Fix authorization bypass and input sanitization vulnerabilities in API routes#1

Draft
Copilot wants to merge 3 commits into main from copilot/fix-security-issue

Conversation

Copilot AI commented Feb 28, 2026

Multiple API endpoints lack ownership verification, allowing any authenticated user to modify/delete other users' forms and view their responses. The sendgrid endpoint is unauthenticated and vulnerable to HTML injection. The formResponses POST endpoint accepts a client-supplied userId, enabling identity spoofing.

Authorization bypass in forms API

  • PUT/DELETE: Added formCreator ownership check before allowing form edit/delete. Returns 403 if the user doesn't own the form.
```typescript
// Ownership check on PUT/DELETE: the composite-key lookup returns null unless
// this user created the form, so anyone else gets a 403 before any mutation.
const formCreator = await prisma.formCreator.findUnique({
    where: { userId_formId: { userId, formId: id } }
});
if (!formCreator) {
    return NextResponse.json({ error: 'Not authorized to edit this form' }, { status: 403 });
}
```

Authorization bypass in formResponses GET

  • Joined formCreators in the query and verified the requesting user owns the parent form before returning response data.

userId spoofing in formResponses POST

  • Wrapped endpoint in auth() handler; derives userId from session instead of trusting the request body. Anonymous submissions still work (no auth required to submit, but you can't impersonate another user).
  • Removed client-side userId from both respondForm and respondFormWithPublicLink pages.

Unauthenticated sendgrid endpoint + HTML injection

  • Added auth() wrapper requiring authentication.
  • Added escapeHtml() to sanitize subject, fullname, email, and message before interpolation into the HTML template.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • checkpoint.prisma.io

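The two fixes described above, as an added example that is not code from the EasyForm PR: an escapeHtml() that neutralises the five characters an HTML template interpolation can be broken out with, the sendgrid-style template built from escaped fields, and the formCreator ownership check modelled against an in-memory lookup (hypothetical stand-in for prisma.formCreator.findUnique) so it runs offline.

```javascript
// Characters that must never reach an HTML body or attribute unescaped.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  // Coerce first so undefined/null/numbers from a JSON body never throw.
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds the notification body the way the PR describes for the sendgrid
// route: every user-controlled field is escaped before interpolation.
function renderContactEmail({ subject, fullname, email, message }) {
  return [
    `<h2>${escapeHtml(subject)}</h2>`,
    `<p><strong>${escapeHtml(fullname)}</strong> &lt;${escapeHtml(email)}&gt;</p>`,
    `<p>${escapeHtml(message)}</p>`,
  ].join('\n');
}

// Ownership check for PUT/DELETE. findFormCreator is an async lookup with the
// same contract as prisma.formCreator.findUnique (null when no row matches);
// userId must come from the session, never from the request body.
async function authorizeFormOwner(findFormCreator, userId, formId) {
  const formCreator = await findFormCreator({ userId, formId });
  if (!formCreator) {
    return { ok: false, status: 403, error: 'Not authorized to edit this form' };
  }
  return { ok: true, status: 200, formCreator };
}

// Constructed in-memory table standing in for the formCreator relation.
const FORM_CREATORS = [{ userId: 'alice', formId: 'f1' }];
async function findFormCreatorInMemory({ userId, formId }) {
  return FORM_CREATORS.find((r) => r.userId === userId && r.formId === formId) ?? null;
}
```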

Copilot AI and others added 2 commits February 28, 2026 16:10
…oofing, add auth to sendgrid, sanitize HTML

Co-authored-by: aqzi <28254730+aqzi@users.noreply.github.com>
…tracking

Co-authored-by: aqzi <28254730+aqzi@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix the security issue in the application Fix authorization bypass and input sanitization vulnerabilities in API routes Feb 28, 2026