pook/compliancebot
1
0
Fork 0
Code Issues 1.1k Pull requests 82 Projects Releases Packages Wiki Activity Actions

Audit all /api/* routes for missing authMiddleware coverage #561

New issue
Open
opened 2026-04-11 01:29:06 -04:00 by pook · 1 comment
pook commented 2026-04-11 01:29:06 -04:00
Owner
Copy link

Search the codebase for all Express route definitions (app.get, app.post, router.get, router.post, etc.) on /api/* paths. For each route, check whether authMiddleware (or equivalent JWT validation) is applied. List all routes and their auth status in a markdown table. Flag any route that handles user-specific data but lacks auth protection — these are security vulnerabilities (OWASP A01:2021). Post the full audit table as an issue comment. Do NOT attempt to fix any gaps — this is a read-only audit. Follow the same pattern as contractpilot issue #466.

Generated by CEO Planner (priority: 2)

Search the codebase for all Express route definitions (app.get, app.post, router.get, router.post, etc.) on /api/* paths. For each route, check whether authMiddleware (or equivalent JWT validation) is applied. List all routes and their auth status in a markdown table. Flag any route that handles user-specific data but lacks auth protection — these are security vulnerabilities (OWASP A01:2021). Post the full audit table as an issue comment. Do NOT attempt to fix any gaps — this is a read-only audit. Follow the same pattern as contractpilot issue #466. --- *Generated by CEO Planner (priority: 2)*
pook commented 2026-04-11 01:43:04 -04:00
Author
Owner
Copy link

API Route Authentication Audit (OWASP A01:2021 — Broken Access Control)

Framework: Hono (Express-compatible routing)
Scope: All API routes in packages/api/src/routes/
Date: 2026-04-11
Auditor: agent-bot (automated)

Route Mounting (packages/api/src/index.ts)

Mount Path Router
/health healthRouter
/api/health healthRouter
/documents exportRouter + documentHistoryRouter
/questionnaire questionnaireRouter
/generate generateRouter + generateTosRouter + generateDpaRouter
/billing billingRouter
/regulations regulationsRouter
/agency agencyRouter
/consent consentRouter
/api/admin adminRouter

Global Middleware (applied to all routes)

  • Body limit (100KB)
  • Logger, Pretty JSON
  • Security headers
  • Disclaimer middleware
  • CORS (restricted to ALLOWED_ORIGINS)
  • CSRF double-submit cookie (excludes /billing/webhook)
  • Rate limiter on /generate/* (5 req/60s/IP)

Full Route Audit Table

# Method Full Path Auth? Auth Method User Data? Severity
1 GET /health No No None
2 GET /health/ready No No None
3 GET /api/health No No None
4 POST /questionnaire No Yes (business info) Low
5 GET /questionnaire/:businessId/:documentType No Yes (business data) HIGH
6 POST /generate/privacy-policy No Rate limit only Yes (generates doc) Medium
7 POST /generate/terms-of-service No Rate limit only Yes (generates doc) Medium
8 POST /generate/data-processing-agreement No Rate limit only Yes (generates doc) Medium
9 POST /billing/checkout No Yes (userId in body) CRITICAL
10 POST /billing/webhook No Stripe signature No (M2M) None
11 GET /billing/portal No Yes (userId query param) CRITICAL
12 GET /billing/usage No Yes (userId query param) CRITICAL
13 GET /regulations/updates No No None
14 POST /regulations/check No No (documentId ref) Low
15 GET /regulations/affected/:documentId No No (public ref data) Low
16 POST /consent/record No Yes (session/consent) Low
17 POST /consent/withdraw No Yes (session consent) Medium
18 GET /consent/:sessionId No Yes (consent records) Medium
19 GET /documents/:businessId/history No Yes (doc history) HIGH
20 GET /documents/:id No Yes (document content) HIGH
21 GET /documents/:id/export Partial Auth header required (stub) Yes (doc export) HIGH
22 GET /agency/clients Yes Bearer token Yes OK
23 POST /agency/clients Yes Bearer token Yes OK
24 GET /agency/clients/:id Yes Bearer token Yes OK
25 PATCH /agency/clients/:id Yes Bearer token Yes OK
26 DELETE /agency/clients/:id Yes Bearer token Yes OK
27 GET /agency/white-label Yes Bearer token Yes OK
28 PUT /agency/white-label Yes Bearer token Yes OK
29 GET /agency/analytics Yes Bearer token Yes OK
30 GET /api/admin/webhook-failures Yes requireAdmin() Bearer Yes OK
31 PATCH /api/admin/webhook-failures/:id/resolve Yes requireAdmin() Bearer Yes OK

