Restrict analytics, GeoIP status, and OpenAPI spec to admin role
Pentest found that all 8 analytics API endpoints, the GeoIP status endpoint, and the OpenAPI spec were accessible to any authenticated user. Since the user role should only have access to forward auth and self-service, these are now admin-only. - analytics/*: requireUser → requireAdmin - geoip-status: requireUser → requireAdmin - openapi.json: add requireApiAdmin + change Cache-Control to private - analytics/api-docs pages: requireUser → requireAdmin (defense-in-depth) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
fuomag9
@@ -1,7 +1,7 @@
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import AnalyticsClient from './AnalyticsClient';
|
||||
|
||||
export default async function AnalyticsPage() {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
return <AnalyticsClient />;
|
||||
}
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
import { requireUser } from "@/src/lib/auth";
|
||||
import { requireAdmin } from "@/src/lib/auth";
|
||||
import ApiDocsClient from "./ApiDocsClient";
|
||||
|
||||
export const metadata = {
|
||||
@@ -6,7 +6,7 @@ export const metadata = {
|
||||
};
|
||||
|
||||
export default async function ApiDocsPage() {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
|
||||
return <ApiDocsClient />;
|
||||
}
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import { getAnalyticsBlocked, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
|
||||
|
||||
export async function GET(req: NextRequest) {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
const { searchParams } = req.nextUrl;
|
||||
const hostsParam = searchParams.get('hosts') ?? '';
|
||||
const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import { getAnalyticsCountries, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
|
||||
|
||||
export async function GET(req: NextRequest) {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
const { searchParams } = req.nextUrl;
|
||||
const hostsParam = searchParams.get('hosts') ?? '';
|
||||
const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
import { NextResponse } from 'next/server';
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import { getAnalyticsHosts } from '@/src/lib/analytics-db';
|
||||
|
||||
export async function GET() {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
const hosts = await getAnalyticsHosts();
|
||||
return NextResponse.json(hosts);
|
||||
}
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import { getAnalyticsProtocols, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
|
||||
|
||||
export async function GET(req: NextRequest) {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
const { searchParams } = req.nextUrl;
|
||||
const hostsParam = searchParams.get('hosts') ?? '';
|
||||
const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import { getAnalyticsSummary, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
|
||||
|
||||
export async function GET(req: NextRequest) {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
const { searchParams } = req.nextUrl;
|
||||
const hostsParam = searchParams.get('hosts') ?? '';
|
||||
const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import { getAnalyticsTimeline, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
|
||||
|
||||
export async function GET(req: NextRequest) {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
const { searchParams } = req.nextUrl;
|
||||
const hostsParam = searchParams.get('hosts') ?? '';
|
||||
const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import { getAnalyticsUserAgents, INTERVAL_SECONDS } from '@/src/lib/analytics-db';
|
||||
|
||||
export async function GET(req: NextRequest) {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
const { searchParams } = req.nextUrl;
|
||||
const hostsParam = searchParams.get('hosts') ?? '';
|
||||
const hosts = hostsParam ? hostsParam.split(',').filter(Boolean) : [];
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import { NextRequest, NextResponse } from 'next/server';
|
||||
import { requireUser } from '@/src/lib/auth';
|
||||
import { requireAdmin } from '@/src/lib/auth';
|
||||
import { INTERVAL_SECONDS } from '@/src/lib/analytics-db';
|
||||
import { countWafEventsInRange, getTopWafRulesWithHosts, getWafEventCountries } from '@/src/lib/models/waf-events';
|
||||
|
||||
@@ -16,7 +16,7 @@ function resolveRange(params: URLSearchParams): { from: number; to: number } {
|
||||
}
|
||||
|
||||
export async function GET(req: NextRequest) {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
const { from, to } = resolveRange(req.nextUrl.searchParams);
|
||||
const [total, topRules, byCountry] = await Promise.all([
|
||||
countWafEventsInRange(from, to),
|
||||
|
||||
@@ -1,12 +1,12 @@
|
||||
import { existsSync } from "node:fs";
|
||||
import { NextResponse } from "next/server";
|
||||
import { requireUser } from "@/src/lib/auth";
|
||||
import { requireAdmin } from "@/src/lib/auth";
|
||||
|
||||
const COUNTRY_DB = "/usr/share/GeoIP/GeoLite2-Country.mmdb";
|
||||
const ASN_DB = "/usr/share/GeoIP/GeoLite2-ASN.mmdb";
|
||||
|
||||
export async function GET() {
|
||||
await requireUser();
|
||||
await requireAdmin();
|
||||
return NextResponse.json({
|
||||
country: existsSync(COUNTRY_DB),
|
||||
asn: existsSync(ASN_DB),
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
import { NextResponse } from "next/server";
|
||||
import { NextRequest, NextResponse } from "next/server";
|
||||
import { requireApiAdmin, apiErrorResponse } from "@/src/lib/api-auth";
|
||||
|
||||
const spec = {
|
||||
openapi: "3.1.0",
|
||||
@@ -1768,10 +1769,15 @@ const spec = {
|
||||
},
|
||||
};
|
||||
|
||||
export async function GET() {
|
||||
export async function GET(request: NextRequest) {
|
||||
try {
|
||||
await requireApiAdmin(request);
|
||||
} catch (error) {
|
||||
return apiErrorResponse(error);
|
||||
}
|
||||
return NextResponse.json(spec, {
|
||||
headers: {
|
||||
"Cache-Control": "public, max-age=3600",
|
||||
"Cache-Control": "private, max-age=3600",
|
||||
},
|
||||
});
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user