2 files changed, 22 insertions, 9 deletions

diff --git a/src/routes/api/badges/+server.ts b/src/routes/api/badges/+server.ts
index 2673273c..10b63125 100644
--- a/src/routes/api/badges/+server.ts
+++ b/src/routes/api/badges/+server.ts
@@ -16,6 +16,7 @@ import {
 import { decodeAuthCookieOrNull } from "$lib/Effect/authCookie";
 import { decodeRequestJsonOrThrow } from "$lib/Effect/requestBody";
 import { appOrigin, appOriginHeaders } from "$lib/Utility/appOrigin";
+import { isOwnerOrPrivileged } from "$lib/Utility/authorisation";
 import privilegedUser from "$lib/Utility/privilegedUser";
 
 const unauthorised = () => new Response("Unauthorised", { status: 401 });
@@ -76,11 +77,14 @@ export const PUT = async ({ cookies, url, request }) => {
 	if (!identity) return unauthorised();
 	const authorised = privilegedUser(identity.id);
 
-	if (url.searchParams.get("shadowHide"))
-		await setShadowHidden(
-			Number(url.searchParams.get("shadowHide")),
-			authorised,
-		);
+	if (url.searchParams.get("shadowHide")) {
+		const targetUserId = Number(url.searchParams.get("shadowHide"));
+
+		if (!isOwnerOrPrivileged(identity.id, targetUserId, authorised))
+			return unauthorised();
+
+		await setShadowHidden(targetUserId, authorised);
+	}
 
 	if (url.searchParams.get("import") || undefined) {
 		const importedBadges = await decodeRequestJsonOrThrow(
diff --git a/src/routes/api/notifications/subscribe/+server.ts b/src/routes/api/notifications/subscribe/+server.ts
index 51dbf340..b1913e5d 100644
--- a/src/routes/api/notifications/subscribe/+server.ts
+++ b/src/routes/api/notifications/subscribe/+server.ts
@@ -3,6 +3,7 @@ import { safeUserIdentity } from "$lib/Data/AniList/identity";
 import { setUserSubscription } from "$lib/Database/SB/User/notifications";
 import { decodeAuthCookieOrNull } from "$lib/Effect/authCookie";
 import { decodeRequestJsonOrThrow } from "$lib/Effect/requestBody";
+import { isAllowedPushEndpoint } from "$lib/Utility/pushEndpoint";
 
 const unauthorised = new Response("Unauthorised", { status: 401 });
 
@@ -20,12 +21,20 @@ export const POST = async ({ cookies, request, url }) => {
 
 	if (!userId) return unauthorised;
 
+	const subscription = await decodeRequestJsonOrThrow(
+		request,
+		Schema.Record(Schema.String, Schema.Unknown),
+	);
+
+	if (
+		typeof subscription.endpoint !== "string" ||
+		!isAllowedPushEndpoint(subscription.endpoint)
+	)
+		return new Response("Invalid push endpoint", { status: 400 });
+
 	await setUserSubscription(
 		userId,
-		(await decodeRequestJsonOrThrow(
-			request,
-			Schema.Record(Schema.String, Schema.Unknown),
-		)) as unknown as JSON,
+		subscription as unknown as JSON,
 		fingerprint,
 	);