Request validation for /api/subscriptions.* (#5476)

* chore: req validation for subscriptions.list * chore: req validation for subscriptions.info * chore: req validation for subscriptions.create * chore: req validation for subscriptions.delete * fix: reuse validations
2023-07-03 08:43:45 +05:30
parent 9d4a1965b0
commit 3c2e7b5b63
4 changed files with 84 additions and 56 deletions
--- a/server/routes/api/subscriptions/index.ts
+++ b/server/routes/api/subscriptions/index.ts
@@ -0,0 +1 @@
+export { default } from "./subscriptions";
--- a/server/routes/api/subscriptions/schema.ts
+++ b/server/routes/api/subscriptions/schema.ts
@@ -0,0 +1,44 @@
+import { z } from "zod";
+import { ValidateDocumentId } from "@server/validation";
+import BaseSchema from "../BaseSchema";
+
+export const SubscriptionsListSchema = BaseSchema.extend({
+  body: z.object({
+    documentId: z.string().refine(ValidateDocumentId.isValid, {
+      message: ValidateDocumentId.message,
+    }),
+    event: z.literal("documents.update"),
+  }),
+});
+
+export type SubscriptionsListReq = z.infer<typeof SubscriptionsListSchema>;
+
+export const SubscriptionsInfoSchema = BaseSchema.extend({
+  body: z.object({
+    documentId: z.string().refine(ValidateDocumentId.isValid, {
+      message: ValidateDocumentId.message,
+    }),
+    event: z.literal("documents.update"),
+  }),
+});
+
+export type SubscriptionsInfoReq = z.infer<typeof SubscriptionsInfoSchema>;
+
+export const SubscriptionsCreateSchema = BaseSchema.extend({
+  body: z.object({
+    documentId: z.string().refine(ValidateDocumentId.isValid, {
+      message: ValidateDocumentId.message,
+    }),
+    event: z.literal("documents.update"),
+  }),
+});
+
+export type SubscriptionsCreateReq = z.infer<typeof SubscriptionsCreateSchema>;
+
+export const SubscriptionsDeleteSchema = BaseSchema.extend({
+  body: z.object({
+    id: z.string().uuid(),
+  }),
+});
+
+export type SubscriptionsDeleteReq = z.infer<typeof SubscriptionsDeleteSchema>;
--- a/server/routes/api/subscriptions/subscriptions.test.ts
+++ b/server/routes/api/subscriptions/subscriptions.test.ts
@@ -0,0 +1,697 @@
+import { Event } from "@server/models";
+import {
+  buildUser,
+  buildSubscription,
+  buildDocument,
+} from "@server/test/factories";
+import { getTestServer } from "@server/test/support";
+
+const server = getTestServer();
+
+describe("#subscriptions.create", () => {
+  it("should create a subscription", async () => {
+    const user = await buildUser();
+
+    const document = await buildDocument({
+      userId: user.id,
+      teamId: user.teamId,
+    });
+
+    const res = await server.post("/api/subscriptions.create", {
+      body: {
+        token: user.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.id).toBeDefined();
+    expect(body.data.userId).toEqual(user.id);
+    expect(body.data.documentId).toEqual(document.id);
+  });
+
+  it("should emit event", async () => {
+    const user = await buildUser();
+
+    const document = await buildDocument({
+      userId: user.id,
+      teamId: user.teamId,
+    });
+
+    const res = await server.post("/api/subscriptions.create", {
+      body: {
+        token: user.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.ok).toEqual(true);
+
+    const events = await Event.findAll();
+
+    expect(events.length).toEqual(1);
+    expect(events[0].name).toEqual("subscriptions.create");
+    expect(events[0].actorId).toEqual(user.id);
+    expect(events[0].documentId).toEqual(document.id);
+  });
+
+  it("should not create duplicate subscriptions", async () => {
+    const user = await buildUser();
+
+    const document = await buildDocument({
+      userId: user.id,
+      teamId: user.teamId,
+    });
+
+    // First `subscriptions.create` request.
