Security hardening: fix SQL injection, WAF bypass, placeholder injection, and more

- C1: Replace all ClickHouse string interpolation with parameterized queries
  (query_params) to eliminate SQL injection in analytics endpoints
- C3: Strip Caddy placeholder patterns from redirect rules, protected paths,
  and Authentik auth endpoint to prevent config injection
- C4: Replace WAF custom directive blocklist with allowlist approach — only
  SecRule/SecAction/SecMarker/SecDefaultAction permitted; block ctl:ruleEngine
  and Include directives
- H2: Validate GCM authentication tag is exactly 16 bytes before decryption
- H3: Validate forward auth redirect URIs (scheme, no credentials) to prevent
  open redirects
- H4: Switch 11 analytics/WAF/geoip endpoints from session-only requireAdmin
  to requireApiAdmin supporting both Bearer token and session auth
- H5: Add input validation for instance-mode (whitelist) and sync-token
  (32-char minimum) in settings API
- M1: Add non-root user to l4-port-manager Dockerfile
- M5: Document Caddy admin API binding security rationale
- Document C2 (custom config injection) and H1 (SSRF via upstreams) as
  intentional admin features

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

app/api/analytics/blocked/route.ts

@@ -1,16 +1,20 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { requireAdmin } from '@/src/lib/auth';
+import { requireApiAdmin, apiErrorResponse } from '@/src/lib/api-auth';
 import { getAnalyticsBlocked, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
 
 export async function GET(req: NextRequest) {
-  await requireAdmin();
-  const { searchParams } = req.nextUrl;
-  const hostsParam = searchParams.get('hosts') ?? '';
-  const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
-  const page = parseInt(searchParams.get('page') ?? '1', 10);
-  const { from, to } = resolveRange(searchParams);
-  const data = await getAnalyticsBlocked(from, to, hosts, page);
-  return NextResponse.json(data);
+  try {
+    await requireApiAdmin(req);
+    const { searchParams } = req.nextUrl;
+    const hostsParam = searchParams.get('hosts') ?? '';
+    const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
+    const page = parseInt(searchParams.get('page') ?? '1', 10);
+    const { from, to } = resolveRange(searchParams);
+    const data = await getAnalyticsBlocked(from, to, hosts, page);
+    return NextResponse.json(data);
+  } catch (error) {
+    return apiErrorResponse(error);
+  }
 }
 
 function resolveRange(params: URLSearchParams): { from: number; to: number } {

app/api/analytics/countries/route.ts

@@ -1,15 +1,19 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { requireAdmin } from '@/src/lib/auth';
+import { requireApiAdmin, apiErrorResponse } from '@/src/lib/api-auth';
 import { getAnalyticsCountries, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
 
 export async function GET(req: NextRequest) {
-  await requireAdmin();
-  const { searchParams } = req.nextUrl;
-  const hostsParam = searchParams.get('hosts') ?? '';
-  const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
-  const { from, to } = resolveRange(searchParams);
-  const data = await getAnalyticsCountries(from, to, hosts);
-  return NextResponse.json(data);
+  try {
+    await requireApiAdmin(req);
+    const { searchParams } = req.nextUrl;
+    const hostsParam = searchParams.get('hosts') ?? '';
+    const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
+    const { from, to } = resolveRange(searchParams);
+    const data = await getAnalyticsCountries(from, to, hosts);
+    return NextResponse.json(data);
+  } catch (error) {
+    return apiErrorResponse(error);
+  }
 }
 
 function resolveRange(params: URLSearchParams): { from: number; to: number } {

app/api/analytics/hosts/route.ts

@@ -1,9 +1,13 @@
-import { NextResponse } from 'next/server';
-import { requireAdmin } from '@/src/lib/auth';
+import { NextRequest, NextResponse } from 'next/server';
+import { requireApiAdmin, apiErrorResponse } from '@/src/lib/api-auth';
 import { getAnalyticsHosts } from '@/src/lib/analytics-db';
 
-export async function GET() {
-  await requireAdmin();
-  const hosts = await getAnalyticsHosts();
-  return NextResponse.json(hosts);
+export async function GET(request: NextRequest) {
+  try {
+    await requireApiAdmin(request);
+    const hosts = await getAnalyticsHosts();
+    return NextResponse.json(hosts);
+  } catch (error) {
+    return apiErrorResponse(error);
+  }
 }

app/api/analytics/protocols/route.ts

@@ -1,15 +1,19 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { requireAdmin } from '@/src/lib/auth';
+import { requireApiAdmin, apiErrorResponse } from '@/src/lib/api-auth';
 import { getAnalyticsProtocols, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
 
