Refactor API functions to use authorDid instead of user.did for vote,…

… post, and comment actions; enhance validation to ensure users can only act on their own content

packages/frontpage/app/(app)/_components/post-card.tsx

@@ -55,8 +55,9 @@ export async function PostCard({
         <VoteButton
           voteAction={async () => {
             "use server";
-            await ensureUser();
+            const user = await ensureUser();
             await createVote({
+              authorDid: user.did,
               subject: {
                 rkey,
                 cid,

packages/frontpage/app/(app)/post/[postAuthor]/[postRkey]/_lib/actions.tsx

@@ -42,7 +42,7 @@ export async function createCommentAction(
     parent: comment,
     post,
     content,
-    repo: user.did,
+    authorDid: user.did,
   });
 
   revalidatePath(`/post`);
@@ -83,8 +83,9 @@ export async function commentVoteAction(input: {
   rkey: string;
   authorDid: DID;
 }) {
-  await ensureUser();
+  const user = await ensureUser();
   await createVote({
+    authorDid: user.did,
     subject: {
       rkey: input.rkey,
       cid: input.cid,

packages/frontpage/app/(app)/post/new/_action.ts

@@ -26,7 +26,7 @@ export async function newPostAction(_prevState: unknown, formData: FormData) {
 
   try {
     const [{ rkey }, handle] = await Promise.all([
-      createPost({ title, url }),
+      createPost({ authorDid: user.did, title, url }),
       getVerifiedHandle(user.did),
     ]);
 

packages/frontpage/lib/api/comment.ts

@@ -9,14 +9,14 @@ import { invariant } from "../utils";
 import { TID } from "@atproto/common-web";
 
 export type ApiCreateCommentInput = Omit<atproto.CommentInput, "rkey"> & {
-  repo: DID;
+  authorDid: DID;
 };
 
 export async function createComment({
   parent,
   post,
   content,
-  repo,
+  authorDid,
 }: ApiCreateCommentInput) {
   const user = await ensureUser();
 
@@ -49,7 +49,7 @@ export async function createComment({
 
     const didToNotify = parent ? parent.authorDid : post.authorDid;
 
-    if (didToNotify !== repo) {
+    if (didToNotify !== authorDid) {
       await createNotification({
         commentId: dbCreatedComment.id,
         did: didToNotify,
@@ -62,12 +62,19 @@ export async function createComment({
   }
 }
 
-export async function deleteComment({ rkey }: db.DeleteCommentInput) {
+export async function deleteComment({
+  authorDid,
+  rkey,
+}: db.DeleteCommentInput) {
   const user = await ensureUser();
 
+  if (user.did !== authorDid) {
+    throw new DataLayerError("You can only delete your own comments");
+  }
+
   try {
     console.log("deleteComment", rkey);
-    await atproto.deleteComment(user.did, rkey);
+    await atproto.deleteComment(authorDid, rkey);
     await db.deleteComment({ authorDid: user.did, rkey });
   } catch (e) {
     throw new DataLayerError(`Failed to delete comment: ${e}`);

packages/frontpage/lib/api/post.ts

@@ -6,15 +6,25 @@ import { DataLayerError } from "../data/error";
 import { sendDiscordMessage } from "../discord";
 import { invariant } from "../utils";
 import { TID } from "@atproto/common-web";
+import { DID } from "../data/atproto/did";
 
 export type ApiCreatePostInput = {
+  authorDid: DID;
   title: string;
   url: string;
 };
 
-export async function createPost({ title, url }: ApiCreatePostInput) {
+export async function createPost({
+  authorDid,
+  title,
+  url,
+}: ApiCreatePostInput) {
   const user = await ensureUser();
 
+  if (user.did !== authorDid) {
+    throw new DataLayerError("You can only create posts for yourself");
+  }
+
   const rkey = TID.next().toString();
   try {
     const dbCreatedPost = await db.createPost({
@@ -67,11 +77,15 @@ export async function createPost({ title, url }: ApiCreatePostInput) {
   }
 }
 
-export async function deletePost({ rkey }: db.DeletePostInput) {
+export async function deletePost({ authorDid, rkey }: db.DeletePostInput) {
   const user = await ensureUser();
 
+  if (authorDid !== user.did) {
+    throw new DataLayerError("You can only delete your own posts");
+  }
+
   try {
-    await atproto.deletePost(user.did, rkey);
+    await atproto.deletePost(authorDid, rkey);
     await db.deletePost({ authorDid: user.did, rkey });
   } catch (e) {
     throw new DataLayerError(`Failed to delete post: ${e}`);

packages/frontpage/lib/api/vote.ts

@@ -10,6 +10,7 @@ import { invariant } from "../utils";
 import { TID } from "@atproto/common-web";
 
 export type ApiCreateVoteInput = {
+  authorDid: DID;
   subject: {
     rkey: string;
     cid: string;
@@ -18,14 +19,18 @@ export type ApiCreateVoteInput = {
   };
 };
 
-export async function createVote({ subject }: ApiCreateVoteInput) {
+export async function createVote({ authorDid, subject }: ApiCreateVoteInput) {
   const user = await ensureUser();
 
+  if (authorDid !== user.did) {
+    throw new DataLayerError("You can only vote for yourself");
+  }
+
   const rkey = TID.next().toString();
   try {
     if (subject.collection == PostCollection) {
       const dbCreatedVote = await db.createPostVote({
-        repo: user.did,
+        repo: authorDid,
         rkey,
         subject: {
           rkey: subject.rkey,
@@ -36,7 +41,7 @@ export async function createVote({ subject }: ApiCreateVoteInput) {
       invariant(dbCreatedVote, "Failed to insert post vote in database");
     } else if (subject.collection == CommentCollection) {
       const dbCreatedVote = await db.createCommentVote({
-        repo: user.did,
+        repo: authorDid,
         rkey,
         subject: {
           rkey: subject.rkey,
@@ -65,11 +70,14 @@ export async function createVote({ subject }: ApiCreateVoteInput) {
   }
 }
 
-export async function deleteVote({ rkey }: db.DeleteVoteInput) {
+export async function deleteVote({ authorDid, rkey }: db.DeleteVoteInput) {
   const user = await ensureUser();
+  if (authorDid !== user.did) {
+    throw new DataLayerError("You can only delete your own votes");
+  }
 
   try {
-    await atproto.deleteVote(user.did, rkey);
+    await atproto.deleteVote(authorDid, rkey);
     await db.deleteVote({ authorDid: user.did, rkey });
   } catch (e) {
     throw new DataLayerError(`Failed to delete vote: ${e}`);