+    await server.post("/api/subscriptions.create", {
+      body: {
+        token: user.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    // Second `subscriptions.create` request.
+    await server.post("/api/subscriptions.create", {
+      body: {
+        token: user.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    // Third `subscriptions.create` request.
+    await server.post("/api/subscriptions.create", {
+      body: {
+        token: user.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    // List subscriptions associated with
+    // `document.id`
+    const res = await server.post("/api/subscriptions.list", {
+      body: {
+        token: user.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    // Database should only have 1 "enabled" subscription registered.
+    expect(body.data.length).toEqual(1);
+    expect(body.data[0].userId).toEqual(user.id);
+    expect(body.data[0].documentId).toEqual(document.id);
+  });
+
+  it("should not create a subscription on invalid events", async () => {
+    const user = await buildUser();
+
+    const document = await buildDocument({
+      userId: user.id,
+      teamId: user.teamId,
+    });
+
+    const res = await server.post("/api/subscriptions.create", {
+      body: {
+        token: user.getJwtToken(),
+        documentId: document.id,
+        // Subscription on event
+        // that cannot be subscribed to.
+        event: "documents.publish",
+      },
+    });
+
+    const body = await res.json();
+
+    expect(res.status).toEqual(400);
+    expect(body.ok).toEqual(false);
+    expect(body.error).toEqual("validation_error");
+    expect(body.message).toEqual(
+      `event: Invalid literal value, expected "documents.update"`
+    );
+  });
+});
+
+describe("#subscriptions.info", () => {
+  it("should provide info about a subscription", async () => {
+    const creator = await buildUser();
+
+    const subscriber = await buildUser({ teamId: creator.teamId });
+
+    // `creator` creates two documents
+    const document0 = await buildDocument({
+      userId: creator.id,
+      teamId: creator.teamId,
+    });
+
+    const document1 = await buildDocument({
+      userId: creator.id,
+      teamId: creator.teamId,
+    });
+
+    // `subscriber` subscribes to `document0`.
+    await server.post("/api/subscriptions.create", {
+      body: {
+        token: subscriber.getJwtToken(),
+        documentId: document0.id,
+        event: "documents.update",
+      },
+    });
+
+    // `subscriber` subscribes to `document1`.
+    await server.post("/api/subscriptions.create", {
+      body: {
+        token: subscriber.getJwtToken(),
+        documentId: document1.id,
+        event: "documents.update",
+      },
+    });
+
+    // `subscriber` wants info about
+    // their subscription on `document0`.
+    const subscription0 = await server.post("/api/subscriptions.info", {
+      body: {
+        token: subscriber.getJwtToken(),
+        documentId: document0.id,
+        event: "documents.update",
+      },
+    });
+
+    const response0 = await subscription0.json();
+
+    expect(subscription0.status).toEqual(200);
+    expect(response0.data.id).toBeDefined();
+    expect(response0.data.userId).toEqual(subscriber.id);
+    expect(response0.data.documentId).toEqual(document0.id);
+  });
+
+  it("should not allow outsiders to gain info about a subscription", async () => {
+    const creator = await buildUser();
+    const subscriber = await buildUser({ teamId: creator.teamId });
+    // `viewer` is not a part of `creator`'s team.
+    const viewer = await buildUser();
+
+    // `creator` creates two documents
+    const document0 = await buildDocument({
+      userId: creator.id,
+      teamId: creator.teamId,
+    });
+
+    const document1 = await buildDocument({
+      userId: creator.id,
+      teamId: creator.teamId,
+    });
+
+    // `subscriber` subscribes to `document0`.
+    await server.post("/api/subscriptions.create", {
+      body: {
+        token: subscriber.getJwtToken(),
+        documentId: document0.id,
+        event: "documents.update",
+      },
+    });
+
+    // `subscriber` subscribes to `document1`.
+    await server.post("/api/subscriptions.create", {
+      body: {
+        token: subscriber.getJwtToken(),
+        documentId: document1.id,
+        event: "documents.update",
+      },
+    });
+
+    // `viewer` wants info about `subscriber`'s
+    // subscription on `document0`.
