akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Restrict analytics, GeoIP status, and OpenAPI spec to admin role

Browse Source 
Pentest found that all 8 analytics API endpoints, the GeoIP status
endpoint, and the OpenAPI spec were accessible to any authenticated
user. Since the user role should only have access to forward auth
and self-service, these are now admin-only.

- analytics/*: requireUser → requireAdmin
- geoip-status: requireUser → requireAdmin
- openapi.json: add requireApiAdmin + change Cache-Control to private
- analytics/api-docs pages: requireUser → requireAdmin (defense-in-depth)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
fuomag9
2026-04-06 00:02:13 +02:00
parent b81c211da9
commit 881992b6cc
13 changed files with 64 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
app/api/v1/openapi.json/route.ts
View File

@@ -1,4 +1,5 @@
import { NextResponse } from "next/server";
import { NextRequest, NextResponse } from "next/server";
import { requireApiAdmin, apiErrorResponse } from "@/src/lib/api-auth";
const spec = {
openapi: "3.1.0",
@@ -1768,10 +1769,15 @@ const spec = {
},
};
export async function GET() {
export async function GET(request: NextRequest) {
try {
await requireApiAdmin(request);
} catch (error) {
return apiErrorResponse(error);
}
return NextResponse.json(spec, {
headers: {
"Cache-Control": "public, max-age=3600",
"Cache-Control": "private, max-age=3600",
},
});
}