[offers][fix] make offers api open to unauthenticated users

apps/portal/src/server/router/offers/offers-comments-router.ts

@@ -1,9 +1,9 @@
 import { z } from 'zod';
 import * as trpc from '@trpc/server';
 
-import { createProtectedRouter } from '../context';
+import { createRouter } from '../context';
 
-export const offersCommentsRouter = createProtectedRouter()
+export const offersCommentsRouter = createRouter()
   .query('getComments', {
     input: z.object({
       profileId: z.string(),
@@ -71,9 +71,19 @@ export const offersCommentsRouter = createProtectedRouter()
       message: z.string(),
       profileId: z.string(),
       replyingToId: z.string().optional(),
-      userId: z.string().optional(),
+      token: z.string().optional(),
+      userId: z.string().optional()
     }),
     async resolve({ ctx, input }) {
+      const profile = await ctx.prisma.offersProfile.findFirst({
+        where: {
+          id: input.profileId,
+        },
+      });
+
+      const profileEditToken = profile?.editToken;
+
+      if (input.token === profileEditToken || input.userId) {
         const createdReply = await ctx.prisma.offersReply.create({
           data: {
             message: input.message,
@@ -135,6 +145,13 @@ export const offersCommentsRouter = createProtectedRouter()
         }
 
         return result;
+    }
+
+    throw new trpc.TRPCError({
+      code: 'UNAUTHORIZED',
+      message: 'Missing userId or wrong token.',
+    });
+
     },
   })
   .mutation('update', {