 export async function GET(req: NextRequest) {
-  await requireAdmin();
-  const { searchParams } = req.nextUrl;
-  const hostsParam = searchParams.get('hosts') ?? '';
-  const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
-  const { from, to } = resolveRange(searchParams);
-  const data = await getAnalyticsProtocols(from, to, hosts);
-  return NextResponse.json(data);
+  try {
+    await requireApiAdmin(req);
+    const { searchParams } = req.nextUrl;
+    const hostsParam = searchParams.get('hosts') ?? '';
+    const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
+    const { from, to } = resolveRange(searchParams);
+    const data = await getAnalyticsProtocols(from, to, hosts);
+    return NextResponse.json(data);
+  } catch (error) {
+    return apiErrorResponse(error);
+  }
 }
 
 function resolveRange(params: URLSearchParams): { from: number; to: number } {

app/api/analytics/summary/route.ts

@@ -1,15 +1,19 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { requireAdmin } from '@/src/lib/auth';
+import { requireApiAdmin, apiErrorResponse } from '@/src/lib/api-auth';
 import { getAnalyticsSummary, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
 
 export async function GET(req: NextRequest) {
-  await requireAdmin();
-  const { searchParams } = req.nextUrl;
-  const hostsParam = searchParams.get('hosts') ?? '';
-  const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
-  const { from, to } = resolveRange(searchParams);
-  const data = await getAnalyticsSummary(from, to, hosts);
-  return NextResponse.json(data);
+  try {
+    await requireApiAdmin(req);
+    const { searchParams } = req.nextUrl;
+    const hostsParam = searchParams.get('hosts') ?? '';
+    const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
+    const { from, to } = resolveRange(searchParams);
+    const data = await getAnalyticsSummary(from, to, hosts);
+    return NextResponse.json(data);
+  } catch (error) {
+    return apiErrorResponse(error);
+  }
 }
 
 function resolveRange(params: URLSearchParams): { from: number; to: number } {

app/api/analytics/timeline/route.ts

@@ -1,15 +1,19 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { requireAdmin } from '@/src/lib/auth';
+import { requireApiAdmin, apiErrorResponse } from '@/src/lib/api-auth';
 import { getAnalyticsTimeline, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
 
 export async function GET(req: NextRequest) {
-  await requireAdmin();
-  const { searchParams } = req.nextUrl;
-  const hostsParam = searchParams.get('hosts') ?? '';
-  const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
-  const { from, to } = resolveRange(searchParams);
-  const data = await getAnalyticsTimeline(from, to, hosts);
-  return NextResponse.json(data);
+  try {
+    await requireApiAdmin(req);
+    const { searchParams } = req.nextUrl;
+    const hostsParam = searchParams.get('hosts') ?? '';
+    const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
+    const { from, to } = resolveRange(searchParams);
+    const data = await getAnalyticsTimeline(from, to, hosts);
+    return NextResponse.json(data);
+  } catch (error) {
+    return apiErrorResponse(error);
+  }
 }
 
 function resolveRange(params: URLSearchParams): { from: number; to: number } {

app/api/analytics/user-agents/route.ts

@@ -1,15 +1,19 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { requireAdmin } from '@/src/lib/auth';
+import { requireApiAdmin, apiErrorResponse } from '@/src/lib/api-auth';
 import { getAnalyticsUserAgents, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
 
 export async function GET(req: NextRequest) {
-  await requireAdmin();
-  const { searchParams } = req.nextUrl;
-  const hostsParam = searchParams.get('hosts') ?? '';
-  const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
-  const { from, to } = resolveRange(searchParams);
-  const data = await getAnalyticsUserAgents(from, to, hosts);
-  return NextResponse.json(data);
+  try {
+    await requireApiAdmin(req);
+    const { searchParams } = req.nextUrl;
+    const hostsParam = searchParams.get('hosts') ?? '';
+    const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
+    const { from, to } = resolveRange(searchParams);
+    const data = await getAnalyticsUserAgents(from, to, hosts);
+    return NextResponse.json(data);
+  } catch (error) {
+    return apiErrorResponse(error);
+  }
 }
 
 function resolveRange(params: URLSearchParams): { from: number; to: number } {

app/api/analytics/waf-stats/route.ts

@@ -1,5 +1,5 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { requireAdmin } from '@/src/lib/auth';
+import { requireApiAdmin, apiErrorResponse } from '@/src/lib/api-auth';
 import { INTERVAL_SECONDS } from '@/src/lib/analytics-db';
 import { countWafEventsInRange, getTopWafRulesWithHosts, getWafEventCountries } from '@/src/lib/models/waf-events';
 
