Fix critical security vulnerability: use server-side auth instead of client-provided sessionID

Author: Gerome-Elassaad

app/api/files/content/route.ts

@@ -1,31 +1,30 @@
 import { NextRequest, NextResponse } from 'next/server'
-import { createClient } from '@supabase/supabase-js'
+import { createServerClient } from '@/lib/supabase-server'
 
 export const dynamic = 'force-dynamic'
 
 export async function GET(request: NextRequest) {
   try {
-    const sessionID = request.nextUrl.searchParams.get('sessionID')
     const path = request.nextUrl.searchParams.get('path')
 
-    if (!sessionID || !path) {
-      return NextResponse.json({ error: 'Session ID and path are required' }, { status: 400 })
+    if (!path) {
+      return NextResponse.json({ error: 'Path is required' }, { status: 400 })
     }
 
-    const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL
-    const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY
+    const supabase = createServerClient()
 
-    if (!supabaseUrl || !supabaseKey) {
-      return NextResponse.json({ error: 'Supabase configuration missing' }, { status: 500 })
-    }
+    // Get authenticated user from session
+    const { data: { user }, error: authError } = await supabase.auth.getUser()
 
-    const supabase = createClient(supabaseUrl, supabaseKey)
+    if (authError || !user) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
 
     // Fetch the file content
     const { data: file, error } = await supabase
       .from('workspace_files')
       .select('content, path, name, is_directory')
-      .eq('user_id', sessionID)
+      .eq('user_id', user.id)
       .eq('path', path)
       .single()
 
@@ -52,20 +51,20 @@ export async function GET(request: NextRequest) {
 export async function POST(request: NextRequest) {
   try {
     const body = await request.json()
-    const { sessionID, path, content } = body
+    const { path, content } = body
 
-    if (!sessionID || !path || content === undefined) {
-      return NextResponse.json({ error: 'Session ID, path, and content are required' }, { status: 400 })
+    if (!path || content === undefined) {
+      return NextResponse.json({ error: 'Path and content are required' }, { status: 400 })
     }
 
-    const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL
-    const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY
+    const supabase = createServerClient()
 
-    if (!supabaseUrl || !supabaseKey) {
-      return NextResponse.json({ error: 'Supabase configuration missing' }, { status: 500 })
-    }
+    // Get authenticated user from session
+    const { data: { user }, error: authError } = await supabase.auth.getUser()
 
-    const supabase = createClient(supabaseUrl, supabaseKey)
+    if (authError || !user) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
 
     // Calculate content size
     const sizeBytes = Buffer.byteLength(content, 'utf8')
@@ -78,7 +77,7 @@ export async function POST(request: NextRequest) {
         size_bytes: sizeBytes,
         updated_at: new Date().toISOString()
       })
-      .eq('user_id', sessionID)
+      .eq('user_id', user.id)
       .eq('path', path)
       .select()
       .single()

app/api/files/route.ts

@@ -1,5 +1,5 @@
 import { NextRequest, NextResponse } from 'next/server'
-import { createClient } from '@supabase/supabase-js'
+import { createServerClient } from '@/lib/supabase-server'
 
 export const dynamic = 'force-dynamic'
 
@@ -38,26 +38,20 @@ function buildFileTree(files: any[]): any[] {
 
 export async function GET(request: NextRequest) {
   try {
-    const sessionID = request.nextUrl.searchParams.get('sessionID')
+    const supabase = createServerClient()
 
-    if (!sessionID) {
-      return NextResponse.json({ error: 'Session ID is required' }, { status: 400 })
-    }
-
-    const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL
-    const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY
+    // Get authenticated user from session
+    const { data: { user }, error: authError } = await supabase.auth.getUser()
 
-    if (!supabaseUrl || !supabaseKey) {
-      return NextResponse.json({ error: 'Supabase configuration missing' }, { status: 500 })
+    if (authError || !user) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    const supabase = createClient(supabaseUrl, supabaseKey)
-
     // Fetch all workspace files for the user
     const { data: files, error } = await supabase
       .from('workspace_files')
       .select('*')
-      .eq('user_id', sessionID)
+      .eq('user_id', user.id)
       .order('path', { ascending: true })
 
     if (error) {
@@ -78,20 +72,20 @@ export async function GET(request: NextRequest) {
 export async function POST(request: NextRequest) {
   try {
     const body = await request.json()
-    const { sessionID, path, isDirectory, content = '' } = body
+    const { path, isDirectory, content = '' } = body
 
