サーバーサイドのAPI Keyの実装の忘れ

Author: yuito-it

src/app/api/clubs/[id]/route.ts

@@ -1,6 +1,7 @@
 import { auth } from "@/auth";
 import Club from "@/models/Club";
 import { NextResponse } from "next/server";
+import CryptoJS from "crypto-js";
 
 export const dynamic = "force-dynamic";
 
@@ -12,19 +13,30 @@ export async function GET(request: Request, { params }: { params: Promise<{ id:
   if (clubRes.status !== 200) return NextResponse.json({ status: clubRes.status });
   const clubData = (await clubRes.json()) as Club;
   const session = await auth();
-  if (!session && !((clubData.visible & 0x2) == 0x2))
+  const apiKey = request.headers.get("X-Api-Key");
+  const sessionEmail = apiKey
+    ? CryptoJS.AES.decrypt(apiKey, process.env.API_ROUTE_SECRET as string).toString(
+        CryptoJS.enc.Utf8
+      )
+    : "";
+  const checkEmail =
+    sessionEmail &&
+    (sessionEmail.endsWith("@nnn.ed.jp") ||
+      sessionEmail.endsWith("@nnn.ac.jp") ||
+      sessionEmail.endsWith("@n-jr.jp"));
+  if (!(session || checkEmail) && !((clubData.visible & 0x2) == 0x2))
     return NextResponse.json({ error: "Forbidden" }, { status: 403 });
   const user_clubRes = await fetch(`${endpoint}/user_club/?filter1=club,eq,${id}`);
   const user_clubData = (
     (await user_clubRes.json()) as { records: [{ user: string }] }
   ).records.map((record) => record.user);
   if (
-    session &&
-    !user_clubData.includes(session?.user?.email || "") &&
+    (session || checkEmail) &&
+    !user_clubData.includes(session?.user?.email || sessionEmail || "") &&
     !((clubData.visible & 0x1) == 0x1)
   )
     return NextResponse.json({ error: "Forbidden" }, { status: 403 });
-  if (user_clubData.includes(session?.user?.email || "")) {
+  if (user_clubData.includes(session?.user?.email || sessionEmail || "")) {
     clubData.owner = user_clubData;
   }
   return Response.json(clubData);