💡 Codex Review
Here are some automated review suggestions for this pull request.
```ts
export async function POST(request: Request) {
  const secretKey = process.env.MAGIC_SECRET_KEY

  if (!secretKey) {
    return NextResponse.json(
      {
        error:
          'Magic secret key is not configured. Set MAGIC_SECRET_KEY in your environment.',
      },
      { status: 500 },
    )
  }

  let body: unknown

  try {
    body = await request.json()
  } catch {
    return NextResponse.json({ error: 'Invalid JSON body.' }, { status: 400 })
  }

  if (isBatchRequest(body)) {
    if (body.providers.length === 0) {
      return NextResponse.json(
        { error: 'At least one provider payload is required.' },
        { status: 400 },
      )
    }

    const batchResult = await registerMagicProvidersBatch(
      secretKey,
      body.providers,
      body.shared_audience,
    )

    if (!batchResult.success) {
      const status = 'details' in batchResult ? 400 : 502
      return NextResponse.json(batchResult, { status })
    }

    return NextResponse.json(batchResult)
  }

  if (!body || typeof body !== 'object') {
    return invalidBodyResponse()
  }

  const payload = sanitizeProviderPayload(body as MagicProviderPayload)
  const missingFields = findMissingFields(payload)

  if (missingFields.length > 0) {
    return NextResponse.json(
      {
        error: `Missing required field${missingFields.length > 1 ? 's' : ''}: ${missingFields.join(', ')}`,
      },
      { status: 400 },
    )
  }

  const result = await registerMagicProvider(secretKey, payload)

  if (!result.success) {
    return NextResponse.json(
      {
        error: result.error,
        details: result.details,
      },
      { status: result.status },
    )
  }

  return NextResponse.json({ success: true, provider: result.provider })
```
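Review bot: nothing in this handler checks who the caller is before `process.env.MAGIC_SECRET_KEY` is read and passed to `registerMagicProvidersBatch` / `registerMagicProvider`, and both failure paths then hand the upstream outcome back to that caller unchanged: the batch branch returns `batchResult` itself with a 400/502 picked only by whether a `details` key exists, and the single-provider branch forwards `result.status`, `result.error` and `result.details` verbatim. An anonymous client can therefore both drive Magic Admin API calls with the project's key and read back what the upstream says about them. Suggest an authorization check as the first statement of `POST`, and a fixed client-facing body (for example `{ error: 'Provider registration failed.' }`) with the upstream `details` logged server-side rather than returned. Also worth noting that the `isBatchRequest(body)` branch runs before the `!body || typeof body !== 'object'` guard, so `isBatchRequest` must itself reject null and non-object input for `body.providers` to be safe to dereference.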
Protect Magic provider registration endpoint
The /api/magic/provider POST handler registers Magic OIDC providers using the project’s secret key but never verifies that the caller is authenticated or authorized. Because the route is exported as a public API, any external user can supply arbitrary provider details and the server will create them via registerMagicProvider/registerMagicProvidersBatch, enabling unauthorized configuration changes or key abuse. Guard the endpoint with an admin-only check (e.g., Supabase session validation or an internal token) before invoking the Magic Admin API.
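One way to implement the admin-only guard the review above asks for, using the internal-token option it mentions. This is an added example and not code from the PR or the project: the env var name `MAGIC_ADMIN_TOKEN`, the helper names `requireAdmin`, `tokenMatches` and `bearerToken`, and the use of a bearer header are all assumptions. It uses the standard `Request`/`Response` types that Next.js route handlers accept, so it runs without `next/server`.

```typescript
import { createHash, timingSafeEqual } from 'node:crypto'

// Hypothetical env var name for this example; the project would pick its own.
const ADMIN_TOKEN_ENV = 'MAGIC_ADMIN_TOKEN'

function json(body: unknown, status: number): Response {
  return new Response(JSON.stringify(body), {
    status,
    headers: { 'content-type': 'application/json' },
  })
}

// Compare the presented token with the configured one in constant time.
// Both sides are hashed first so the buffers have equal length, which
// timingSafeEqual requires, and so a length mismatch cannot short-circuit.
export function tokenMatches(presented: string | null, expected: string): boolean {
  if (presented === null || presented.length === 0) return false
  const a = createHash('sha256').update(presented).digest()
  const b = createHash('sha256').update(expected).digest()
  return timingSafeEqual(a, b)
}

// Extract the token from "Authorization: Bearer <token>", or null if the
// header is missing, uses another scheme, or carries extra fields.
export function bearerToken(request: Request): string | null {
  const header = request.headers.get('authorization')
  if (!header) return null
  const [scheme, token, ...rest] = header.trim().split(/\s+/)
  if (scheme?.toLowerCase() !== 'bearer' || !token || rest.length > 0) return null
  return token
}

// Returns null when the caller is allowed, otherwise the error Response to send.
// A missing token is a deployment mistake and fails closed with 500 rather than
// letting traffic through; a wrong or absent header is a plain 401.
export function requireAdmin(
  request: Request,
  env: Record<string, string | undefined> = process.env,
): Response | null {
  const expected = env[ADMIN_TOKEN_ENV]
  if (!expected) {
    return json({ error: `Admin token is not configured. Set ${ADMIN_TOKEN_ENV}.` }, 500)
  }
  if (!tokenMatches(bearerToken(request), expected)) {
    return json({ error: 'Unauthorized.' }, 401)
  }
  return null
}

// Shape of the guarded handler: deny before the secret key or body is touched.
export async function POST(request: Request): Promise<Response> {
  const denied = requireAdmin(request)
  if (denied) return denied
  // ...the PR's existing body parsing and registerMagicProvider calls go here...
  return json({ success: true }, 200)
}
```

The guard runs before `process.env.MAGIC_SECRET_KEY` is read, so an unauthenticated request never reaches the Magic Admin API. The token should be a long random value generated once and sent only over TLS; if the project prefers the Supabase-session route the review also mentions, `tokenMatches` is the piece to swap for a session lookup that checks an admin role, with the rest of `requireAdmin` unchanged.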
Summary
/api/magic/wallet route to accept provider_id and user_jwt then mint or fetch the wallet from Magic
Testing
https://chatgpt.com/codex/tasks/task_e_690a574cbdd8832fbb5830e3d9f05061