Update token handling (#4054)

* Update token handling

* add extra layer of verification

* prettier

handlers/rays/dailyRays.ts

@@ -1,5 +1,6 @@
 import { getRaysDailyChallengeData, getRaysDailyChallengeDateFormat } from 'helpers/dailyRays'
 import type { NextApiHandler } from 'next'
+import { verifyAccessToken } from 'pages/api/auth/check-auth'
 import { prisma } from 'server/prisma'
 
 export const dailyRaysGetHandler: NextApiHandler = async (req, res) => {
@@ -8,7 +9,7 @@ export const dailyRaysGetHandler: NextApiHandler = async (req, res) => {
   const { walletAddress } = req.query
   const dailyChallengeData = await prisma.raysDailyChallenge.findUnique({
     where: {
-      address: (walletAddress as string).toLocaleLowerCase(),
+      address: (walletAddress as string).toLowerCase(),
     },
   })
   const calculatedData = getRaysDailyChallengeData(dailyChallengeData?.claimed_dates)
@@ -24,12 +25,22 @@ export const dailyRaysPostHandler: NextApiHandler = async (req, res) => {
     return res.status(400).end()
   }
 
-  const token = req.cookies[`token-${address.toLocaleLowerCase()}`]
+  const token = req.cookies[`token-${address.toLowerCase()}`]
 
   if (!token) {
     return res.status(401).json({ authenticated: false })
   }
 
+  const decoded = verifyAccessToken(token)
+
+  if (!decoded) {
+    return res.status(401).json({ authenticated: false })
+  }
+
+  if (decoded.address.toLowerCase() !== address.toLowerCase()) {
+    return res.status(401).json({ authenticated: false })
+  }
+
   const usersOverview = await fetch(
     `${process.env.FUNCTIONS_API_URL}/api/portfolio/overview?address=${address}`,
   ).then((usersOverviewRes) => usersOverviewRes.json())

handlers/risk/get.ts

@@ -1,4 +1,5 @@
 import type { NextApiRequest, NextApiResponse } from 'next'
+import { verifyAccessToken } from 'pages/api/auth/check-auth'
 import {
   createRiskForAddress,
   selectRiskForAddress,
@@ -109,6 +110,16 @@ export async function getRisk(req: NextApiRequest, res: NextApiResponse) {
     return res.status(401).json({ authenticated: false })
   }
 
+  const decoded = verifyAccessToken(token)
+
+  if (!decoded) {
+    return res.status(401).json({ authenticated: false })
+  }
+
+  if (decoded.address.toLowerCase() !== walletAddress.toLowerCase()) {
+    return res.status(401).json({ authenticated: false })
+  }
+
   if (chainId !== 1) {
     return res.status(200).json({ isRisky: false })
   }

handlers/tos/get.ts

@@ -22,7 +22,9 @@ export async function get(req: NextApiRequest, res: NextApiResponse) {
   } else {
     const decoded = verifyAccessToken(token)
 
-    if (decoded) {
+    if (decoded?.address.toLowerCase() !== walletAddress.toLowerCase()) {
+      authorized = false
+    } else {
       authorized = true
     }
   }

handlers/tos/sign.ts

@@ -23,6 +23,10 @@ export async function sign(req: NextApiRequest, res: NextApiResponse) {
     return res.status(401).json({ authenticated: false })
   }
 
+  if (decoded.address.toLowerCase() !== walletAddress.toLowerCase()) {
+    return res.status(401).json({ authenticated: false })
+  }
+
   const approvalData = {
     address: decoded.address,
     signature: decoded.signature,

handlers/vault/createOrUpdate.ts

@@ -1,5 +1,6 @@
 import type { VaultType } from '@prisma/client'
 import type { NextApiRequest, NextApiResponse } from 'next'
+import { verifyAccessToken } from 'pages/api/auth/check-auth'
 import { prisma } from 'server/prisma'
 import * as z from 'zod'
 
@@ -23,6 +24,16 @@ export async function createOrUpdate(req: NextApiRequest, res: NextApiResponse)
     return res.status(401).json({ authenticated: false })
   }
 
+  const decoded = verifyAccessToken(token)
+
+  if (!decoded) {
+    return res.status(401).json({ authenticated: false })
+  }
+
+  if (decoded.address.toLowerCase() !== params.walletAddress.toLowerCase()) {
+    return res.status(401).json({ authenticated: false })
+  }
+
   const vaultData = {
     vault_id: params.id,
     type: params.type as VaultType,

pages/api/auth/check-auth.ts

@@ -31,5 +31,9 @@ export default function checkAuthHandler(req: NextApiRequest, res: NextApiRespon
     return res.status(401).json({ authenticated: false })
   }
 
+  if (decoded.address.toLowerCase() !== walletAddress.toLowerCase()) {
+    return res.status(401).json({ authenticated: false })
+  }
+
   return res.status(200).json({ authenticated: true })
 }

pages/api/user/create.tsx

@@ -1,6 +1,7 @@
 import type { User } from '@prisma/client'
 import { getAddress } from 'ethers/lib/utils'
 import type { NextApiHandler, NextApiRequest, NextApiResponse } from 'next'
+import { verifyAccessToken } from 'pages/api/auth/check-auth'
 import { prisma } from 'server/prisma'
 import * as z from 'zod'
 
@@ -33,6 +34,16 @@ const create = async (req: NextApiRequest, res: NextApiResponse) => {
     return res.status(401).json({ authenticated: false })
   }
 
+  const decoded = verifyAccessToken(token)
+
+  if (!decoded) {
+    return res.status(401).json({ authenticated: false })
+  }
+
+  if (decoded.address.toLowerCase() !== params.address.toLowerCase()) {
+    return res.status(401).json({ authenticated: false })
+  }
+
   if (params.user_that_referred_address && !checksumAddress) {
     return res.status(401).json('referral-create/invalid-address')
   }