From 288fc7936689b0db696b57c2e662f6df8475f9b2 Mon Sep 17 00:00:00 2001
From: Matti Nannt
Date: Mon, 31 Jul 2023 14:10:28 +0200
Subject: [PATCH] Fix Authentication issues for Webhook API (#622)
---
 .../app/api/v1/webhooks/[webhookId]/route.ts | 14 +++++++++++-
 apps/web/lib/api/response.ts | 14 ++++++++++++
 packages/lib/services/webhook.ts | 22 +++++-------------
 3 files changed, 33 insertions(+), 17 deletions(-)
diff --git a/apps/web/app/api/v1/webhooks/[webhookId]/route.ts b/apps/web/app/api/v1/webhooks/[webhookId]/route.ts
index 16b0a45e78..e500401fcd 100644
--- a/apps/web/app/api/v1/webhooks/[webhookId]/route.ts
+++ b/apps/web/app/api/v1/webhooks/[webhookId]/route.ts
@@ -18,6 +18,9 @@ export async function GET(_: Request, { params }: { params: { webhookId: string
   if (!webhook) {
     return responses.notFoundResponse("Webhook", params.webhookId);
   }
+  if (webhook.environmentId !== apiKeyData.environmentId) {
+    return responses.unauthorizedResponse();
+  }
   return responses.successResponse(webhook);
 }
 
@@ -31,7 +34,16 @@ export async function DELETE(_: Request, { params }: { params: { webhookId: stri
     return responses.notAuthenticatedResponse();
   }
 
-  // add webhook to database
+  // check if webhook exists
+  const webhook = await getWebhook(params.webhookId);
+  if (!webhook) {
+    return responses.notFoundResponse("Webhook", params.webhookId);
+  }
+  if (webhook.environmentId !== apiKeyData.environmentId) {
+    return responses.unauthorizedResponse();
+  }
+
+  // delete webhook from database
   try {
     const webhook = await deleteWebhook(params.webhookId);
     return responses.successResponse(webhook);
diff --git a/apps/web/lib/api/response.ts b/apps/web/lib/api/response.ts
index 4f18b799e3..be189a6094 100644
--- a/apps/web/lib/api/response.ts
+++ b/apps/web/lib/api/response.ts
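Review bot: The new environment check in GET answers a cross-environment lookup with `unauthorizedResponse()` while an unknown id gets a 404 two lines above, so the status code alone tells the holder of any valid API key whether an arbitrary webhookId exists in some other environment. Returning the same not-found response in both branches, `return responses.notFoundResponse("Webhook", params.webhookId);`, closes that enumeration oracle without weakening the check. Where `apiKeyData` is populated is outside the hunk, and GET's body starts before it, so I am assuming it is the authenticated key's record.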
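Review bot: In DELETE the ownership check lives in the handler, but the write that follows, `deleteWebhook(params.webhookId)`, still deletes by id alone, so the tenancy restriction is not enforced where the row is actually removed and any other caller of deleteWebhook (or a later edit to this lookup) silently loses it; the inner `const webhook` inside the try also shadows the one declared a few lines above. Passing the caller's environment into the service so the data layer scopes the row, e.g. `deleteWebhook(params.webhookId, apiKeyData.environmentId)` with the environment included in the query's `where`, keeps the check next to the write — deleteWebhook's signature is not in the diff, so that is a proposal rather than a drop-in. The comment `// check if webhook exists` undersells what the block does; `// ensure the webhook exists and belongs to the caller's environment` matches it. DELETE's body continues past the hunk.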
@@ -101,6 +101,19 @@ const notAuthenticatedResponse = (cors: boolean = false) =>
     }
   );
 
+const unauthorizedResponse = (cors: boolean = false) =>
+  NextResponse.json(
+    {
+      code: "unauthorized",
+      message: "You are not authorized to access this resource",
+      details: {},
+    } as ApiErrorResponse,
+    {
+      status: 401,
+      ...(cors && { headers: corsHeaders }),
+    }
+  );
+
 const successResponse = (data: Object, cors: boolean = false) =>
   NextResponse.json(
     {
@@ -131,6 +144,7 @@ export const responses = {
   missingFieldResponse,
   methodNotAllowedResponse,
   notAuthenticatedResponse,
+  unauthorizedResponse,
   notFoundResponse,
   successResponse,
 };
diff --git a/packages/lib/services/webhook.ts b/packages/lib/services/webhook.ts
index b9eb9115f1..7cc920e094 100644
--- a/packages/lib/services/webhook.ts
+++ b/packages/lib/services/webhook.ts
@@ -16,22 +16,12 @@ export const getWebhooks = async (environmentId: string): Promise =>
 };
 
 export const getWebhook = async (id: string): Promise => {
-  try {
-    const webhook = await prisma.webhook.findUnique({
-      where: {
-        id,
-      },
-    });
-    if (!webhook) {
-      throw new ResourceNotFoundError("Webhook", id);
-    }
-    return webhook;
-  } catch (error) {
-    if (!(error instanceof ResourceNotFoundError)) {
-      throw new DatabaseError(`Database error when fetching webhook with ID ${id}`);
-    }
-    throw error;
-  }
+  const webhook = await prisma.webhook.findUnique({
+    where: {
+      id,
+    },
+  });
+  return webhook;
 };
 
 export const createWebhook = async (
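Review bot: `unauthorizedResponse` sends `status: 401,`, but 401 means the request carried no usable credential — the case `notAuthenticatedResponse` directly above already covers — whereas the callers added in this commit use it for a key that authenticated fine and merely belongs to a different environment, which is 403 Forbidden. Change the line to `status: 403,`; if no client depends on the `code` value yet, `"forbidden"` describes it more accurately than `"unauthorized"`, and the message can stay. A TSDoc line on the helper, `/** Caller is authenticated but may not act on this resource (403); use notAuthenticatedResponse for missing/invalid credentials. */`, would keep the two from being confused again.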
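Review bot: Removing the try/catch in `getWebhook` drops not only the not-found throw but also the `DatabaseError` wrapping, so a Prisma failure now propagates as a raw driver error; the new DELETE handler in this same commit calls `getWebhook` outside its try block, so that error would reach the framework unhandled, and if the file's other service functions still wrap database errors this one is now the odd one out. Keeping the wrapper around the query while returning null on a miss preserves both contracts; if `ResourceNotFoundError` is no longer referenced elsewhere in the file its import is now dead, which I cannot confirm from the hunk. The changed contract deserves a TSDoc, roughly `/** Returns the webhook with the given id, or null if none exists. Performs no ownership check — callers must compare environmentId. */`.
```typescript
// … unchanged: getWebhook signature …
  try {
    return await prisma.webhook.findUnique({ where: { id } });
  } catch {
    // Surface DB failures under the service's error type; a missing row is a null return, not an error.
    throw new DatabaseError(`Database error when fetching webhook with ID ${id}`);
  }
```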