12 files changed, 78 insertions, 57 deletions

diff --git a/src/lib/Database/SB/User/badges.ts b/src/lib/Database/SB/User/badges.ts
index 5d7d4899..026ca98f 100644
--- a/src/lib/Database/SB/User/badges.ts
+++ b/src/lib/Database/SB/User/badges.ts
@@ -1,5 +1,5 @@
 import { databaseTimeToDate } from "$lib/Utility/time";
-import sb from "../../sb";
+import sb from "../../sb.server";
 
 export interface Badge {
 	id: number;
@@ -87,7 +87,7 @@ export const addUserBadge = async (userId: number, badge: BadgeInput) => {
 };
 
 export const removeUserBadge = async (userId: number, id: number) => {
-	if (!isNaN(id))
+	if (!Number.isNaN(id))
 		await sb.from("user_badges").delete().eq("id", id).eq("user_id", userId);
 };
 
diff --git a/src/lib/Database/SB/User/configuration.ts b/src/lib/Database/SB/User/configuration.ts
index 6007e41b..09c74c6c 100644
--- a/src/lib/Database/SB/User/configuration.ts
+++ b/src/lib/Database/SB/User/configuration.ts
@@ -1,4 +1,4 @@
-import sb from "../../sb";
+import sb from "../../sb.server";
 
 interface UserConfiguration {
 	user_id: number;
diff --git a/src/lib/Database/SB/User/notifications.ts b/src/lib/Database/SB/User/notifications.ts
index 75dd5941..058171a9 100644
--- a/src/lib/Database/SB/User/notifications.ts
+++ b/src/lib/Database/SB/User/notifications.ts
@@ -1,4 +1,4 @@
-import sb from "../../sb";
+import sb from "../../sb.server";
 
 export interface UserNotifications {
 	created_at: string;
diff --git a/src/lib/Database/SB/User/preferences.ts b/src/lib/Database/SB/User/preferences.ts
index f0a49397..fcffbff2 100644
--- a/src/lib/Database/SB/User/preferences.ts
+++ b/src/lib/Database/SB/User/preferences.ts
@@ -1,4 +1,4 @@
-import sb from "../../sb";
+import sb from "../../sb.server";
 
 export interface UserPreferences {
 	created_at: string;
diff --git a/src/lib/Database/SB/badges.ts b/src/lib/Database/SB/badges.ts
index a287f01b..79a05d3d 100644
--- a/src/lib/Database/SB/badges.ts
+++ b/src/lib/Database/SB/badges.ts
@@ -1,4 +1,4 @@
-import sb from "../sb";
+import sb from "../sb.server";
 
 interface Badge {
 	id: number;
diff --git a/src/lib/Database/SB/events.ts b/src/lib/Database/SB/events.ts
index de213185..f386391c 100644
--- a/src/lib/Database/SB/events.ts
+++ b/src/lib/Database/SB/events.ts
@@ -1,5 +1,5 @@
 import type { Group } from "$lib/Database/SB/groups";
-import sb from "../sb";
+import sb from "../sb.server";
 
 export interface Event {
 	id: number;
diff --git a/src/lib/Database/SB/groups.ts b/src/lib/Database/SB/groups.ts
index 8cecb08f..4ff0d316 100644
--- a/src/lib/Database/SB/groups.ts
+++ b/src/lib/Database/SB/groups.ts
@@ -1,4 +1,4 @@
-import sb from "../sb";
+import sb from "../sb.server";
 
