fix: issues found in security audit (#1668)

packages/api/src/router/widgets/dns-hole.ts

@@ -10,7 +10,7 @@ import { controlsInputSchema } from "@homarr/integrations/types";
 import { dnsHoleRequestHandler } from "@homarr/request-handler/dns-hole";
 
 import { createManyIntegrationMiddleware, createOneIntegrationMiddleware } from "../../middlewares/integration";
-import { createTRPCRouter, publicProcedure } from "../../trpc";
+import { createTRPCRouter, protectedProcedure, publicProcedure } from "../../trpc";
 
 export const dnsHoleRouter = createTRPCRouter({
   summary: publicProcedure
@@ -62,7 +62,7 @@ export const dnsHoleRouter = createTRPCRouter({
       });
     }),
 
-  enable: publicProcedure
+  enable: protectedProcedure
     .unstable_concat(createOneIntegrationMiddleware("interact", ...getIntegrationKindsByCategory("dnsHole")))
     .mutation(async ({ ctx: { integration } }) => {
       const client = integrationCreator(integration);
@@ -75,7 +75,7 @@ export const dnsHoleRouter = createTRPCRouter({
       });
     }),
 
-  disable: publicProcedure
+  disable: protectedProcedure
     .input(controlsInputSchema)
     .unstable_concat(createOneIntegrationMiddleware("interact", ...getIntegrationKindsByCategory("dnsHole")))
     .mutation(async ({ ctx: { integration }, input }) => {

packages/api/src/router/widgets/indexer-manager.ts

@@ -9,7 +9,7 @@ import { indexerManagerRequestHandler } from "@homarr/request-handler/indexer-ma
 
 import type { IntegrationAction } from "../../middlewares/integration";
 import { createManyIntegrationMiddleware } from "../../middlewares/integration";
-import { createTRPCRouter, publicProcedure } from "../../trpc";
+import { createTRPCRouter, protectedProcedure, publicProcedure } from "../../trpc";
 
 const createIndexerManagerIntegrationMiddleware = (action: IntegrationAction) =>
   createManyIntegrationMiddleware(action, ...getIntegrationKindsByCategory("indexerManager"));
@@ -54,7 +54,7 @@ export const indexerManagerRouter = createTRPCRouter({
         };
       });
     }),
-  testAllIndexers: publicProcedure
+  testAllIndexers: protectedProcedure
     .unstable_concat(createIndexerManagerIntegrationMiddleware("interact"))
     .mutation(async ({ ctx }) => {
       await Promise.all(

packages/api/src/router/widgets/notebook.ts

@@ -5,10 +5,10 @@ import { eq } from "@homarr/db";
 import { items } from "@homarr/db/schema/sqlite";
 import { z } from "@homarr/validation";
 
-import { createTRPCRouter, publicProcedure } from "../../trpc";
+import { createTRPCRouter, protectedProcedure } from "../../trpc";
 
 export const notebookRouter = createTRPCRouter({
-  updateContent: publicProcedure
+  updateContent: protectedProcedure
     .input(
       z.object({
         itemId: z.string(),

packages/api/src/router/widgets/smart-home.ts

@@ -7,7 +7,7 @@ import { z } from "@homarr/validation";
 
 import type { IntegrationAction } from "../../middlewares/integration";
 import { createOneIntegrationMiddleware } from "../../middlewares/integration";
-import { createTRPCRouter, publicProcedure } from "../../trpc";
+import { createTRPCRouter, protectedProcedure, publicProcedure } from "../../trpc";
 
 const createSmartHomeIntegrationMiddleware = (action: IntegrationAction) =>
   createOneIntegrationMiddleware(action, ...getIntegrationKindsByCategory("smartHomeServer"));
@@ -41,7 +41,7 @@ export const smartHomeRouter = createTRPCRouter({
         };
       });
     }),
-  switchEntity: publicProcedure
+  switchEntity: protectedProcedure
     .unstable_concat(createSmartHomeIntegrationMiddleware("interact"))
     .input(z.object({ entityId: z.string() }))
     .mutation(async ({ ctx: { integration }, input }) => {
@@ -53,7 +53,7 @@ export const smartHomeRouter = createTRPCRouter({
 
       return success;
     }),
-  executeAutomation: publicProcedure
+  executeAutomation: protectedProcedure
     .unstable_concat(createSmartHomeIntegrationMiddleware("interact"))
     .input(z.object({ automationId: z.string() }))
     .mutation(async ({ ctx: { integration }, input }) => {