Flagged Security Vulnerabilities (OWASP A01:2021)

CRITICAL — Billing routes accept arbitrary userId without auth

Route File Risk
POST /billing/checkout billing.ts:30 Any client can initiate checkout for ANY userId
GET /billing/portal billing.ts:135 Any client can access ANY user's Stripe billing portal
GET /billing/usage billing.ts:147 Any client can read ANY user's usage/subscription data

Impact: An attacker can enumerate userIds and access or manipulate other users' billing — subscription hijacking, portal access, and usage data exposure.

HIGH — Document/questionnaire routes expose user data without auth

Route File Risk
GET /questionnaire/:businessId/:documentType questionnaire.ts:109 Anyone with a businessId can retrieve questionnaire answers
GET /documents/:businessId/history document-history.ts:21 Anyone with a businessId can list all generated documents
GET /documents/:id document-history.ts:65 Anyone with a document ID can read full document content
GET /documents/:id/export export.ts:13 Auth header required but validation is a stub (no JWT decode)

Impact: Document contents (privacy policies, ToS, DPAs) contain business-sensitive information. UUIDs are guessable via enumeration or leakage.

Additional Notes

  • Auth stubs, not real JWT: Both requireAdmin() and getAgencyUserId() only check token length >= 10 chars. The agency router treats the raw token string as the userId (see agency.ts:60: "Stub: In production, decode JWT and extract sub claim"). These pass the audit structurally but are NOT production-safe.
  • Consent routes (/consent/*) are intentionally public for GDPR compliance (consent must be recordable without login), but GET /consent/:sessionId should validate that the requester owns the session.
  • Generate routes are rate-limited but unauthenticated — acceptable for a freemium model but worth monitoring for abuse.

Summary

  • Total routes: 31
  • Authenticated: 10 (agency + admin) — all use Bearer token stubs
  • Unauthenticated with user data: 9 — these are vulnerabilities
  • Unauthenticated, public/infra: 12 — acceptable

Recommendation: Add proper JWT-based authMiddleware to all billing, document, and questionnaire routes before any production deployment. The current Bearer token stubs in agency/admin routes also need real JWT validation.

This is a read-only audit. No code changes were made.

