jarvis/dd0c
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix CRITICAL auth bypass: exact match for login/signup paths
Some checks failed
CI — P2 Drift (Go + Node) / agent (push) Successful in 45s
Details
CI — P2 Drift (Go + Node) / saas (push) Successful in 28s
Details
CI — P3 Alert / test (push) Successful in 24s
Details
CI — P4 Portal / test (push) Successful in 27s
Details
CI — P5 Cost / test (push) Successful in 26s
Details
CI — P6 Run / saas (push) Successful in 25s
Details
CI — P2 Drift (Go + Node) / build-push (push) Failing after 46s
Details
CI — P3 Alert / build-push (push) Failing after 38s
Details
CI — P4 Portal / build-push (push) Failing after 50s
Details
CI — P5 Cost / build-push (push) Failing after 22s
Details
CI — P6 Run / build-push (push) Failing after 1m3s
Details

Browse Source 
startsWith('/api/v1/auth/login') allowed any path with that prefix
to bypass authentication (e.g. /api/v1/auth/login-anything).
Changed to exact path match with query string stripping.
Fixed across all 5 products + shared/auth.ts.
This commit is contained in:
Max Mayfield
2026-03-02 20:35:28 +00:00
parent dac6376fb2
commit be3f37cfdd
6 changed files with 12 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
products/03-alert-intelligence/src/auth/middleware.ts
View File

@@ -27,7 +27,8 @@ export function registerAuth(app: FastifyInstance, jwtSecret: string, pool: Pool
if (req.url === '/health' || req.url === '/version') return;
if (req.url.startsWith('/webhooks/')) return;
if (req.url.startsWith('/slack/')) return;
if (req.url.startsWith('/api/v1/auth/login') || req.url.startsWith('/api/v1/auth/signup')) return;
const path = req.url.split('?')[0];
if (path === '/api/v1/auth/login' || path === '/api/v1/auth/signup') return;
const apiKey = req.headers['x-api-key'] as string | undefined;
const authHeader = req.headers['authorization'];