+    const subscription0 = await server.post("/api/subscriptions.info", {
+      body: {
+        token: viewer.getJwtToken(),
+        documentId: document0.id,
+        event: "documents.update",
+      },
+    });
+
+    const response0 = await subscription0.json();
+
+    // `viewer` should be unauthorized.
+    expect(subscription0.status).toEqual(403);
+    expect(response0.ok).toEqual(false);
+    expect(response0.error).toEqual("authorization_error");
+    expect(response0.message).toEqual("Authorization error");
+
+    // `viewer` wants info about `subscriber`'s
+    // subscription on `document0`.
+    const subscription1 = await server.post("/api/subscriptions.info", {
+      body: {
+        token: viewer.getJwtToken(),
+        documentId: document1.id,
+        event: "documents.update",
+      },
+    });
+
+    const response1 = await subscription1.json();
+
+    // `viewer` should be unauthorized.
+    expect(subscription1.status).toEqual(403);
+    expect(response1.ok).toEqual(false);
+    expect(response1.error).toEqual("authorization_error");
+    expect(response1.message).toEqual("Authorization error");
+  });
+
+  it("should not provide infomation on invalid events", async () => {
+    const creator = await buildUser();
+
+    const subscriber = await buildUser({ teamId: creator.teamId });
+    // `viewer` is a part of `creator`'s team.
+    const viewer = await buildUser({ teamId: creator.teamId });
+
+    // `creator` creates two documents
+    const document0 = await buildDocument({
+      userId: creator.id,
+      teamId: creator.teamId,
+    });
+
+    const document1 = await buildDocument({
+      userId: creator.id,
+      teamId: creator.teamId,
+    });
+
+    // `subscriber` subscribes to `document0`.
+    await server.post("/api/subscriptions.create", {
+      body: {
+        token: subscriber.getJwtToken(),
+        documentId: document0.id,
+        event: "documents.update",
+      },
+    });
+
+    // `subscriber` subscribes to `document1`.
+    await server.post("/api/subscriptions.create", {
+      body: {
+        token: subscriber.getJwtToken(),
+        documentId: document1.id,
+        event: "documents.update",
+      },
+    });
+
+    // `viewer` wants info about `subscriber`'s
+    // subscription on `document0`.
+    // They have requested an invalid event.
+    const subscription0 = await server.post("/api/subscriptions.info", {
+      body: {
+        token: viewer.getJwtToken(),
+        documentId: document0.id,
+        event: "documents.changed",
+      },
+    });
+
+    const response0 = await subscription0.json();
+
+    expect(subscription0.status).toEqual(400);
+    expect(response0.ok).toEqual(false);
+    expect(response0.error).toEqual("validation_error");
+    expect(response0.message).toEqual(
+      `event: Invalid literal value, expected "documents.update"`
+    );
+
+    // `viewer` wants info about `subscriber`'s
+    // subscription on `document0`.
+    // They have requested an invalid event.
+    const subscription1 = await server.post("/api/subscriptions.info", {
+      body: {
+        token: viewer.getJwtToken(),
+        documentId: document1.id,
+        event: "doc.affected",
+      },
+    });
+
+    const response1 = await subscription1.json();
+
+    expect(subscription1.status).toEqual(400);
+    expect(response1.ok).toEqual(false);
+    expect(response1.error).toEqual("validation_error");
+    expect(response1.message).toEqual(
+      `event: Invalid literal value, expected "documents.update"`
+    );
+  });
+});
+
+describe("#subscriptions.list", () => {
+  it("should list user subscriptions", async () => {
+    const user = await buildUser();
+
+    const document = await buildDocument({
+      userId: user.id,
+      teamId: user.teamId,
+    });
+
+    await buildSubscription();
+
+    const subscription = await buildSubscription({
+      userId: user.id,
+      documentId: document.id,
+      event: "documents.update",
+    });
+
+    const res = await server.post("/api/subscriptions.list", {
+      body: {
+        token: user.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.length).toEqual(1);
+    expect(body.data[0].id).toEqual(subscription.id);
+    expect(body.data[0].userId).toEqual(user.id);
+    expect(body.data[0].documentId).toEqual(document.id);
+  });
+
+  it("user should be able to list subscriptions on document", async () => {
+    const subscriber0 = await buildUser();
+    // `subscriber1` belongs to `subscriber0`'s team.