 export interface Group {
 	id: number;
diff --git a/src/lib/Database/sb.server.ts b/src/lib/Database/sb.server.ts
new file mode 100644
index 00000000..f380f98f
--- /dev/null
+++ b/src/lib/Database/sb.server.ts
@@ -0,0 +1,11 @@
+import { createClient } from "@supabase/supabase-js";
+import { SUPABASE_SERVICE_ROLE_KEY, SUPABASE_URL } from "$env/static/private";
+
+const sb = createClient(SUPABASE_URL, SUPABASE_SERVICE_ROLE_KEY, {
+	auth: {
+		autoRefreshToken: false,
+		persistSession: false,
+	},
+});
+
+export default sb;
diff --git a/src/lib/Database/sb.ts b/src/lib/Database/sb.ts
deleted file mode 100644
index d5b39a98..00000000
--- a/src/lib/Database/sb.ts
+++ /dev/null
@@ -1,6 +0,0 @@
-import { createClient } from "@supabase/supabase-js";
-import { SUPABASE_URL, SUPABASE_ANON_KEY } from "$env/static/private";
-
-const sb = createClient(SUPABASE_URL, SUPABASE_ANON_KEY);
-
-export default sb;
diff --git a/src/routes/api/configuration/+server.ts b/src/routes/api/configuration/+server.ts
index aa1b0bcf..786e8333 100644
--- a/src/routes/api/configuration/+server.ts
+++ b/src/routes/api/configuration/+server.ts
@@ -1,33 +1,44 @@
+import { Schema } from "effect";
 import { userIdentity } from "$lib/Data/AniList/identity";
-import { decodeAuthCookieOrThrow } from "$lib/Effect/authCookie";
-import { decodeRequestJsonOrThrow } from "$lib/Effect/requestBody";
 import {
 	deleteUserConfiguration,
 	getUserConfiguration,
 	setUserConfiguration,
 } from "$lib/Database/SB/User/configuration";
+import { decodeAuthCookieOrThrow } from "$lib/Effect/authCookie";
+import { decodeRequestJsonOrThrow } from "$lib/Effect/requestBody";
 import { appOriginHeaders } from "$lib/Utility/appOrigin";
-import { Schema } from "effect";
 
 const unauthorised = new Response("Unauthorised", { status: 401 });
 
-export const GET = async ({ url }) =>
-	Response.json(
-		await getUserConfiguration(Number(url.searchParams.get("id") || 0)),
-		{
-			headers: appOriginHeaders(),
-		},
-	);
-
-export const PUT = async ({ cookies, request }) => {
+const authenticatedUserId = async (cookies: {
+	get: (name: string) => string | undefined;
+}) => {
 	const userCookie = cookies.get("user");
 
-	if (!userCookie) return unauthorised;
+	if (!userCookie) return null;
+
+	return (await userIdentity(decodeAuthCookieOrThrow(userCookie))).id;
+};
 
-	const user = decodeAuthCookieOrThrow(userCookie);
+export const GET = async ({ cookies, url }) => {
+	const userId = await authenticatedUserId(cookies);
+	const requestedUserId = Number(url.searchParams.get("id") || 0);
+
+	if (!userId || requestedUserId !== userId) return unauthorised;
+
+	return Response.json(await getUserConfiguration(requestedUserId), {
+		headers: appOriginHeaders(),
+	});
+};
+
+export const PUT = async ({ cookies, request }) => {
+	const userId = await authenticatedUserId(cookies);
+
+	if (!userId) return unauthorised;
 
 	return Response.json(
-		await setUserConfiguration((await userIdentity(user)).id, {
+		await setUserConfiguration(userId, {
 			configuration: await decodeRequestJsonOrThrow(
 				request,
 				Schema.Record(Schema.String, Schema.Unknown),
@@ -40,16 +51,11 @@ export const PUT = async ({ cookies, request }) => {
 };
 
 export const DELETE = async ({ cookies }) => {
-	const userCookie = cookies.get("user");
+	const userId = await authenticatedUserId(cookies);
 
-	if (!userCookie) return unauthorised;
+	if (!userId) return unauthorised;
 
