feature(locksmith): Update access control for checkoutConfigs

locksmith/src/controllers/v2/checkoutController.ts

@@ -34,13 +34,20 @@ export const createOrUpdateCheckoutConfig: RequestHandler = async (
       createdBy: request.user!.walletAddress,
     })
 
+    if (!createdConfig) {
+      return response.status(403).send({
+        message:
+          'Unauthorized: You do not have permission to create or update this configuration.',
+      })
+    }
+
     return response.status(200).send({
-      id: createdConfig.id,
-      by: createdConfig.createdBy,
-      name: createdConfig.name,
-      config: createdConfig.config,
-      updatedAt: createdConfig.updatedAt.toISOString(),
-      createdAt: createdConfig.createdAt.toISOString(),
+      id: createdConfig?.id,
+      by: createdConfig?.createdBy,
+      name: createdConfig?.name,
+      config: createdConfig?.config,
+      updatedAt: createdConfig?.updatedAt.toISOString(),
+      createdAt: createdConfig?.createdAt.toISOString(),
     })
   } catch (error) {
     console.error('Error creating/updating checkout config:', error)
@@ -113,9 +120,8 @@ export const deleteCheckoutConfig: RequestHandler = async (
   const deleted = await deleteCheckoutConfigOperation(userAddress, id)
 
   if (!deleted) {
-    return response.status(403).send({
-      message:
-        'Unauthorized: You do not have permission to delete this configuration.',
+    return response.status(404).send({
+      message: 'Config not found or you do not have permission to delete it.',
     })
   }
 

locksmith/src/operations/checkoutConfigOperations.ts

@@ -4,8 +4,6 @@ import { PaywallConfig } from '@unlock-protocol/core'
 import { Web3Service } from '@unlock-protocol/unlock-js'
 import networks from '@unlock-protocol/networks'
 
-const web3Service = new Web3Service(networks)
-
 interface SaveCheckoutConfigArgs {
   id?: string
   name: string
@@ -42,6 +40,7 @@ const isLockManager = async (
   userAddress: string,
   network: number
 ): Promise<boolean> => {
+  const web3Service = new Web3Service(networks)
   try {
     return await web3Service.isLockManager(lockAddress, userAddress, network)
   } catch (error) {
@@ -78,7 +77,7 @@ const isUserAuthorized = async (
 /**
  * Creates or updates a checkout configuration
  * @param args - The SaveCheckoutConfigArgs object
- * @returns The created or updated checkout configuration
+ * @returns The created or updated checkout configuration or null if not authorized
  */
 export const saveCheckoutConfig = async ({
   id,
@@ -95,6 +94,17 @@ export const saveCheckoutConfig = async ({
     checkoutConfigData.referrer = createdBy
   }
 
+  // Check if the user is authorized to save/update the config
+  if (id) {
+    const existingConfig = await CheckoutConfig.findOne({ where: { id } })
+    if (
+      existingConfig &&
+      !(await isUserAuthorized(createdBy, existingConfig))
+    ) {
+      return null
+    }
+  }
+
   const [createdConfig] = await CheckoutConfig.upsert(
     {
       id: generatedId,
@@ -133,27 +143,6 @@ export const getCheckoutConfigById = async (id: string) => {
   return null
 }
 
-/**
- * Checks if a user is authorized to manage a specific checkout config
- * @param userAddress - The address of the user
- * @param configId - The ID of the checkout configuration
- * @returns A boolean indicating whether the user is authorized
- */
-export const isAuthorizedToManageConfig = async (
-  userAddress: string,
-  configId: string
-): Promise<boolean> => {
-  const checkoutConfig = await CheckoutConfig.findOne({
-    where: {
-      id: configId,
-    },
-  })
-  if (!checkoutConfig) {
-    return false
-  }
-  return isUserAuthorized(userAddress, checkoutConfig)
-}
-
 export const getCheckoutConfigsByUserOperation = async (
   userAddress: string
 ) => {