+    const subscriber1 = await buildUser({ teamId: subscriber0.teamId });
+    // `viewer` belongs to `subscriber0`'s team.
+    const viewer = await buildUser({ teamId: subscriber0.teamId });
+
+    // `subscriber0` created a document.
+    const document = await buildDocument({
+      userId: subscriber0.id,
+      teamId: subscriber0.teamId,
+    });
+
+    // `subscriber0` wants to be notified about
+    // changes on this document.
+    await server.post("/api/subscriptions.create", {
+      body: {
+        token: subscriber0.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    // `subscriber1` wants to be notified about
+    // changes on this document.
+    await server.post("/api/subscriptions.create", {
+      body: {
+        token: subscriber1.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    // `viewer` just wants to know the subscribers
+    // for this document.
+    const res = await server.post("/api/subscriptions.list", {
+      body: {
+        token: viewer.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    // `viewer` doesn't have any subscriptions on `document`.
+    expect(body.data.length).toEqual(0);
+
+    // `subscriber0` wants to know the subscribers
+    // for this document.
+    const res0 = await server.post("/api/subscriptions.list", {
+      body: {
+        token: subscriber0.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    const body0 = await res0.json();
+
+    // `subscriber1` subscribed after `subscriber0`
+    expect(body0.data[0].userId).toEqual(subscriber0.id);
+    // Both subscribers subscribed to same `document`.
+    expect(body0.data[0].documentId).toEqual(document.id);
+
+    // `subscriber1` wants to know the subscribers
+    // for this document.
+    const res1 = await server.post("/api/subscriptions.list", {
+      body: {
+        token: subscriber1.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    const body1 = await res1.json();
+
+    // `subscriber1` subscribed after `subscriber1`
+    expect(body1.data[0].userId).toEqual(subscriber1.id);
+    // Both subscribers subscribed to same `document`.
+    expect(body1.data[0].documentId).toEqual(document.id);
+  });
+
+  it("user should not be able to list invalid subscriptions", async () => {
+    const subscriber0 = await buildUser();
+    // `subscriber1` belongs to `subscriber0`'s team.
+    const subscriber1 = await buildUser({ teamId: subscriber0.teamId });
+    // `viewer` belongs to `subscriber0`'s team.
+    const viewer = await buildUser({ teamId: subscriber0.teamId });
+
+    // `subscriber0` created a document.
+    const document = await buildDocument({
+      userId: subscriber0.id,
+      teamId: subscriber0.teamId,
+    });
+
+    // `subscriber0` wants to be notified about
+    // changes on this document.
+    await server.post("/api/subscriptions.create", {
+      body: {
+        token: subscriber0.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    // `subscriber1` wants to be notified about
+    // changes on this document.
+    await server.post("/api/subscriptions.create", {
+      body: {
+        token: subscriber1.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    // `viewer` just wants to know the subscribers
+    // for this document.
+    const res = await server.post("/api/subscriptions.list", {
+      body: {
+        token: viewer.getJwtToken(),
+        documentId: document.id,
+        event: "changes.on.documents",
+      },
+    });
+
+    const body = await res.json();
+
+    expect(res.status).toEqual(400);
+    expect(body.ok).toEqual(false);
+    expect(body.error).toEqual("validation_error");
+    expect(body.message).toEqual(
+      `event: Invalid literal value, expected "documents.update"`
+    );
+  });
+
+  it("user outside of the team should not be able to list subscriptions on internal document", async () => {
+    const subscriber0 = await buildUser();
+    // `subscriber1` belongs to `subscriber0`'s team.
+    const subscriber1 = await buildUser({ teamId: subscriber0.teamId });
+    // `viewer` belongs to a different team.
+    const viewer = await buildUser();
+
+    // `subscriber0` created a document.
