fix(api): add admin auth guard to upload file-serve route#76
Open
teddylee777 wants to merge 1 commit into
The GET handler at frontend/src/app/api/admin/upload/[filename]/route.ts served admin-uploaded files to any caller without an authentication check, while the sibling POST handler already required auth() + isAdmin(). This asymmetry let unauthenticated clients read admin-private branding and logo assets once a filename leaked (browser history, server logs, CDN cache).

Add the session + role check at the start of the GET handler:
- no session -> 401 Unauthorized
- authenticated non-admin -> 403 Forbidden
- admin/super_admin -> existing file-serve path (unchanged)

Keep the existing path-traversal defense and MIME handling intact. Add a Playwright e2e regression test covering the unauthenticated 401 case (matches the existing e2e infra under frontend/e2e/).
Summary
- GET /api/admin/upload/[filename] served admin-uploaded assets without any authentication check, allowing any client that knew a filename to download admin-private branding/logos.
- Add auth() + isAdmin(session.user.role as UserRole) guard at the start of the GET handler: no session → 401 Unauthorized, non-admin → 403 Forbidden, admin → existing file-serve path (unchanged).
- Keep the existing path-traversal defense (.., /, \) and MIME handling; no changes to the sibling POST handler or shared auth helpers.
- Add a Playwright e2e regression test (frontend/e2e/admin-upload-auth.spec.ts) asserting the 401 unauthenticated case — matches the existing e2e infrastructure.

Closes #65
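The guard ordering described in the commit message and the summary above (no session → 401, non-admin → 403, admin → existing serve path with its traversal check), as an added example that is not the PR's or the project's code. It is framework-free so it runs under plain Node: the Session/UserRole shapes, the isAdmin rule, the in-memory UPLOADS table and the plain result object standing in for a Next.js Response are all assumptions.

```typescript
// Assumed role set and session shape; the real project's types may differ.
type UserRole = "user" | "admin" | "super_admin";
interface Session { user: { id: string; role: UserRole } }

// Mirrors the PR's rule: only admin and super_admin pass the guard.
function isAdmin(role: UserRole): boolean {
  return role === "admin" || role === "super_admin";
}

// Constructed stand-in for the upload directory (not real project assets).
const UPLOADS: Record<string, { body: string; mime: string }> = {
  "logo.png": { body: "<png bytes>", mime: "image/png" },
};

// Plain result object in place of a framework Response so the example is runnable anywhere.
interface ServeResult { status: number; body: string; contentType?: string }

// Path-traversal defence kept in front of the file lookup: the segment is assumed
// already URL-decoded, and anything containing "..", "/" or "\" is rejected.
function isSafeFilename(name: string): boolean {
  return /^[A-Za-z0-9_.-]+$/.test(name) && !name.includes("..");
}

// The GET handler's decision logic. Authentication and authorization run
// before any filesystem work so unauthenticated callers learn nothing about
// which filenames exist.
function serveAdminUpload(filename: string, session: Session | null): ServeResult {
  if (!session) return { status: 401, body: "Unauthorized" };
  if (!isAdmin(session.user.role)) return { status: 403, body: "Forbidden" };
  if (!isSafeFilename(filename)) return { status: 400, body: "Bad Request" };
  const file = UPLOADS[filename];
  if (!file) return { status: 404, body: "Not Found" };
  return { status: 200, body: file.body, contentType: file.mime };
}
```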