Skip to content

Commit b4d1102

Browse files
onerandomdevvclaude
andcommitted
fix: enforce auth-first ordering in admin [id] route handlers
Move auth() call before await context.params in all admin [id] routes so unauthorized requests are rejected before resolving route params. Affected files: - api/admin/blog/[id] (GET, PUT, DELETE) - api/admin/careers/[id] (GET, PUT, DELETE) - api/admin/messages/[id] (PUT, DELETE) - api/admin/team/[id] (GET, PUT, DELETE) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent d175e59 commit b4d1102

4 files changed

Lines changed: 22 additions & 11 deletions

File tree

src/app/api/admin/blog/[id]/route.ts

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -34,12 +34,13 @@ type RouteContext = {
3434
};
3535

3636
export async function GET(_request: Request, context: RouteContext) {
37-
const params = await context.params;
3837
const session = await auth();
3938
if (!session) {
4039
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
4140
}
4241

42+
const params = await context.params;
43+
4344
try {
4445
const parsedId = idSchema.safeParse(params.id);
4546

@@ -68,12 +69,13 @@ export async function GET(_request: Request, context: RouteContext) {
6869
}
6970

7071
export async function PUT(request: Request, context: RouteContext) {
71-
const params = await context.params;
7272
const session = await auth();
7373
if (!session) {
7474
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
7575
}
7676

77+
const params = await context.params;
78+
7779
try {
7880
const parsedId = idSchema.safeParse(params.id);
7981
const parsedBody = blogPostUpdateSchema.safeParse(await request.json());
@@ -129,12 +131,13 @@ export async function PUT(request: Request, context: RouteContext) {
129131
}
130132

131133
export async function DELETE(_request: Request, context: RouteContext) {
132-
const params = await context.params;
133134
const session = await auth();
134135
if (!session) {
135136
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
136137
}
137138

139+
const params = await context.params;
140+
138141
try {
139142
const parsedId = idSchema.safeParse(params.id);
140143

src/app/api/admin/careers/[id]/route.ts

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -21,12 +21,13 @@ type RouteContext = {
2121
};
2222

2323
export async function GET(_request: Request, context: RouteContext) {
24-
const params = await context.params;
2524
const session = await auth();
2625
if (!session) {
2726
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
2827
}
2928

29+
const params = await context.params;
30+
3031
try {
3132
const parsedId = idSchema.safeParse(params.id);
3233

@@ -55,12 +56,13 @@ export async function GET(_request: Request, context: RouteContext) {
5556
}
5657

5758
export async function PUT(request: Request, context: RouteContext) {
58-
const params = await context.params;
5959
const session = await auth();
6060
if (!session) {
6161
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
6262
}
6363

64+
const params = await context.params;
65+
6466
try {
6567
const parsedId = idSchema.safeParse(params.id);
6668
const parsedBody = careerUpdateSchema.safeParse(await request.json());
@@ -96,12 +98,13 @@ export async function PUT(request: Request, context: RouteContext) {
9698
}
9799

98100
export async function DELETE(_request: Request, context: RouteContext) {
99-
const params = await context.params;
100101
const session = await auth();
101102
if (!session) {
102103
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
103104
}
104105

106+
const params = await context.params;
107+
105108
try {
106109
const parsedId = idSchema.safeParse(params.id);
107110

src/app/api/admin/messages/[id]/route.ts

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -16,12 +16,13 @@ type RouteContext = {
1616
};
1717

1818
export async function PUT(request: Request, context: RouteContext) {
19-
const params = await context.params;
2019
const session = await auth();
2120
if (!session) {
2221
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
2322
}
2423

24+
const params = await context.params;
25+
2526
try {
2627
const parsedId = idSchema.safeParse(params.id);
2728
const parsedBody = messageUpdateSchema.safeParse(await request.json());
@@ -57,12 +58,13 @@ export async function PUT(request: Request, context: RouteContext) {
5758
}
5859

5960
export async function DELETE(_request: Request, context: RouteContext) {
60-
const params = await context.params;
6161
const session = await auth();
6262
if (!session) {
6363
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
6464
}
6565

66+
const params = await context.params;
67+
6668
try {
6769
const parsedId = idSchema.safeParse(params.id);
6870

src/app/api/admin/team/[id]/route.ts

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -24,12 +24,13 @@ type RouteContext = {
2424
};
2525

2626
export async function GET(_request: Request, context: RouteContext) {
27-
const params = await context.params;
2827
const session = await auth();
2928
if (!session) {
3029
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
3130
}
3231

32+
const params = await context.params;
33+
3334
try {
3435
const parsedId = idSchema.safeParse(params.id);
3536

@@ -58,12 +59,13 @@ export async function GET(_request: Request, context: RouteContext) {
5859
}
5960

6061
export async function PUT(request: Request, context: RouteContext) {
61-
const params = await context.params;
6262
const session = await auth();
6363
if (!session) {
6464
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
6565
}
6666

67+
const params = await context.params;
68+
6769
try {
6870
const parsedId = idSchema.safeParse(params.id);
6971
const parsedBody = teamMemberUpdateSchema.safeParse(await request.json());
@@ -99,12 +101,13 @@ export async function PUT(request: Request, context: RouteContext) {
99101
}
100102

101103
export async function DELETE(_request: Request, context: RouteContext) {
102-
const params = await context.params;
103104
const session = await auth();
104105
if (!session) {
105106
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
106107
}
107108

109+
const params = await context.params;
110+
108111
try {
109112
const parsedId = idSchema.safeParse(params.id);
110113

0 commit comments

Comments
 (0)