+    const document = await buildDocument({
+      userId: subscriber0.id,
+      teamId: subscriber0.teamId,
+    });
+
+    // `subscriber0` wants to be notified about
+    // changes on this document.
+    await server.post("/api/subscriptions.create", {
+      body: {
+        token: subscriber0.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    // `subscriber1` wants to be notified about
+    // changes on this document.
+    await server.post("/api/subscriptions.create", {
+      body: {
+        token: subscriber1.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    // `viewer` wants to know the subscribers
+    // for this internal document.
+    const res = await server.post("/api/subscriptions.info", {
+      body: {
+        token: viewer.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    const body = await res.json();
+
+    // `viewer` should not be authorized
+    // to view subscriptions on this document.
+    expect(res.status).toEqual(403);
+    expect(body.ok).toEqual(false);
+    expect(body.error).toEqual("authorization_error");
+    expect(body.message).toEqual("Authorization error");
+  });
+});
+
+describe("#subscriptions.delete", () => {
+  it("should delete user's subscription", async () => {
+    const user = await buildUser();
+
+    const document = await buildDocument({
+      userId: user.id,
+      teamId: user.teamId,
+    });
+
+    const subscription = await buildSubscription({
+      userId: user.id,
+      documentId: document.id,
+      event: "documents.update",
+    });
+
+    const res = await server.post("/api/subscriptions.delete", {
+      body: {
+        userId: user.id,
+        id: subscription.id,
+        token: user.getJwtToken(),
+      },
+    });
+
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.ok).toEqual(true);
+    expect(body.success).toEqual(true);
+  });
+
+  it("should emit event", async () => {
+    const user = await buildUser();
+
+    const document = await buildDocument({
+      userId: user.id,
+      teamId: user.teamId,
+    });
+
+    const subscription = await buildSubscription({
+      userId: user.id,
+      documentId: document.id,
+      event: "documents.update",
+    });
+
+    const res = await server.post("/api/subscriptions.delete", {
+      body: {
+        userId: user.id,
+        id: subscription.id,
+        token: user.getJwtToken(),
+      },
+    });
+
+    const events = await Event.findAll();
+
+    expect(events.length).toEqual(1);
+    expect(events[0].name).toEqual("subscriptions.delete");
+    expect(events[0].modelId).toEqual(subscription.id);
+    expect(events[0].actorId).toEqual(user.id);
+    expect(events[0].documentId).toEqual(document.id);
+
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.ok).toEqual(true);
+    expect(body.success).toEqual(true);
+  });
+
+  it("users should not be able to delete other's subscriptions on document", async () => {
+    const subscriber0 = await buildUser();
+    // `subscriber1` belongs to `subscriber0`'s team.
+    const subscriber1 = await buildUser({ teamId: subscriber0.teamId });
+
+    // `subscriber0` created a document.
+    const document = await buildDocument({
+      userId: subscriber0.id,
+      teamId: subscriber0.teamId,
+    });
+
+    // `subscriber0` wants to be notified about
+    // changes on this document.
+    await server.post("/api/subscriptions.create", {
+      body: {
+        token: subscriber0.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    // `subscriber1` wants to be notified about
+    // changes on this document.
+    const resp = await server.post("/api/subscriptions.create", {
+      body: {
+        token: subscriber1.getJwtToken(),
+        documentId: document.id,
+        event: "documents.update",
+      },
+    });
+
+    const subscription1 = await resp.json();
+    const subscription1Id = subscription1.data.id;
+
+    // `subscriber0` wants to change `subscriber1`'s
+    // subscription for this document.
+    const res = await server.post("/api/subscriptions.delete", {
+      body: {
+        // `subscriber0`
+        userId: subscriber0.id,
+        // subscription id of `subscriber1`
+        id: subscription1Id,
+        token: subscriber0.getJwtToken(),
+      },
+    });
+
+    const body = await res.json();
+
+    // `subscriber0` should be unauthorized.
