🛂 Prevent API calls without accepting ethics modal (#174)

src/hooks.server.ts

@@ -6,12 +6,38 @@ import {
 	PUBLIC_DEPRECATED_GOOGLE_ANALYTICS_ID,
 } from "$env/static/public";
 import { addYears } from "date-fns";
+import { collections } from "$lib/server/database";
+import { base } from "$app/paths";
 
 export const handle: Handle = async ({ event, resolve }) => {
 	const token = event.cookies.get(COOKIE_NAME);
 
 	event.locals.sessionId = token || crypto.randomUUID();
 
+	if (event.request.method === "POST" && !event.url.pathname.startsWith(`${base}/settings`)) {
+		const hasAcceptedEthicsModal = await collections.settings.countDocuments({
+			sessionId: event.locals.sessionId,
+			ethicsModalAcceptedAt: { $exists: true },
+		});
+
+		if (!hasAcceptedEthicsModal) {
+			const sendJson =
+				event.request.headers.get("accept")?.includes("application/json") ||
+				event.request.headers.get("content-type")?.includes("application/json");
+			return new Response(
+				sendJson
+					? JSON.stringify({ error: "You need to accept the welcome modal first" })
+					: "You need to accept the welcome modal first",
+				{
+					status: 405,
+					headers: {
+						"content-type": sendJson ? "application/json" : "text/plain",
+					},
+				}
+			);
+		}
+	}
+
 	// Refresh cookie expiration date
 	event.cookies.set(COOKIE_NAME, event.locals.sessionId, {
 		path: "/",