881992b6cc
Pentest found that all 8 analytics API endpoints, the GeoIP status endpoint, and the OpenAPI spec were accessible to any authenticated user. Since the user role should only have access to forward auth and self-service, these are now admin-only. - analytics/*: requireUser → requireAdmin - geoip-status: requireUser → requireAdmin - openapi.json: add requireApiAdmin + change Cache-Control to private - analytics/api-docs pages: requireUser → requireAdmin (defense-in-depth) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
28 lines
1.1 KiB
TypeScript
28 lines
1.1 KiB
TypeScript
import { NextRequest, NextResponse } from 'next/server';
|
|
import { requireAdmin } from '@/src/lib/auth';
|
|
import { INTERVAL_SECONDS } from '@/src/lib/analytics-db';
|
|
import { countWafEventsInRange, getTopWafRulesWithHosts, getWafEventCountries } from '@/src/lib/models/waf-events';
|
|
|
|
function resolveRange(params: URLSearchParams): { from: number; to: number } {
|
|
const fromParam = params.get('from');
|
|
const toParam = params.get('to');
|
|
if (fromParam && toParam) {
|
|
return { from: parseInt(fromParam, 10), to: parseInt(toParam, 10) };
|
|
}
|
|
const interval = params.get('interval') ?? '1h';
|
|
const to = Math.floor(Date.now() / 1000);
|
|
const from = to - (INTERVAL_SECONDS[interval as keyof typeof INTERVAL_SECONDS] ?? INTERVAL_SECONDS['1h']);
|
|
return { from, to };
|
|
}
|
|
|
|
export async function GET(req: NextRequest) {
|
|
await requireAdmin();
|
|
const { from, to } = resolveRange(req.nextUrl.searchParams);
|
|
const [total, topRules, byCountry] = await Promise.all([
|
|
countWafEventsInRange(from, to),
|
|
getTopWafRulesWithHosts(from, to, 10),
|
|
getWafEventCountries(from, to),
|
|
]);
|
|
return NextResponse.json({ total, topRules, byCountry });
|
|
}
|