Files
Momento/memento-note/app/api/labels/route.ts
sepehr fa72672aac
Some checks failed
Deploy to Production / Build and Deploy (push) Failing after 39s
security: fix critical auth gaps, SSRF, IDOR, and embedding error handling
CRITICAL:
- Add auth + admin check to 10 unprotected API routes (test-*, debug/*,
  config, models, fix-labels)
- Add CRON_SECRET bearer auth to /api/cron/reminders (was fully open)
- Add SSRF protection to getOllamaModels (blocks private/internal IPs)

HIGH:
- Fix getAllLabels() missing userId filter (leaked all users' labels)
- Fix /api/labels OR clause leaking other users' labels
- Fix IDOR in toggleAgent/getAgentActions (add ownership check)
- Fix getEmbeddings() returning [] on error in all 5 providers (corrupted
  semantic search with NaN cosine similarity) — now throws instead

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-30 21:02:13 +02:00

129 lines
3.4 KiB
TypeScript

import { NextRequest, NextResponse } from 'next/server'
import prisma from '@/lib/prisma'
import { auth } from '@/auth'
const COLORS = ['red', 'orange', 'yellow', 'green', 'teal', 'blue', 'purple', 'pink', 'gray'];
// GET /api/labels - Get all labels (supports optional notebookId filter)
export async function GET(request: NextRequest) {
const session = await auth();
if (!session?.user?.id) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}
try {
const searchParams = request.nextUrl.searchParams
const notebookId = searchParams.get('notebookId')
// Build where clause
const where: any = {}
if (notebookId === 'null' || notebookId === '') {
// Get labels without a notebook (backward compatibility)
where.notebookId = null
} else if (notebookId) {
// Get labels for a specific notebook
where.notebookId = notebookId
} else {
// Get all labels for the user
where.userId = session.user.id
}
const labels = await prisma.label.findMany({
where,
include: {
notebook: {
select: { id: true, name: true }
}
},
orderBy: { name: 'asc' }
})
return NextResponse.json({
success: true,
data: labels
})
} catch (error) {
console.error('Error fetching labels:', error)
return NextResponse.json(
{ success: false, error: 'Failed to fetch labels' },
{ status: 500 }
)
}
}
// POST /api/labels - Create a new label
export async function POST(request: NextRequest) {
const session = await auth();
if (!session?.user?.id) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}
try {
const body = await request.json()
const { name, color, notebookId } = body
if (!name || typeof name !== 'string') {
return NextResponse.json(
{ success: false, error: 'Label name is required' },
{ status: 400 }
)
}
if (!notebookId || typeof notebookId !== 'string') {
return NextResponse.json(
{ success: false, error: 'notebookId is required' },
{ status: 400 }
)
}
// Verify notebook ownership
const notebook = await prisma.notebook.findUnique({
where: { id: notebookId },
select: { userId: true }
})
if (!notebook || notebook.userId !== session.user.id) {
return NextResponse.json(
{ success: false, error: 'Notebook not found or unauthorized' },
{ status: 403 }
)
}
// Check if label already exists in this notebook
const existing = await prisma.label.findFirst({
where: {
name: name.trim(),
notebookId: notebookId
}
})
if (existing) {
return NextResponse.json(
{ success: false, error: 'Label already exists in this notebook' },
{ status: 409 }
)
}
const label = await prisma.label.create({
data: {
name: name.trim(),
color: color || COLORS[Math.floor(Math.random() * COLORS.length)],
notebookId: notebookId,
userId: session.user.id // Keep for backward compatibility
}
})
return NextResponse.json({
success: true,
data: label
}, { status: 201 })
} catch (error) {
console.error('Error creating label:', error)
return NextResponse.json(
{ success: false, error: 'Failed to create label' },
{ status: 500 }
)
}
}