oss-oopssec-store/app/api/documents/share/route.ts at 96834e4e96b14e59ce444effaaef2368e4490b5f · kOaDT/oss-oopssec-store · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
import { NextRequest, NextResponse } from "next/server";
import { prisma } from "@/lib/prisma";
import { decryptShareToken } from "@/lib/share-crypto";
import { parseQuery } from "@/lib/validation";
import { shareTokenQuerySchema } from "@/lib/validation/schemas/documents";

export async function GET(request: NextRequest) {
  const { searchParams } = new URL(request.url);
  const parsed = parseQuery(searchParams, shareTokenQuerySchema);
  if (!parsed.success) return parsed.response;
  const { token } = parsed.data;

  let resourcePath: string;
  try {
    resourcePath = decryptShareToken(token);
  } catch {
    return NextResponse.json(
      { error: "Invalid share token format" },
      { status: 400 }
    );
  }

  const colonIndex = resourcePath.indexOf(":");
  if (colonIndex === -1) {
    return NextResponse.json(
      { error: "Shared resource not found" },
      { status: 404 }
    );
  }

  const resourceType = resourcePath.substring(0, colonIndex);
  const resourceId = resourcePath.substring(colonIndex + 1);

  const supportedTypes = ["order", "report"];
  if (!supportedTypes.includes(resourceType)) {
    return NextResponse.json(
      {
        error: `Unsupported resource type '${resourceType}'. Expected: ${supportedTypes.join(", ")}`,
      },
      { status: 400 }
    );
  }

  if (resourceType === "order") {
    const order = await prisma.order.findUnique({
      where: { id: resourceId },
      include: {
        user: true,
        items: {
          include: { product: true },
        },
        address: true,
      },
    });

    if (!order) {
      return NextResponse.json(
        { error: "Shared resource not found" },
        { status: 404 }
      );
    }

    const emailName = order.user.email.split("@")[0];
    const customerName = emailName.charAt(0).toUpperCase() + emailName.slice(1);

    return NextResponse.json({
      type: "order",
      order: {
        id: order.id,
        total: order.total,
        status: order.status,
        customerName,
        createdAt: order.createdAt,
        items: order.items.map((item) => ({
          name: item.product.name,
          quantity: item.quantity,
          price: item.priceAtPurchase,
        })),
        deliveryAddress: {
          street: order.address.street,
          city: order.address.city,
          state: order.address.state,
          zipCode: order.address.zipCode,
          country: order.address.country,
        },
      },
    });
  }

  if (resourceType === "report") {
    if (resourceId === "internal") {
      const flag = await prisma.flag.findUnique({
        where: { slug: "aes-cbc-padding-oracle" },
      });

      return NextResponse.json({
        type: "report",
        title: "Internal Security Audit Report",
        content:
          "Quarterly security assessment completed. All systems operational. No critical findings.",
        flag: flag?.flag,
      });
    }
  }

  return NextResponse.json(
    { error: "Shared resource not found" },
    { status: 404 }
  );
}