Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Security [HIGH]: API middleware default-allows /api/* — new routes inherit public access #44

New Issue
Closed
opened 2026-04-16 22:05:09 +02:00 by Hartmut · 1 comment
Hartmut commented 2026-04-16 22:05:09 +02:00
Owner
Copy Link
Copy Source

Problem

apps/web/src/middleware.ts lists /api/ as public prefix, exempting the entire API tree from session check. Every newly added /api/ route defaults to public unless it explicitly self-authenticates. Audit cron endpoints for fail-closed behavior (CRON_SECRET unset).

Evidence

  • apps/web/src/middleware.ts:6-14 — PUBLIC_PREFIXES includes '/api/'
  • apps/web/src/app/api/cron/public-holidays/route.ts:22-54 — gated on verifyCronSecret
  • apps/web/src/app/api/cron/security-audit/route.ts:110-154 — same

Impact

Default-allow pattern. A newly added /api/debug/* or /api/internal/* route is public unless a developer remembers to gate it manually.

Proposed Fix

Allowlist only: /api/auth/*, /api/trpc/*, /api/health, /api/cron/* (which self-auth via CRON_SECRET), /api/sse/*. All other /api/* require session by default. Verify verifyCronSecret fails-closed when env missing, add unit test.

Acceptance Criteria

  • Default-deny: new /api route requires explicit allowlist entry
  • Unit test for verifyCronSecret: missing CRON_SECRET → 401
  • Existing endpoints remain functional

Parent Epic: #1
Source: Full-Codebase Security Audit 2026-04-16 (A-13, B-24)

## Problem `apps/web/src/middleware.ts` lists `/api/` as public prefix, exempting the entire API tree from session check. Every newly added `/api/` route defaults to public unless it explicitly self-authenticates. Audit cron endpoints for fail-closed behavior (`CRON_SECRET` unset). ## Evidence - `apps/web/src/middleware.ts:6-14 — PUBLIC_PREFIXES includes '/api/'` - `apps/web/src/app/api/cron/public-holidays/route.ts:22-54 — gated on verifyCronSecret` - `apps/web/src/app/api/cron/security-audit/route.ts:110-154 — same` ## Impact Default-allow pattern. A newly added `/api/debug/*` or `/api/internal/*` route is public unless a developer remembers to gate it manually. ## Proposed Fix Allowlist only: `/api/auth/*`, `/api/trpc/*`, `/api/health`, `/api/cron/*` (which self-auth via CRON_SECRET), `/api/sse/*`. All other `/api/*` require session by default. Verify `verifyCronSecret` fails-closed when env missing, add unit test. ## Acceptance Criteria - [ ] Default-deny: new /api route requires explicit allowlist entry - [ ] Unit test for verifyCronSecret: missing CRON_SECRET → 401 - [ ] Existing endpoints remain functional --- Parent Epic: #1 Source: Full-Codebase Security Audit 2026-04-16 (A-13, B-24)
Hartmut added the security label 2026-04-16 22:05:09 +02:00
Hartmut commented 2026-04-17 09:29:04 +02:00
Author
Owner
Copy Link
Copy Source

Resolved in commit b32160d (security: default-deny /api middleware allowlist). The web app middleware now allowlists known public /api/* routes; new routes default to auth-required.

Resolved in commit b32160d (`security: default-deny /api middleware allowlist`). The web app middleware now allowlists known public `/api/*` routes; new routes default to auth-required.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
cdp
CDP (Client Data Protection) compliance
 epic
Parent/umbrella ticket
 not-applicable
Control does not apply to CapaKraken scope
 security
Security / compliance work
No Label security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Hartmut
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Hartmut/CapaKraken#44
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?