@@ -16,12 +16,16 @@ function resolveRange(params: URLSearchParams): { from: number; to: number } {
 }
 
 export async function GET(req: NextRequest) {
-  await requireAdmin();
-  const { from, to } = resolveRange(req.nextUrl.searchParams);
-  const [total, topRules, byCountry] = await Promise.all([
-    countWafEventsInRange(from, to),
-    getTopWafRulesWithHosts(from, to, 10),
-    getWafEventCountries(from, to),
-  ]);
-  return NextResponse.json({ total, topRules, byCountry });
+  try {
+    await requireApiAdmin(req);
+    const { from, to } = resolveRange(req.nextUrl.searchParams);
+    const [total, topRules, byCountry] = await Promise.all([
+      countWafEventsInRange(from, to),
+      getTopWafRulesWithHosts(from, to, 10),
+      getWafEventCountries(from, to),
+    ]);
+    return NextResponse.json({ total, topRules, byCountry });
+  } catch (error) {
+    return apiErrorResponse(error);
+  }
 }

app/api/geoip-status/route.ts

@@ -1,14 +1,18 @@
 import { existsSync } from "node:fs";
-import { NextResponse } from "next/server";
-import { requireAdmin } from "@/src/lib/auth";
+import { NextRequest, NextResponse } from "next/server";
+import { requireApiAdmin, apiErrorResponse } from "@/src/lib/api-auth";
 
 const COUNTRY_DB = "/usr/share/GeoIP/GeoLite2-Country.mmdb";
 const ASN_DB = "/usr/share/GeoIP/GeoLite2-ASN.mmdb";
 
-export async function GET() {
-  await requireAdmin();
-  return NextResponse.json({
-    country: existsSync(COUNTRY_DB),
-    asn: existsSync(ASN_DB),
-  });
+export async function GET(request: NextRequest) {
+  try {
+    await requireApiAdmin(request);
+    return NextResponse.json({
+      country: existsSync(COUNTRY_DB),
+      asn: existsSync(ASN_DB),
+    });
+  } catch (error) {
+    return apiErrorResponse(error);
+  }
 }

app/api/l4-ports/route.ts

@@ -1,20 +1,20 @@
 import { NextRequest, NextResponse } from "next/server";
-import { requireAdmin, checkSameOrigin } from "@/src/lib/auth";
+import { requireApiAdmin, apiErrorResponse } from "@/src/lib/api-auth";
 import { getL4PortsDiff, getL4PortsStatus, applyL4Ports } from "@/src/lib/l4-ports";
 
 /**
  * GET /api/l4-ports — returns current port diff and apply status.
  */
-export async function GET() {
+export async function GET(request: NextRequest) {
   try {
-    await requireAdmin();
+    await requireApiAdmin(request);
     const [diff, status] = await Promise.all([
       getL4PortsDiff(),
       getL4PortsStatus(),
     ]);
     return NextResponse.json({ diff, status });
-  } catch {
-    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  } catch (error) {
+    return apiErrorResponse(error);
   }
 }
 
@@ -22,18 +22,11 @@ export async function GET() {
  * POST /api/l4-ports — trigger port apply (write override + trigger file).
  */
 export async function POST(request: NextRequest) {
-  const originCheck = checkSameOrigin(request);
-  if (originCheck) return originCheck;
-
   try {
-    await requireAdmin();
+    await requireApiAdmin(request);
     const status = await applyL4Ports();
     return NextResponse.json({ status });
   } catch (error) {
-    console.error("Failed to apply L4 ports:", error);
-    return NextResponse.json(
-      { error: error instanceof Error ? error.message : "Failed to apply L4 ports" },
-      { status: 500 }
-    );
+    return apiErrorResponse(error);
   }
 }

app/api/v1/settings/[group]/route.ts

@@ -72,11 +72,25 @@ export async function PUT(
     const body = await request.json();
 
     if (group === "instance-mode") {
+      const validModes = ["standalone", "master", "slave"];
+      if (!validModes.includes(body.mode)) {
+        return NextResponse.json(
+          { error: `Invalid mode. Must be one of: ${validModes.join(", ")}` },
+          { status: 400 }
+        );
+      }
       await setInstanceMode(body.mode);
       return NextResponse.json({ ok: true });
     }
 
     if (group === "sync-token") {
+      if (body.token !== null && body.token !== undefined &&
+          (typeof body.token !== "string" || body.token.length < 32)) {
+        return NextResponse.json(
+          { error: "Token must be null or a string of at least 32 characters" },
+          { status: 400 }
+        );
+      }
       await setSlaveMasterToken(body.token ?? null);
       return NextResponse.json({ ok: true });
     }

app/api/waf-events/route.ts

@@ -1,10 +1,10 @@
 import { NextRequest, NextResponse } from "next/server";
-import { requireAdmin } from "@/src/lib/auth";
+import { requireApiAdmin, apiErrorResponse } from "@/src/lib/api-auth";
 import { listWafEvents, countWafEvents } from "@/src/lib/models/waf-events";
 
 export async function GET(request: NextRequest) {
   try {
-    await requireAdmin();
+    await requireApiAdmin(request);
     const { searchParams } = request.nextUrl;
     const page = Math.max(1, parseInt(searchParams.get("page") ?? "1", 10) || 1);
     const perPage = Math.min(200, Math.max(1, parseInt(searchParams.get("per_page") ?? "50", 10) || 50));
@@ -17,7 +17,7 @@ export async function GET(request: NextRequest) {
     ]);
 
     return NextResponse.json({ events, total, page, perPage });
-  } catch {
-    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  } catch (error) {
+    return apiErrorResponse(error);
   }
 }