-	const user = decodeAuthCookieOrThrow(userCookie);
-
-	return Response.json(
-		await deleteUserConfiguration((await userIdentity(user)).id),
-		{
-			headers: appOriginHeaders(),
-		},
-	);
+	return Response.json(await deleteUserConfiguration(userId), {
+		headers: appOriginHeaders(),
+	});
 };
diff --git a/src/routes/api/preferences/+server.ts b/src/routes/api/preferences/+server.ts
index d6db364f..8e269028 100644
--- a/src/routes/api/preferences/+server.ts
+++ b/src/routes/api/preferences/+server.ts
@@ -1,24 +1,37 @@
+import { Schema } from "effect";
 import { userIdentity } from "$lib/Data/AniList/identity";
-import { decodeAuthCookieOrThrow } from "$lib/Effect/authCookie";
-import { decodeRequestJsonOrThrow } from "$lib/Effect/requestBody";
 import {
 	getUserPreferences,
-	toggleHideMissingBadges,
-	setCSS,
 	setBiography,
+	setCSS,
+	setPinnedBadgeWallCategories,
 	toggleHideAWCBadges,
+	toggleHideMissingBadges,
 	togglePinnedBadgeWallCategory,
-	setPinnedBadgeWallCategories,
 } from "$lib/Database/SB/User/preferences";
+import { decodeAuthCookieOrThrow } from "$lib/Effect/authCookie";
+import { decodeRequestJsonOrThrow } from "$lib/Effect/requestBody";
 import { appOriginHeaders } from "$lib/Utility/appOrigin";
-import { Schema } from "effect";
 
 const unauthorised = new Response("Unauthorised", { status: 401 });
 
-export const GET = async ({ url }) => {
-	const preferences = await getUserPreferences(
-		Number(url.searchParams.get("id") || 0),
-	);
+const authenticatedUserId = async (cookies: {
+	get: (name: string) => string | undefined;
+}) => {
+	const userCookie = cookies.get("user");
+
+	if (!userCookie) return null;
+
+	return (await userIdentity(decodeAuthCookieOrThrow(userCookie))).id;
+};
+
+export const GET = async ({ cookies, url }) => {
+	const userId = await authenticatedUserId(cookies);
+	const requestedUserId = Number(url.searchParams.get("id") || 0);
+
+	if (!userId || requestedUserId !== userId) return unauthorised;
+
+	const preferences = await getUserPreferences(requestedUserId);
 
 	return Response.json(preferences ? preferences : {}, {
 		headers: appOriginHeaders(),
@@ -26,12 +39,9 @@ export const GET = async ({ url }) => {
 };
 
 export const PUT = async ({ url, cookies, request }) => {
-	const userCookie = cookies.get("user");
-
-	if (!userCookie) return unauthorised;
+	const userId = await authenticatedUserId(cookies);
 
-	const user = decodeAuthCookieOrThrow(userCookie);
-	const userId = (await userIdentity(user)).id;
+	if (!userId) return unauthorised;
 
 	if (url.searchParams.get("toggleHideMissingBadges") !== null)
 		return Response.json(await toggleHideMissingBadges(userId), {
diff --git a/src/trigger/notifications.ts b/src/trigger/notifications.ts
index ae3c206c..8a16624c 100644
--- a/src/trigger/notifications.ts
+++ b/src/trigger/notifications.ts
@@ -1,6 +1,6 @@
+import { createClient } from "@supabase/supabase-js";
 import { envvars, schedules } from "@trigger.dev/sdk";
 import * as webpush from "web-push";
-import { createClient } from "@supabase/supabase-js";
 
 export const notificationsTask = schedules.task({
 	id: "notifications",
@@ -20,7 +20,7 @@ export const notificationsTask = schedules.task({
 					await envvars.retrieve(
 						triggerProjectReference,
 						environment,
-						"SUPABASE_ANON_KEY",
+						"SUPABASE_SERVICE_ROLE_KEY",
 					)
 				).value,
 			)
@@ -58,7 +58,7 @@ export const notificationsTask = schedules.task({
 
 		for (const subscription of await getUserSubscriptions())
 			try {
-				await webpush.sendNotification(subscription["subscription"], ".");
+				await webpush.sendNotification(subscription.subscription, ".");
 			} catch (error) {
 				console.error(error);
 			}