-    if (!sessionID || !path) {
-      return NextResponse.json({ error: 'Session ID and path are required' }, { status: 400 })
+    if (!path) {
+      return NextResponse.json({ error: 'Path is required' }, { status: 400 })
     }
 
-    const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL
-    const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY
+    const supabase = createServerClient()
 
-    if (!supabaseUrl || !supabaseKey) {
-      return NextResponse.json({ error: 'Supabase configuration missing' }, { status: 500 })
-    }
+    // Get authenticated user from session
+    const { data: { user }, error: authError } = await supabase.auth.getUser()
 
-    const supabase = createClient(supabaseUrl, supabaseKey)
+    if (authError || !user) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
 
     // Extract file name and parent path
     const pathParts = path.split('/')
@@ -105,7 +99,7 @@ export async function POST(request: NextRequest) {
     const { data: file, error } = await supabase
       .from('workspace_files')
       .insert({
-        user_id: sessionID,
+        user_id: user.id,
         path,
         name,
         content,
@@ -131,26 +125,26 @@ export async function POST(request: NextRequest) {
 export async function DELETE(request: NextRequest) {
   try {
     const body = await request.json()
-    const { sessionID, path } = body
+    const { path } = body
 
-    if (!sessionID || !path) {
-      return NextResponse.json({ error: 'Session ID and path are required' }, { status: 400 })
+    if (!path) {
+      return NextResponse.json({ error: 'Path is required' }, { status: 400 })
     }
 
-    const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL
-    const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY
+    const supabase = createServerClient()
 
-    if (!supabaseUrl || !supabaseKey) {
-      return NextResponse.json({ error: 'Supabase configuration missing' }, { status: 500 })
-    }
+    // Get authenticated user from session
+    const { data: { user }, error: authError } = await supabase.auth.getUser()
 
-    const supabase = createClient(supabaseUrl, supabaseKey)
+    if (authError || !user) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
 
     // Delete the file and all its children (for directories)
     const { error } = await supabase
       .from('workspace_files')
       .delete()
-      .eq('user_id', sessionID)
+      .eq('user_id', user.id)
       .or(`path.eq.${path},parent_path.eq.${path}`)
 
     if (error) {

app/page.tsx

@@ -457,7 +457,6 @@ export default function Home() {
             'Content-Type': 'application/json',
           },
           body: JSON.stringify({
-            sessionID: session.user.id,
             path,
             content
           }),

components/github-import.tsx

@@ -176,7 +176,6 @@ export function GitHubImport({ onImport, onClose }: GitHubImportProps) {
               'Content-Type': 'application/json',
             },
             body: JSON.stringify({
-              sessionID: session.user.id,
               path: `${repo.name}/${file.path}`,
               isDirectory: false,
               content: file.content,

components/ide.tsx

@@ -42,7 +42,7 @@ export function IDE({ sandboxId }: IDEProps = {}) {
     } else if (session) {
       // Fetch files from Supabase
       try {
-        const response = await fetch(`/api/files?sessionID=${session.user.id}`)
+        const response = await fetch('/api/files')
         if (response.ok) {
           const data = await response.json()
           setFiles(data)
@@ -79,7 +79,7 @@ export function IDE({ sandboxId }: IDEProps = {}) {
       setSelectedFile({ path, content })
     } else if (session) {
       // Load file from Supabase
-      const response = await fetch(`/api/files/content?sessionID=${session.user.id}&path=${path}`)
+      const response = await fetch(`/api/files/content?path=${encodeURIComponent(path)}`)
       const { content } = await response.json()
       setSelectedFile({ path, content })
     }
@@ -102,7 +102,7 @@ export function IDE({ sandboxId }: IDEProps = {}) {
         headers: {
           'Content-Type': 'application/json',
         },
-        body: JSON.stringify({ sessionID: session.user.id, path, content }),
+        body: JSON.stringify({ path, content }),
       })
     }
   }
@@ -122,7 +122,6 @@ export function IDE({ sandboxId }: IDEProps = {}) {
           'Content-Type': 'application/json',
         },
         body: JSON.stringify({
-          sessionID: session.user.id,
           path,
           isDirectory,
           content: isDirectory ? '' : '// New file\n'
@@ -151,7 +150,6 @@ export function IDE({ sandboxId }: IDEProps = {}) {
           'Content-Type': 'application/json',
         },
         body: JSON.stringify({
-          sessionID: session.user.id,
           path,
         }),
       })