백엔드에서, Request Body 검증 전에 인증을 먼저 거치도록 변경

2025-12-12 21:08:46 +00:00 · 2024-12-30 00:48:21 +09:00
parent 04780d2493
commit d39931c79a
4 changed files with 21 additions and 22 deletions
--- a/src/routes/api/client/register/+server.ts
+++ b/src/routes/api/client/register/+server.ts
@@ -5,19 +5,19 @@ import { registerUserClient } from "$lib/server/services/client";
 import type { RequestHandler } from "./$types";

 export const POST: RequestHandler = async ({ request, cookies, getClientAddress }) => {
+  const { userId, clientId } = authenticate(cookies);
+  if (clientId) {
+    error(403, "Forbidden");
+  }
+
  const zodRes = z
    .object({
      pubKey: z.string().base64().nonempty(),
    })
    .safeParse(await request.json());
  if (!zodRes.success) error(400, "Invalid request body");
-
-  const { userId, clientId } = authenticate(cookies);
-  if (clientId) {
-    error(403, "Forbidden");
-  }
-
  const { pubKey } = zodRes.data;
+
  const challenge = await registerUserClient(userId, getClientAddress(), pubKey.trim());
  return json({ challenge });
 };
--- a/src/routes/api/client/verify/+server.ts
+++ b/src/routes/api/client/verify/+server.ts
@@ -5,19 +5,19 @@ import { verifyUserClient } from "$lib/server/services/client";
 import type { RequestHandler } from "./$types";

 export const POST: RequestHandler = async ({ request, cookies, getClientAddress }) => {
+  const { userId, clientId } = authenticate(cookies);
+  if (clientId) {
+    error(403, "Forbidden");
+  }
+
  const zodRes = z
    .object({
      answer: z.string().base64().nonempty(),
    })
    .safeParse(await request.json());
  if (!zodRes.success) error(400, "Invalid request body");
-
-  const { userId, clientId } = authenticate(cookies);
-  if (clientId) {
-    error(403, "Forbidden");
-  }
-
  const { answer } = zodRes.data;
+
  await verifyUserClient(userId, getClientAddress(), answer.trim());
  return text("Client verified", { headers: { "Content-Type": "text/plain" } });
 };
--- a/src/routes/api/mek/register/+server.ts
+++ b/src/routes/api/mek/register/+server.ts
@@ -5,6 +5,8 @@ import { registerNewActiveMek } from "$lib/server/services/mek";
 import type { RequestHandler } from "@sveltejs/kit";

 export const POST: RequestHandler = async ({ request, cookies }) => {
+  const { userId, clientId } = await authorize(cookies, "activeClient");
+
  const zodRes = z
    .object({
      meks: z.array(
@@ -16,9 +18,8 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
    })
    .safeParse(await request.json());
  if (!zodRes.success) error(400, "Invalid request body");
-
-  const { userId, clientId } = await authorize(cookies, "activeClient");
  const { meks } = zodRes.data;
+
  await registerNewActiveMek(
    userId,
    clientId,
@@ -27,6 +28,5 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
      encMek: mek.trim(),
    })),
  );
-
  return text("MEK registered", { headers: { "Content-Type": "text/plain" } });
 };
--- a/src/routes/api/mek/register/initial/+server.ts
+++ b/src/routes/api/mek/register/initial/+server.ts
@@ -5,20 +5,19 @@ import { registerInitialActiveMek } from "$lib/server/services/mek";
 import type { RequestHandler } from "@sveltejs/kit";

 export const POST: RequestHandler = async ({ request, cookies }) => {
+  const { userId, clientId } = authenticate(cookies);
+  if (!clientId) {
+    error(403, "Forbidden");
+  }
+
  const zodRes = z
    .object({
      mek: z.string().base64().nonempty(),
    })
    .safeParse(await request.json());
  if (!zodRes.success) error(400, "Invalid request body");
-
-  const { userId, clientId } = authenticate(cookies);
-  if (!clientId) {
-    error(403, "Forbidden");
-  }
-
  const { mek } = zodRes.data;
-  await registerInitialActiveMek(userId, clientId, mek);

+  await registerInitialActiveMek(userId, clientId, mek);
  return text("MEK registered", { headers: { "Content-Type": "text/plain" } });
 };