Pentest found that all 8 analytics API endpoints, the GeoIP status endpoint, and the OpenAPI spec were accessible to any authenticated user. Since the user role should only have access to forward auth and self-service, these are now admin-only.

- analytics/*: requireUser → requireAdmin
- geoip-status: requireUser → requireAdmin
- openapi.json: add requireApiAdmin + change Cache-Control to private
- analytics/api-docs pages: requireUser → requireAdmin (defense-in-depth)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
13 lines
245 B
TypeScript
import { requireAdmin } from "@/src/lib/auth";
import ApiDocsClient from "./ApiDocsClient";

export const metadata = {
  title: "API Docs",
};

// Server component: the admin gate runs before any client markup is rendered,
// so a non-admin session never receives the docs UI. This is the
// defense-in-depth layer from the commit message; the OpenAPI route itself
// carries its own requireApiAdmin check.
export default async function ApiDocsPage() {
  await requireAdmin();

  return <ApiDocsClient />;
}
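Review bot: the guard on the `await requireAdmin();` line only protects this page if `requireAdmin()` throws or redirects for a non-admin session; its return value is discarded, so an implementation that signalled failure by returning null or false would still render `<ApiDocsClient />` to a `user` role. A test that loads the page with a non-admin session and expects a redirect or 403 would pin that down. The commit message also calls this layer defense-in-depth, which is the right framing: this page guard does nothing for direct requests to openapi.json or analytics/*, so those routes must keep their own `requireApiAdmin` checks.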
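The commit message describes the API-side half of the fix (requireUser replaced by an admin-only gate on the analytics, GeoIP status and openapi.json routes, plus a private Cache-Control on the spec) but the diff shown is only the page component. The following is an added, self-contained TypeScript example, not the project's code, that shows what such a route guard looks like and why both halves matter: a user-role session gets 403, an anonymous request gets 401, and only an admin receives the spec. The `Session` type, the `SESSIONS` token table, `getSession`, `withApiAdmin` and `openapiHandler` are all assumptions constructed for this example; they stand in for the project's real `@/src/lib/auth` helpers.

```typescript
// Added example (not the project's code): an admin-only gate for API route
// handlers, modelled on the requireUser -> requireApiAdmin change described in
// the commit message. Session shape, token table and handler names are assumed.

type Role = "user" | "admin";
interface Session { userId: string; role: Role }

// Error carrying an HTTP status so the wrapper can turn guard failures into responses.
class HttpError extends Error {
  readonly status: number;
  constructor(status: number, message: string) {
    super(message);
    this.status = status;
    Object.setPrototypeOf(this, HttpError.prototype); // keep instanceof working under ES5 targets
  }
}

// Constructed token -> session table standing in for real session resolution.
const SESSIONS: Record<string, Session> = {
  "tok-user": { userId: "u1", role: "user" },
  "tok-admin": { userId: "a1", role: "admin" },
};

function getSession(token: string | undefined): Session | null {
  return token ? SESSIONS[token] ?? null : null;
}

// Any authenticated user passes. This is the check the pentest found on
// analytics/* and geoip-status: it answers "who are you?", not "may you?".
function requireUser(token: string | undefined): Session {
  const s = getSession(token);
  if (!s) throw new HttpError(401, "authentication required");
  return s;
}

// Admin-only gate: unauthenticated callers get 401, authenticated non-admins 403.
function requireApiAdmin(token: string | undefined): Session {
  const s = requireUser(token);
  if (s.role !== "admin") throw new HttpError(403, "admin role required");
  return s;
}

interface ApiResponse { status: number; headers: Record<string, string>; body: string }

// Wraps a handler so a guard failure yields an error response and the payload
// is never built for a caller who failed the check.
function withApiAdmin(handler: (s: Session) => ApiResponse) {
  return (token: string | undefined): ApiResponse => {
    try {
      return handler(requireApiAdmin(token));
    } catch (e) {
      if (e instanceof HttpError) {
        return {
          status: e.status,
          headers: { "Cache-Control": "no-store" },
          body: JSON.stringify({ error: e.message }),
        };
      }
      throw e;
    }
  };
}

// openapi.json handler. The spec is served with Cache-Control: private so a
// shared cache cannot replay a copy fetched by an admin to a later caller that
// would itself fail the guard.
const openapiHandler = withApiAdmin(() => ({
  status: 200,
  headers: { "Content-Type": "application/json", "Cache-Control": "private" },
  body: JSON.stringify({ openapi: "3.0.0", info: { title: "constructed spec", version: "0" }, paths: {} }),
}));

// Stand-alone run: exercise the three caller classes.
console.log(openapiHandler(undefined).status, openapiHandler("tok-user").status, openapiHandler("tok-admin").status);
```

The design point is that the page-level `requireAdmin()` and the route-level `requireApiAdmin` are independent: a client that skips the docs page and requests openapi.json directly is only stopped by the route guard, and the private Cache-Control keeps an intermediary cache from undoing that guard after the fact.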