feat: add auth check to media end point (#173)

Monday-Morning · Jan 9, 2023 · 214d8d4 · 214d8d4
1 parent 07544fb
commit 214d8d4
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/server/router/index.js b/server/router/index.js
@@ -56,7 +56,17 @@ router.use('/admin/spotify/auth', async (_req, res) => {
   }
 });
 
-router.use('/admin/media/auth', (_req, res) => {
+router.use('/admin/media/auth', async (req, res) => {
+  const { authToken, decodedToken } = await UserAuth.getContext(req);
+
+  if (!authToken || !decodedToken || !UserPermission.exists(req.session, authToken, decodedToken, 'media.write.new')) {
+    return res.status(401).json({
+      data: 'The user is not authorized to access media endpoint.',
+      code: 401,
+      error: true,
+    });
+  }
+
   try {
     const imagekit = new ImageKit({
       publicKey: process.env.IMAGEKIT_PUBLIC_KEY,