Restrict analytics, GeoIP status, and OpenAPI spec to admin role
Pentest found that all 8 analytics API endpoints, the GeoIP status endpoint, and the OpenAPI spec were accessible to any authenticated user. Since the user role should only have access to forward auth and self-service, these are now admin-only.

- analytics/*: requireUser → requireAdmin
- geoip-status: requireUser → requireAdmin
- openapi.json: add requireApiAdmin + change Cache-Control to private
- analytics/api-docs pages: requireUser → requireAdmin (defense-in-depth)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -1,7 +1,7 @@
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import AnalyticsClient from './AnalyticsClient';
|
||||
|
||||
export default async function AnalyticsPage() {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
return <AnalyticsClient />;
|
||||
}
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
import { requireUser } from "@/src/lib/auth";
|
||||
import { requireAdmin } from "@/src/lib/auth";
|
||||
import ApiDocsClient from "./ApiDocsClient";
|
||||
|
||||
export const metadata = {
|
||||
@@ -6,7 +6,7 @@ export const metadata = {
|
||||
};
|
||||
|
||||
export default async function ApiDocsPage() {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
|
||||
return <ApiDocsClient />;
|
||||
}
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import { getAnalyticsBlocked, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
|
||||
|
||||
export async function GET(req: NextRequest) {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
const { searchParams } = req.nextUrl;
|
||||
const hostsParam = searchParams.get('hosts') ?? '';
|
||||
const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
|
||||
|
||||
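Review bot: The new `await requireAdmin()` guard in GET is the same helper the page components use, whereas the openapi.json handler in this commit uses `requireApiAdmin(request)` wrapped in a try/catch that turns a refusal into `apiErrorResponse(error)`, so these API routes have no defined response for a non-admin caller. What `requireAdmin()` does on failure is not visible here; if it throws or redirects the way a page guard would, an API client gets an uncaught exception (a 500) or a redirect to a login page rather than a 401/403 JSON body, and GET's body continues outside the hunk so any later handling cannot be seen either. The same pattern appears in the countries, hosts, protocols, summary, timeline, user-agents, WAF and geoip-status hunks, so this applies to all of them. Consider the shape the openapi route already uses, `try { await requireApiAdmin(req); } catch (error) { return apiErrorResponse(error); }`, which for the parameterless `GET()` handlers (hosts, geoip-status) means adding the `request: NextRequest` parameter as the openapi hunk did. At minimum, a comment on the guard line such as `// admin-only: requireAdmin() must reject non-admins with an API-appropriate status, not a redirect — confirm against its implementation` records the contract the pentest finding depends on.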
@@ -1,9 +1,9 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import { getAnalyticsCountries, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
|
||||
|
||||
export async function GET(req: NextRequest) {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
const { searchParams } = req.nextUrl;
|
||||
const hostsParam = searchParams.get('hosts') ?? '';
|
||||
const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
import { NextResponse } from 'next/server';
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import { getAnalyticsHosts } from '@/src/lib/analytics-db';
|
||||
|
||||
export async function GET() {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
const hosts = await getAnalyticsHosts();
|
||||
return NextResponse.json(hosts);
|
||||
}
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import { getAnalyticsProtocols, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
|
||||
|
||||
export async function GET(req: NextRequest) {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
const { searchParams } = req.nextUrl;
|
||||
const hostsParam = searchParams.get('hosts') ?? '';
|
||||
const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import { getAnalyticsSummary, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
|
||||
|
||||
export async function GET(req: NextRequest) {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
const { searchParams } = req.nextUrl;
|
||||
const hostsParam = searchParams.get('hosts') ?? '';
|
||||
const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import { getAnalyticsTimeline, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
|
||||
|
||||
export async function GET(req: NextRequest) {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
const { searchParams } = req.nextUrl;
|
||||
const hostsParam = searchParams.get('hosts') ?? '';
|
||||
const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import { getAnalyticsUserAgents, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
|
||||
|
||||
export async function GET(req: NextRequest) {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
const { searchParams } = req.nextUrl;
|
||||
const hostsParam = searchParams.get('hosts') ?? '';
|
||||
const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import { INTERVAL_SECONDS } from '@/src/lib/analytics-db';
|
||||
import { countWafEventsInRange, getTopWafRulesWithHosts, getWafEventCountries } from '@/src/lib/models/waf-events';
|
||||
|
||||
@@ -16,7 +16,7 @@ function resolveRange(params: URLSearchParams): { from: number; to: number } {
|
||||
}
|
||||
|
||||
export async function GET(req: NextRequest) {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
const { from, to } = resolveRange(req.nextUrl.searchParams);
|
||||
const [total, topRules, byCountry] = await Promise.all([
|
||||
countWafEventsInRange(from, to),
|
||||
|
||||
@@ -1,12 +1,12 @@
|
||||
import { existsSync } from "node:fs";
|
||||
import { NextResponse } from "next/server";
|
||||
import { requireUser } from "@/src/lib/auth";
|
||||
import { requireAdmin } from "@/src/lib/auth";
|
||||
|
||||
const COUNTRY_DB = "/usr/share/GeoIP/GeoLite2-Country.mmdb";
|
||||
const ASN_DB = "/usr/share/GeoIP/GeoLite2-ASN.mmdb";
|
||||
|
||||
export async function GET() {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
return NextResponse.json({
|
||||
country: existsSync(COUNTRY_DB),
|
||||
asn: existsSync(ASN_DB),
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
import { NextResponse } from "next/server";
|
||||
import { NextRequest, NextResponse } from "next/server";
|
||||
import { requireApiAdmin, apiErrorResponse } from "@/src/lib/api-auth";
|
||||
|
||||
const spec = {
|
||||
openapi: "3.1.0",
|
||||
@@ -1768,10 +1769,15 @@ const spec = {
|
||||
},
|
||||
};
|
||||
|
||||
export async function GET() {
|
||||
export async function GET(request: NextRequest) {
|
||||
try {
|
||||
await requireApiAdmin(request);
|
||||
} catch (error) {
|
||||
return apiErrorResponse(error);
|
||||
}
|
||||
return NextResponse.json(spec, {
|
||||
headers: {
|
||||
"Cache-Control": "public, max-age=3600",
|
||||
"Cache-Control": "private, max-age=3600",
|
||||
},
|
||||
});
|
||||
}
|
||||
|
||||
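Review bot: `"Cache-Control": "private, max-age=3600"` keeps the spec out of shared caches, but a browser that fetched it while its user was an admin can keep replaying it for an hour after the session ends or the role is revoked. Since the commit's premise is that the spec is admin-only, `private, no-store` (or a much shorter max-age) would align caching with the new access control; the `try`/`catch` around `requireApiAdmin(request)` already provides the rejection path through `apiErrorResponse`. If the spec is intentionally kept cacheable, a comment such as `// spec is admin-only (requireApiAdmin above); private keeps it out of shared caches, max-age bounds browser reuse` documents the trade-off for the next reader.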
@@ -1,20 +1,46 @@
|
||||
import { describe, it, expect } from 'vitest';
|
||||
import { describe, it, expect, vi } from 'vitest';
|
||||
import { NextRequest } from 'next/server';
|
||||
|
||||
vi.mock('@/src/lib/api-auth', () => {
|
||||
const ApiAuthError = class extends Error {
|
||||
status: number;
|
||||
constructor(msg: string, status: number) { super(msg); this.status = status; this.name = 'ApiAuthError'; }
|
||||
};
|
||||
return {
|
||||
requireApiAdmin: vi.fn().mockResolvedValue({ userId: 1, role: 'admin', authMethod: 'bearer' }),
|
||||
apiErrorResponse: vi.fn((error: unknown) => {
|
||||
const { NextResponse: NR } = require('next/server');
|
||||
if (error instanceof ApiAuthError) {
|
||||
return NR.json({ error: error.message }, { status: error.status });
|
||||
}
|
||||
return NR.json({ error: error instanceof Error ? error.message : 'Internal server error' }, { status: 500 });
|
||||
}),
|
||||
ApiAuthError,
|
||||
};
|
||||
});
|
||||
|
||||
import { GET } from '@/app/api/v1/openapi.json/route';
|
||||
|
||||
function makeRequest() {
|
||||
return new NextRequest('http://localhost/api/v1/openapi.json', {
|
||||
headers: { authorization: 'Bearer test-token' },
|
||||
});
|
||||
}
|
||||
|
||||
describe('GET /api/v1/openapi.json', () => {
|
||||
it('returns 200', async () => {
|
||||
const response = await GET();
|
||||
const response = await GET(makeRequest());
|
||||
expect(response.status).toBe(200);
|
||||
});
|
||||
|
||||
it('returns valid JSON with openapi field = "3.1.0"', async () => {
|
||||
const response = await GET();
|
||||
const response = await GET(makeRequest());
|
||||
const data = await response.json();
|
||||
expect(data.openapi).toBe('3.1.0');
|
||||
});
|
||||
|
||||
it('contains all expected paths', async () => {
|
||||
const response = await GET();
|
||||
const response = await GET(makeRequest());
|
||||
const data = await response.json();
|
||||
const paths = Object.keys(data.paths);
|
||||
|
||||
@@ -33,12 +59,12 @@ describe('GET /api/v1/openapi.json', () => {
|
||||
});
|
||||
|
||||
it('has Cache-Control header', async () => {
|
||||
const response = await GET();
|
||||
expect(response.headers.get('Cache-Control')).toBe('public, max-age=3600');
|
||||
const response = await GET(makeRequest());
|
||||
expect(response.headers.get('Cache-Control')).toBe('private, max-age=3600');
|
||||
});
|
||||
|
||||
it('has components.schemas defined', async () => {
|
||||
const response = await GET();
|
||||
const response = await GET(makeRequest());
|
||||
const data = await response.json();
|
||||
expect(data.components).toBeDefined();
|
||||
expect(data.components.schemas).toBeDefined();
|
||||
|
||||
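Review bot: The `vi.mock('@/src/lib/api-auth', …)` factory makes `requireApiAdmin` resolve unconditionally, so every test in this file passes with or without the new guard in the route; nothing asserts that the handler calls it or that a refused caller is turned away. The mock already exposes `ApiAuthError` with a `(msg, status)` constructor and routes it through `apiErrorResponse`, so a negative case is cheap to add, assuming the real module exports `ApiAuthError` as the mock's return value implies. The `require('next/server')` inside the factory also mixes CommonJS into an otherwise ESM test file; `await import('next/server')` would keep the module style consistent. The 403 below is a constructed sample status; use whatever `requireApiAdmin` actually raises for a non-admin.
```typescript
// … unchanged: vi.mock factory, imports, makeRequest, existing cases …
it('rejects a caller that requireApiAdmin refuses', async () => {
  const { requireApiAdmin, ApiAuthError } = await import('@/src/lib/api-auth');
  vi.mocked(requireApiAdmin).mockRejectedValueOnce(new ApiAuthError('Forbidden', 403));
  const response = await GET(makeRequest());
  expect(response.status).toBe(403);
  expect(requireApiAdmin).toHaveBeenCalled();
});
```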