,37 @@
 import { canViewWebsite } from 'lib/auth';
-import { useCors, useAuth } from 'lib/middleware';
+import { useAuth, useCors, useValidate } from 'lib/middleware';
 import { NextApiRequestQueryBody } from 'lib/types';
 import { NextApiResponse } from 'next';
-import { ok, methodNotAllowed, unauthorized } from 'next-basics';
+import { methodNotAllowed, ok, unauthorized } from 'next-basics';
 import { getEventDataFields } from 'queries';
+import * as yup from 'yup';
 
 export interface EventDataFieldsRequestQuery {
   websiteId: string;
-  dateRange: {
-    startDate: string;
-    endDate: string;
-  };
+  startAt: string;
+  endAt: string;
   field?: string;
 }
 
+const schema = {
+  GET: yup.object().shape({
+    websiteId: yup.string().uuid().required(),
+    startAt: yup.number().integer().required(),
+    endAt: yup.number().integer().moreThan(yup.ref('startAt')).required(),
+    field: yup.string(),
+  }),
+};
+
 export default async (
   req: NextApiRequestQueryBody<EventDataFieldsRequestQuery>,
   res: NextApiResponse<any>,
 ) => {
   await useCors(req, res);
   await useAuth(req, res);
 
+  req.yup = schema;
+  await useValidate(req, res);
+
   if (req.method === 'GET') {
     const { websiteId, startAt, endAt, field } = req.query;
 

pages/api/event-data/stats.ts

@@ -1,25 +1,34 @@
 import { canViewWebsite } from 'lib/auth';
-import { useCors, useAuth } from 'lib/middleware';
+import { useAuth, useCors, useValidate } from 'lib/middleware';
 import { NextApiRequestQueryBody } from 'lib/types';
 import { NextApiResponse } from 'next';
-import { ok, methodNotAllowed, unauthorized } from 'next-basics';
-import { getEventDataStats } from 'queries';
+import { methodNotAllowed, ok, unauthorized } from 'next-basics';
+import * as yup from 'yup';
 
 export interface EventDataStatsRequestQuery {
   websiteId: string;
-  dateRange: {
-    startDate: string;
-    endDate: string;
-  };
+  startAt: string;
+  endAt: string;
 }
 
+const schema = {
+  GET: yup.object().shape({
+    websiteId: yup.string().uuid().required(),
+    startAt: yup.number().integer().required(),
+    endAt: yup.number().integer().moreThan(yup.ref('startAt')).required(),
+  }),
+};
+
 export default async (
   req: NextApiRequestQueryBody<EventDataStatsRequestQuery>,
   res: NextApiResponse<any>,
 ) => {
   await useCors(req, res);
   await useAuth(req, res);
 
+  req.yup = schema;
+  await useValidate(req, res);
+
   if (req.method === 'GET') {
     const { websiteId, startAt, endAt } = req.query;
 

pages/api/me/password.ts

@@ -1,15 +1,16 @@
+import { useAuth, useValidate } from 'lib/middleware';
 import { NextApiRequestQueryBody, User } from 'lib/types';
-import { useAuth } from 'lib/middleware';
 import { NextApiResponse } from 'next';
 import {
   badRequest,
   checkPassword,
+  forbidden,
   hashPassword,
   methodNotAllowed,
-  forbidden,
   ok,
 } from 'next-basics';
 import { getUserById, updateUser } from 'queries';
+import * as yup from 'yup';
 
 export interface UserPasswordRequestQuery {
   id: string;
@@ -20,6 +21,14 @@ export interface UserPasswordRequestBody {
   newPassword: string;
 }
 
+const schema = {
+  POST: yup.object().shape({
+    id: yup.string().uuid().required(),
+    currentPassword: yup.string().required(),
+    newPassword: yup.string().min(8).required(),
+  }),
+};
+
 export default async (
   req: NextApiRequestQueryBody<UserPasswordRequestQuery, UserPasswordRequestBody>,
   res: NextApiResponse<User>,
@@ -30,6 +39,9 @@ export default async (
 
   await useAuth(req, res);
 
+  req.yup = schema;
+  await useValidate(req, res);
+
   const { currentPassword, newPassword } = req.body;
   const { id } = req.auth.user;