+    expect(res.status).toEqual(403);
+    expect(body.ok).toEqual(false);
+    expect(body.error).toEqual("authorization_error");
+    expect(body.message).toEqual("Authorization error");
+  });
+});
--- a/server/routes/api/subscriptions/subscriptions.ts
+++ b/server/routes/api/subscriptions/subscriptions.ts
@@ -0,0 +1,136 @@
+import Router from "koa-router";
+import subscriptionCreator from "@server/commands/subscriptionCreator";
+import subscriptionDestroyer from "@server/commands/subscriptionDestroyer";
+import auth from "@server/middlewares/authentication";
+import { transaction } from "@server/middlewares/transaction";
+import validate from "@server/middlewares/validate";
+import { Subscription, Document } from "@server/models";
+import { authorize } from "@server/policies";
+import { presentSubscription } from "@server/presenters";
+import { APIContext } from "@server/types";
+import pagination from "../middlewares/pagination";
+import * as T from "./schema";
+
+const router = new Router();
+
+router.post(
+  "subscriptions.list",
+  auth(),
+  pagination(),
+  validate(T.SubscriptionsListSchema),
+  async (ctx: APIContext<T.SubscriptionsListReq>) => {
+    const { user } = ctx.state.auth;
+    const { documentId, event } = ctx.input.body;
+
+    const document = await Document.findByPk(documentId, { userId: user.id });
+
+    authorize(user, "read", document);
+
+    const subscriptions = await Subscription.findAll({
+      where: {
+        documentId: document.id,
+        userId: user.id,
+        event,
+      },
+      order: [["createdAt", "DESC"]],
+      offset: ctx.state.pagination.offset,
+      limit: ctx.state.pagination.limit,
+    });
+
+    ctx.body = {
+      pagination: ctx.state.pagination,
+      data: subscriptions.map(presentSubscription),
+    };
+  }
+);
+
+router.post(
+  "subscriptions.info",
+  auth(),
+  validate(T.SubscriptionsInfoSchema),
+  async (ctx: APIContext<T.SubscriptionsInfoReq>) => {
+    const { user } = ctx.state.auth;
+    const { documentId, event } = ctx.input.body;
+
+    const document = await Document.findByPk(documentId, { userId: user.id });
+
+    authorize(user, "read", document);
+
+    // There can be only one subscription with these props.
+    const subscription = await Subscription.findOne({
+      where: {
+        userId: user.id,
+        documentId: document.id,
+        event,
+      },
+      rejectOnEmpty: true,
+    });
+
+    ctx.body = {
+      data: presentSubscription(subscription),
+    };
+  }
+);
+
+router.post(
+  "subscriptions.create",
+  auth(),
+  validate(T.SubscriptionsCreateSchema),
+  transaction(),
+  async (ctx: APIContext<T.SubscriptionsCreateReq>) => {
+    const { auth, transaction } = ctx.state;
+    const { user } = auth;
+    const { documentId, event } = ctx.input.body;
+
+    const document = await Document.findByPk(documentId, {
+      userId: user.id,
+      transaction,
+    });
+
+    authorize(user, "subscribe", document);
+
+    const subscription = await subscriptionCreator({
+      user,
+      documentId: document.id,
+      event,
+      ip: ctx.request.ip,
+      transaction,
+    });
+
+    ctx.body = {
+      data: presentSubscription(subscription),
+    };
+  }
+);
+
+router.post(
+  "subscriptions.delete",
+  auth(),
+  validate(T.SubscriptionsDeleteSchema),
+  transaction(),
+  async (ctx: APIContext<T.SubscriptionsDeleteReq>) => {
+    const { auth, transaction } = ctx.state;
+    const { user } = auth;
+    const { id } = ctx.input.body;
+
+    const subscription = await Subscription.findByPk(id, {
+      rejectOnEmpty: true,
+      transaction,
+    });
+
+    authorize(user, "delete", subscription);
+
+    await subscriptionDestroyer({
+      user,
+      subscription,
+      ip: ctx.request.ip,
+      transaction,
+    });
+
+    ctx.body = {
+      success: true,
+    };
+  }
+);
+
+export default router;