add user checks in routes

server/routers/resource/createResource.ts

@@ -39,6 +39,7 @@ const createHttpResourceSchema = z
         isBaseDomain: z.boolean().optional(),
         siteId: z.number(),
         http: z.boolean(),
+        protocol: z.string(),
         domainId: z.string()
     })
     .strict()
@@ -129,7 +130,7 @@ export async function createResource(
 
         const { siteId, orgId } = parsedParams.data;
 
-        if (!req.userOrgRoleId) {
+        if (req.user && !req.userOrgRoleId) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
@@ -202,7 +203,7 @@ async function createHttpResource(
         );
     }
 
-    const { name, subdomain, isBaseDomain, http, domainId } =
+    const { name, subdomain, isBaseDomain, http, protocol, domainId } =
         parsedBody.data;
 
     const [orgDomain] = await db
@@ -261,7 +262,7 @@ async function createHttpResource(
                 name,
                 subdomain,
                 http,
-                protocol: "tcp",
+                protocol,
                 ssl: true,
                 isBaseDomain
             })
@@ -284,7 +285,7 @@ async function createHttpResource(
             resourceId: newResource[0].resourceId
         });
 
-        if (req.userOrgRoleId != adminRole[0].roleId) {
+        if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
             // make sure the user can access the resource
             await trx.insert(userResources).values({
                 userId: req.user?.userId!,

server/routers/resource/listResources.ts

@@ -69,9 +69,7 @@ function queryResources(
                 http: resources.http,
                 protocol: resources.protocol,
                 proxyPort: resources.proxyPort,
-                enabled: resources.enabled,
-                tlsServerName: resources.tlsServerName,
-                setHostHeader: resources.setHostHeader
+                enabled: resources.enabled
             })
             .from(resources)
             .leftJoin(sites, eq(resources.siteId, sites.siteId))
@@ -105,9 +103,7 @@ function queryResources(
                 http: resources.http,
                 protocol: resources.protocol,
                 proxyPort: resources.proxyPort,
-                enabled: resources.enabled,
-                tlsServerName: resources.tlsServerName,
-                setHostHeader: resources.setHostHeader
+                enabled: resources.enabled
             })
             .from(resources)
             .leftJoin(sites, eq(resources.siteId, sites.siteId))
@@ -187,9 +183,17 @@ export async function listResources(
                 )
             );
         }
-        const { siteId, orgId } = parsedParams.data;
+        const { siteId } = parsedParams.data;
 
-        if (orgId && orgId !== req.userOrgId) {
+        const orgId = parsedParams.data.orgId || req.userOrg?.orgId || req.apiKeyOrg?.orgId;
+
+        if (!orgId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+            );
+        }
+
+        if (req.user && orgId && orgId !== req.userOrgId) {
             return next(
                 createHttpError(
                     HttpCode.FORBIDDEN,
@@ -198,7 +202,9 @@ export async function listResources(
             );
         }
 
-        const accessibleResources = await db
+        let accessibleResources;
+        if (req.user) {
+            accessibleResources = await db
             .select({
                 resourceId: sql<number>`COALESCE(${userResources.resourceId}, ${roleResources.resourceId})`
             })
@@ -213,6 +219,11 @@ export async function listResources(
                     eq(roleResources.roleId, req.userOrgRoleId!)
                 )
             );
+        } else {
+            accessibleResources = await db.select({
+                resourceId: resources.resourceId
+            }).from(resources).where(eq(resources.orgId, orgId));
+        }
 
         const accessibleResourceIds = accessibleResources.map(
             (resource) => resource.resourceId

server/routers/resource/setResourceRoles.ts

@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { roleResources, roles } from "@server/db/schemas";
+import { apiKeys, roleResources, roles } from "@server/db/schemas";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -74,6 +74,17 @@ export async function setResourceRoles(
 
         const { resourceId } = parsedParams.data;
 
+        const orgId = req.userOrg?.orgId || req.apiKeyOrg?.orgId;
+
+        if (!orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Organization not found"
+                )
+            );
+        }
+
         // get this org's admin role
         const adminRole = await db
             .select()
@@ -81,7 +92,7 @@ export async function setResourceRoles(
             .where(
                 and(
                     eq(roles.name, "Admin"),
-                    eq(roles.orgId, req.userOrg!.orgId)
+                    eq(roles.orgId, orgId)
                 )
             )
             .limit(1);
@@ -136,3 +147,4 @@ export async function setResourceRoles(
         );
     }
 }
+

server/routers/resource/updateResource.ts

@@ -45,8 +45,8 @@ const updateHttpResourceBodySchema = z
         domainId: z.string().optional(),
         enabled: z.boolean().optional(),
         stickySession: z.boolean().optional(),
-        tlsServerName: z.string().optional(),
-        setHostHeader: z.string().optional()
+        tlsServerName: z.string().nullable().optional(),
+        setHostHeader: z.string().nullable().optional()
     })
     .strict()
     .refine((data) => Object.keys(data).length > 0, {