submission-receive: defense-in-depth approval check
Even though distribute-rmp gates the submitter, re-validate the contributor's distribute.users.status here before inserting into bb.native_articles. A leaked DISTRIBUTE_SHARED_SECRET shouldn't be enough to bypass the approval system. Falls back to letting the request through on transient lookup failure (distribute side already checked). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -54,6 +54,42 @@ export async function POST(request: NextRequest) {
|
|||||||
const submissionId = body?.submission_id || null;
|
const submissionId = body?.submission_id || null;
|
||||||
const property = body?.property || 'broadcastbeat';
|
const property = body?.property || 'broadcastbeat';
|
||||||
|
|
||||||
|
// Defense in depth: re-check the contributor's approval status against
|
||||||
|
// distribute.users. distribute-rmp's submit route already gates, but a
|
||||||
|
// belt-and-suspenders check here means even a leaked DISTRIBUTE_SHARED_SECRET
|
||||||
|
// can't shove articles in from non-approved users.
|
||||||
|
if (contributor?.id) {
|
||||||
|
const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
|
||||||
|
const srKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
|
||||||
|
if (url && srKey) {
|
||||||
|
try {
|
||||||
|
const r = await fetch(
|
||||||
|
`${url}/rest/v1/users?id=eq.${encodeURIComponent(contributor.id)}&select=status&limit=1`,
|
||||||
|
{
|
||||||
|
headers: {
|
||||||
|
apikey: srKey,
|
||||||
|
Authorization: `Bearer ${srKey}`,
|
||||||
|
'Accept-Profile': 'distribute',
|
||||||
|
},
|
||||||
|
cache: 'no-store',
|
||||||
|
},
|
||||||
|
);
|
||||||
|
const rows = (await r.json()) as Array<{ status: string }>;
|
||||||
|
const status = Array.isArray(rows) && rows.length ? rows[0].status : null;
|
||||||
|
if (status !== 'approved') {
|
||||||
|
return NextResponse.json(
|
||||||
|
{ error: 'Contributor not approved', status },
|
||||||
|
{ status: 403 },
|
||||||
|
);
|
||||||
|
}
|
||||||
|
} catch {
|
||||||
|
// If the lookup fails, fall back to letting the request through
|
||||||
|
// (distribute-rmp side already gated). Don't break the pipeline on
|
||||||
|
// a transient supabase glitch.
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
|
const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
|
||||||
const key = process.env.SUPABASE_SERVICE_ROLE_KEY;
|
const key = process.env.SUPABASE_SERVICE_ROLE_KEY;
|
||||||
if (!url || !key) return NextResponse.json({ error: 'supabase not configured' }, { status: 500 });
|
if (!url || !key) return NextResponse.json({ error: 'supabase not configured' }, { status: 500 });
|
||||||
|
|||||||
Reference in New Issue
Block a user