Default to current time in list endpoint

regalijan · Oct 19, 2023 · e5dc359 · e5dc359
1 parent bd95bb2
commit e5dc359
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/functions/api/mod-queue/list.ts b/functions/api/mod-queue/list.ts
@@ -1,6 +1,6 @@
 export async function onRequestGet(context: RequestContext) {
   const { searchParams } = new URL(context.request.url);
-  const before = parseInt(searchParams.get("before") || "0");
+  const before = parseInt(searchParams.get("before") || `${Date.now()}`);
   const entryType = searchParams.get("type");
   const showClosed = searchParams.get("showClosed") === "true";
   const tables: { [k: string]: string } = {
@@ -47,11 +47,17 @@ export async function onRequestGet(context: RequestContext) {
   const prefix = types[entryType];
   const table = tables[entryType];
   const items = [];
+  console.log(!showClosed)
   const { results }: { results?: { created_at: number; id: string }[] } =
+    /*
+      This is normally VERY BAD and can lead to injection attacks
+      However, there is no other way to do this, as using bindings for table names is unsupported apparently
+      To avoid any potential injection attacks we enforce a list of specific values and permissions for table names
+    */
     await context.env.D1.prepare(
-      "SELECT created_at, id FROM ? WHERE created_at < ? AND open = ? ORDER BY created_at DESC LIMIT 25;"
+      `SELECT id FROM ${table} WHERE created_at < ? AND open = ? ORDER BY created_at DESC LIMIT 25;`
     )
-      .bind(table, before, Number(showClosed))
+      .bind(before, Number(!showClosed))
       .all();
 
   if (results)