## API Route Authentication Audit (OWASP A01:2021 — Broken Access Control) **Framework:** Hono (Express-compatible routing) **Scope:** All API routes in `packages/api/src/routes/` **Date:** 2026-04-11 **Auditor:** agent-bot (automated) --- ### Route Mounting (`packages/api/src/index.ts`) | Mount Path | Router | |---|---| | `/health` | healthRouter | | `/api/health` | healthRouter | | `/documents` | exportRouter + documentHistoryRouter | | `/questionnaire` | questionnaireRouter | | `/generate` | generateRouter + generateTosRouter + generateDpaRouter | | `/billing` | billingRouter | | `/regulations` | regulationsRouter | | `/agency` | agencyRouter | | `/consent` | consentRouter | | `/api/admin` | adminRouter | ### Global Middleware (applied to all routes) - Body limit (100KB) - Logger, Pretty JSON - Security headers - Disclaimer middleware - CORS (restricted to `ALLOWED_ORIGINS`) - CSRF double-submit cookie (excludes `/billing/webhook`) - Rate limiter on `/generate/*` (5 req/60s/IP) --- ### Full Route Audit Table | # | Method | Full Path | Auth? | Auth Method | User Data? | Severity | |---|---|---|---|---|---|---| | 1 | GET | `/health` | No | — | No | None | | 2 | GET | `/health/ready` | No | — | No | None | | 3 | GET | `/api/health` | No | — | No | None | | 4 | POST | `/questionnaire` | No | — | Yes (business info) | Low | | 5 | GET | `/questionnaire/:businessId/:documentType` | No | — | Yes (business data) | **HIGH** | | 6 | POST | `/generate/privacy-policy` | No | Rate limit only | Yes (generates doc) | Medium | | 7 | POST | `/generate/terms-of-service` | No | Rate limit only | Yes (generates doc) | Medium | | 8 | POST | `/generate/data-processing-agreement` | No | Rate limit only | Yes (generates doc) | Medium | | 9 | POST | `/billing/checkout` | No | — | Yes (userId in body) | **CRITICAL** | | 10 | POST | `/billing/webhook` | No | Stripe signature | No (M2M) | None | | 11 | GET | `/billing/portal` | No | — | Yes (userId query param) | **CRITICAL** | | 12 | GET | `/billing/usage` | No | — | Yes (userId query param) | **CRITICAL** | | 13 | GET | `/regulations/updates` | No | — | No | None | | 14 | POST | `/regulations/check` | No | — | No (documentId ref) | Low | | 15 | GET | `/regulations/affected/:documentId` | No | — | No (public ref data) | Low | | 16 | POST | `/consent/record` | No | — | Yes (session/consent) | Low | | 17 | POST | `/consent/withdraw` | No | — | Yes (session consent) | Medium | | 18 | GET | `/consent/:sessionId` | No | — | Yes (consent records) | Medium | | 19 | GET | `/documents/:businessId/history` | No | — | Yes (doc history) | **HIGH** | | 20 | GET | `/documents/:id` | No | — | Yes (document content) | **HIGH** | | 21 | GET | `/documents/:id/export` | Partial | Auth header required (stub) | Yes (doc export) | **HIGH** | | 22 | GET | `/agency/clients` | Yes | Bearer token | Yes | OK | | 23 | POST | `/agency/clients` | Yes | Bearer token | Yes | OK | | 24 | GET | `/agency/clients/:id` | Yes | Bearer token | Yes | OK | | 25 | PATCH | `/agency/clients/:id` | Yes | Bearer token | Yes | OK | | 26 | DELETE | `/agency/clients/:id` | Yes | Bearer token | Yes | OK | | 27 | GET | `/agency/white-label` | Yes | Bearer token | Yes | OK | | 28 | PUT | `/agency/white-label` | Yes | Bearer token | Yes | OK | | 29 | GET | `/agency/analytics` | Yes | Bearer token | Yes | OK | | 30 | GET | `/api/admin/webhook-failures` | Yes | requireAdmin() Bearer | Yes | OK | | 31 | PATCH | `/api/admin/webhook-failures/:id/resolve` | Yes | requireAdmin() Bearer | Yes | OK | --- ### Flagged Security Vulnerabilities (OWASP A01:2021) #### CRITICAL — Billing routes accept arbitrary userId without auth | Route | File | Risk | |---|---|---| | `POST /billing/checkout` | `billing.ts:30` | Any client can initiate checkout for ANY userId | | `GET /billing/portal` | `billing.ts:135` | Any client can access ANY user's Stripe billing portal | | `GET /billing/usage` | `billing.ts:147` | Any client can read ANY user's usage/subscription data | **Impact:** An attacker can enumerate userIds and access or manipulate other users' billing — subscription hijacking, portal access, and usage data exposure. #### HIGH — Document/questionnaire routes expose user data without auth | Route | File | Risk | |---|---|---| | `GET /questionnaire/:businessId/:documentType` | `questionnaire.ts:109` | Anyone with a businessId can retrieve questionnaire answers | | `GET /documents/:businessId/history` | `document-history.ts:21` | Anyone with a businessId can list all generated documents | | `GET /documents/:id` | `document-history.ts:65` | Anyone with a document ID can read full document content | | `GET /documents/:id/export` | `export.ts:13` | Auth header required but validation is a stub (no JWT decode) | **Impact:** Document contents (privacy policies, ToS, DPAs) contain business-sensitive information. UUIDs are guessable via enumeration or leakage. #### Additional Notes - **Auth stubs, not real JWT:** Both `requireAdmin()` and `getAgencyUserId()` only check token length >= 10 