require accountId for all authenticated queries

Author: ryanflorence

app/routes/board.$id/queries.ts

@@ -2,14 +2,15 @@ import { prisma } from "~/db/prisma";
 
 import { ItemMutation } from "./types";
 
-export function deleteCard(id: string) {
-  return prisma.item.delete({ where: { id } });
+export function deleteCard(id: string, accountId: string) {
+  return prisma.item.delete({ where: { id, Board: { accountId } } });
 }
 
-export async function getBoardData(boardId: number) {
+export async function getBoardData(boardId: number, accountId: string) {
   return prisma.board.findUnique({
     where: {
       id: boardId,
+      accountId: accountId,
     },
     include: {
       items: true,
@@ -18,31 +19,52 @@ export async function getBoardData(boardId: number) {
   });
 }
 
-export async function updateBoardName(boardId: number, name: string) {
+export async function updateBoardName(
+  boardId: number,
+  name: string,
+  accountId: string,
+) {
   return prisma.board.update({
-    where: { id: boardId },
+    where: { id: boardId, accountId: accountId },
     data: { name },
   });
 }
 
-export function upsertItem(mutation: ItemMutation & { boardId: number }) {
+export function upsertItem(
+  mutation: ItemMutation & { boardId: number },
+  accountId: string,
+) {
   return prisma.item.upsert({
-    where: { id: mutation.id },
+    where: {
+      id: mutation.id,
+      Board: {
+        accountId,
+      },
+    },
     create: mutation,
     update: mutation,
   });
 }
 
-export async function updateColumnName(id: string, name: string) {
+export async function updateColumnName(
+  id: string,
+  name: string,
+  accountId: string,
+) {
   return prisma.column.update({
-    where: { id },
+    where: { id, Board: { accountId } },
     data: { name },
   });
 }
 
-export async function createColumn(boardId: number, name: string, id: string) {
+export async function createColumn(
+  boardId: number,
+  name: string,
+  id: string,
+  accountId: string,
+) {
   let columnCount = await prisma.column.count({
-    where: { boardId },
+    where: { boardId, Board: { accountId } },
   });
   return prisma.column.create({
     data: {

app/routes/board.$id/route.tsx

@@ -18,12 +18,12 @@ import {
 import { Board } from "./board";
 
 export async function loader({ request, params }: LoaderFunctionArgs) {
-  await requireAuthCookie(request);
+  let accountId = await requireAuthCookie(request);
 
   invariant(params.id, "Missing board ID");
   let id = Number(params.id);
 
-  let board = await getBoardData(id);
+  let board = await getBoardData(id, accountId);
   if (!board) throw notFound();
 
   return { board };
@@ -36,6 +36,7 @@ export const meta: MetaFunction<typeof loader> = ({ data }) => {
 export { Board as default };
 
 export async function action({ request, params }: ActionFunctionArgs) {
+  let accountId = await requireAuthCookie(request);
   let boardId = Number(params.id);
   invariant(boardId, "Missing boardId");
 
@@ -47,32 +48,32 @@ export async function action({ request, params }: ActionFunctionArgs) {
   switch (intent) {
     case INTENTS.deleteCard: {
       let id = String(formData.get("itemId") || "");
-      await deleteCard(id);
+      await deleteCard(id, accountId);
       break;
     }
     case INTENTS.updateBoardName: {
       let name = String(formData.get("name") || "");
       invariant(name, "Missing name");
-      await updateBoardName(boardId, name);
+      await updateBoardName(boardId, name, accountId);
       break;
     }
     case INTENTS.moveItem:
     case INTENTS.createItem: {
       let mutation = parseItemMutation(formData);
-      await upsertItem({ ...mutation, boardId });
+      await upsertItem({ ...mutation, boardId }, accountId);
       break;
     }
     case INTENTS.createColumn: {
       let { name, id } = Object.fromEntries(formData);
       invariant(name, "Missing name");
       invariant(id, "Missing id");
-      await createColumn(boardId, String(name), String(id));
+      await createColumn(boardId, String(name), String(id), accountId);
       break;
     }
     case INTENTS.updateColumn: {
       let { name, columnId } = Object.fromEntries(formData);
       if (!name || !columnId) throw badRequest("Missing name or columnId");
-      await updateColumnName(String(columnId), String(name));
+      await updateColumnName(String(columnId), String(name), accountId);
       break;
     }
     default: {

app/routes/home/queries.ts

@@ -1,8 +1,8 @@
 import { prisma } from "~/db/prisma";
 
-export async function deleteBoard(boardId: number) {
+export async function deleteBoard(boardId: number, accountId: string) {
   return prisma.board.delete({
-    where: { id: boardId },
+    where: { id: boardId, accountId },
   });
 }
 

app/routes/home/route.tsx

@@ -32,21 +32,21 @@ export async function loader({ request }: LoaderFunctionArgs) {
 }
 
 export async function action({ request }: ActionFunctionArgs) {
-  let userId = await requireAuthCookie(request);
+  let accountId = await requireAuthCookie(request);
   let formData = await request.formData();
   let intent = String(formData.get("intent"));
   switch (intent) {
     case INTENTS.createBoard: {
       let name = String(formData.get("name") || "");
       let color = String(formData.get("color") || "");
       if (!name) throw badRequest("Bad request");
-      let board = await createBoard(userId, name, color);
+      let board = await createBoard(accountId, name, color);
       return redirect(`/board/${board.id}`);
     }
     case INTENTS.deleteBoard: {
       let boardId = formData.get("boardId");
       if (!boardId) throw badRequest("Missing boardId");
-      await deleteBoard(Number(boardId));
+      await deleteBoard(Number(boardId), accountId);
       return { ok: true };
     }
     default: {