From 970bea255f50760be02271a58be3aa54da8746d5 Mon Sep 17 00:00:00 2001
From: TZGyn
Date: Sat, 4 Feb 2023 20:39:23 +0800
Subject: [PATCH] only show notes under request user's id

---
 server/api/note.get.ts | 11 +++++++++--
 server/api/note/new.ts | 1 +
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/server/api/note.get.ts b/server/api/note.get.ts
index 47c0666..5da9ef4 100644
--- a/server/api/note.get.ts
+++ b/server/api/note.get.ts
@@ -13,7 +13,14 @@ export default defineEventHandler(async (event) => {
 const { data: note, error } = await supabase
 .from('notes')
 .select('*')
- .eq('id', query.id);
+ .eq('id', query.id)
+ .eq('user_id', user.id)
+ .limit(1)
+ .single();
 
- return { note: note ? note[0] : null, error: error };
+ if (!note) {
+ throw createError({ statusCode: 500, message: 'No note found' });
+ }
+
+ return { note: note, error: error };
 });
diff --git a/server/api/note/new.ts b/server/api/note/new.ts
index 74138a6..debf202 100644
--- a/server/api/note/new.ts
+++ b/server/api/note/new.ts
@@ -16,6 +16,7 @@ export default defineEventHandler(async (event) => {
 const { data: note, error: fetchError } = await supabase
 .from('notes')
 .select('id')
+ .eq('user_id', user.id)
 .order('created_at', { ascending: false })
 .limit(1)
 .single();
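Review bot: A note that is missing or owned by another user is reported as a server error, because the new `if (!note)` branch in `server/api/note.get.ts` throws `statusCode: 500`; ownership misses then look the same as real database failures in logs and alerting. Returning one response for both "absent" and "not yours" is right, since it does not reveal whether an id exists, but it should be a 404: `throw createError({ statusCode: 404, message: 'No note found' });`. The new filter dereferences `user.id` with no guard visible in the hunk; the handler starts outside it, so confirm that an unauthenticated request is rejected with a 401 before this query runs. If the `supabase` client here is created with a service-role key, `.eq('user_id', user.id)` is the only ownership check on this path, and a row-level security policy on `notes` would be a sensible backstop.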
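Review bot: A user who has no notes yet makes this query in `server/api/note/new.ts` match zero rows, and `.single()` reports that as an error rather than a null row, so `fetchError` will be set on that user's first request now that the lookup is scoped by `.eq('user_id', user.id)`. How `fetchError` is handled is outside the hunk; if it aborts the request, a new account cannot create its first note. `.maybeSingle()` returns `data: null` with no error for the empty case and still errors on multiple rows. The `.single()` call added in `server/api/note.get.ts` behaves the same way, which is why a not-found note there arrives together with a populated `error`.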