akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Restrict analytics, GeoIP status, and OpenAPI spec to admin role

Browse Source 
Pentest found that all 8 analytics API endpoints, the GeoIP status
endpoint, and the OpenAPI spec were accessible to any authenticated
user. Since the user role should only have access to forward auth
and self-service, these are now admin-only.

- analytics/*: requireUser → requireAdmin
- geoip-status: requireUser → requireAdmin
- openapi.json: add requireApiAdmin + change Cache-Control to private
- analytics/api-docs pages: requireUser → requireAdmin (defense-in-depth)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
fuomag9
2026-04-06 00:02:13 +02:00
parent b81c211da9
commit 881992b6cc
13 changed files with 64 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
tests/unit/api-routes/openapi.test.ts
View File

@@ -1,20 +1,46 @@
import { describe, it, expect } from 'vitest';
import { describe, it, expect, vi } from 'vitest';
import { NextRequest } from 'next/server';
vi.mock('@/src/lib/api-auth', () => {
const ApiAuthError = class extends Error {
status: number;
constructor(msg: string, status: number) { super(msg); this.status = status; this.name = 'ApiAuthError'; }
};
return {
requireApiAdmin: vi.fn().mockResolvedValue({ userId: 1, role: 'admin', authMethod: 'bearer' }),
apiErrorResponse: vi.fn((error: unknown) => {
const { NextResponse: NR } = require('next/server');
if (error instanceof ApiAuthError) {
return NR.json({ error: error.message }, { status: error.status });
}
return NR.json({ error: error instanceof Error ? error.message : 'Internal server error' }, { status: 500 });
}),
ApiAuthError,
};
});
import { GET } from '@/app/api/v1/openapi.json/route';
function makeRequest() {
return new NextRequest('http://localhost/api/v1/openapi.json', {
headers: { authorization: 'Bearer test-token' },
});
}
describe('GET /api/v1/openapi.json', () => {
it('returns 200', async () => {
const response = await GET();
const response = await GET(makeRequest());
expect(response.status).toBe(200);
});
it('returns valid JSON with openapi field = "3.1.0"', async () => {
const response = await GET();
const response = await GET(makeRequest());
const data = await response.json();
expect(data.openapi).toBe('3.1.0');
});
it('contains all expected paths', async () => {
const response = await GET();
const response = await GET(makeRequest());
const data = await response.json();
const paths = Object.keys(data.paths);
@@ -33,12 +59,12 @@ describe('GET /api/v1/openapi.json', () => {
});
it('has Cache-Control header', async () => {
const response = await GET();
expect(response.headers.get('Cache-Control')).toBe('public, max-age=3600');
const response = await GET(makeRequest());
expect(response.headers.get('Cache-Control')).toBe('private, max-age=3600');
});
it('has components.schemas defined', async () => {
const response = await GET();
const response = await GET(makeRequest());
const data = await response.json();
expect(data.components).toBeDefined();
expect(data.components.schemas).toBeDefined();