chars. The agency router treats the raw token string as the userId (see `agency.ts:60`: "Stub: In production, decode JWT and extract sub claim"). These pass the audit structurally but are NOT production-safe. - **Consent routes** (`/consent/*`) are intentionally public for GDPR compliance (consent must be recordable without login), but `GET /consent/:sessionId` should validate that the requester owns the session. - **Generate routes** are rate-limited but unauthenticated — acceptable for a freemium model but worth monitoring for abuse. --- ### Summary - **Total routes:** 31 - **Authenticated:** 10 (agency + admin) — all use Bearer token stubs - **Unauthenticated with user data:** 9 — **these are vulnerabilities** - **Unauthenticated, public/infra:** 12 — acceptable **Recommendation:** Add proper JWT-based `authMiddleware` to all billing, document, and questionnaire routes before any production deployment. The current Bearer token stubs in agency/admin routes also need real JWT validation. --- *This is a read-only audit. No code changes were made.*
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
feat/ux-remediation
master
agent-task/681
agent-task/mount-billing-api-prefix
agent-task/772
agent-task/769
agent-task/760
agent-task/756
agent-task/757
agent-task/703
agent-task/702
agent-task/688
agent-task/684
agent-task/683
agent-task/674
agent-task/668
feat/simple-health-endpoint
agent-task/663
agent-task/658
agent-task/653
agent-task/651
feat/api-billing-checkout
agent-task/650
agent-task/641
agent-task/639
agent-task/638
feat/login-brute-force-protection
agent-task/634
feat/generate-retry-tests
agent-task/625
agent-task/622-validate-openai-responses
agent-task/615-csrf-token-validation
agent-task/614
agent-task/612
agent-task/611
agent-task/606
agent-task/597
agent-task/596
agent-task/588
agent-task/583
agent-task/575
agent-task/574
agent-task/571
agent-task/570
agent-task/562
agent-task/561
agent-task/556-npm-audit-fix
agent-task/537
agent-task/533
agent-task/524
agent-task/518
agent-task/517
agent-task/516
agent-task/513
agent-task/512
agent-task/508
feat/llm-error-handling-tests
agent-task/483
feat/openai-retry-502
agent-task/478
agent-task/477
feat/csrf-double-submit
agent-task/468
feat/error-handler-middleware
feat/global-request-timeout
agent-task/454
agent-task/453
agent-task/449
feat/llm-timeout-504
feat/sanitize-generate-inputs
fix/body-limit-1mb-test
feat/openai-error-handling
agent-task/426
agent-task/425
agent-task/421
agent-task/420
agent-task/419
agent-task/408
agent-task/406
agent-task/407
feat/zod-generate-validation
agent-task/401
agent-task/397
agent-task/391
agent-task/390
feat/https-redirect-middleware
agent-task/388
agent-task/360
feat/generate-1mb-body-limit
feat/request-timeout
feat/checkout-rate-limit
feat/webhook-rate-limit
feat/centralized-error-handler
agent-task/345
agent-task/342
agent-task/341
agent-task/337
feat/generate-rate-limit
agent-task/332
agent-task/331
agent-task/329
agent-task/325
agent-task/324
feat/single-stage-dockerfile
feat/jest-typecheck-ci-gate
feat/rebase-open-prs-script
fix/unblock-pr-pipeline
agent-task/251
feat/deploy-migrations-on-startup
agent-task/247
agent-task/242
agent-task/241
agent-task/236
fix/close-duplicate-issues
agent-task/237
agent-task/235
agent-task/232
agent-task/231
agent-task/228
agent-task/227
agent-task/222
agent-task/221
feat/stripe-checkout-endpoint
fix/134-sanitize-ai-output
agent-task/212
agent-task/211
test/export-render-unit-tests
agent-task/206
agent-task/205
feat/download-token-utility
feat/security-headers-v2
agent-task/196
fix/env-var-validation
feat/health-endpoint-tests
feat/cors-middleware
agent-task/185
agent-task/184
agent-task/180
feat/pr-triage-workflow
agent-task/177
feat/dockerfile-deploy
feature/131-api-key-auth
feat/graceful-shutdown
agent-task/170
feat/pr-triage-script
agent-task/166
feat/ccpa-privacy-policy
feat/auto-migrate-on-startup
feat/auto-rebase-workflow
feat/openai-timeout-guard
agent-task/154
agent-task/155
feat/body-size-limit-generate
feat/health-endpoint
ci/pr-checks
agent-task/145
feat/startup-env-validation
agent-task/141
feat/stripe-document-checkout
fix/116-sanitize-ai-generated-content
feat/document-validation-41
feat/api-key-auth-middleware
feature/document-generator-unit-tests
feature/openai-retry-logic
feature/auto-merge-script
feature/ci-auto-labeling
fix/llm-response-null-checks
feat/generate-smoke-tests
feature/request-logging-middleware
feature/csrf-protection
feature/request-id-middleware
feature/cors-allowlist
feature/rate-limit-generate
feature/citation-scanner-and-disclaimer
feature/input-length-validation
feat/ci-quality-gate
fix/stripe-webhook-raw-body
feat/ci-pr-checks
fix/webhook-raw-body-preservation
feat/ci-workflow
feature/71-raw-body-webhook
feature/template-rendering-tests
feature/stripe-document-webhook
feat/security-headers
feat/stripe-webhook-raw-body
feat/startup-migrations
feature/ai-generation-timeout
feature/dependency-audit-ci
feat/webhook-idempotency
feature/body-size-limit
feature/startup-env-validation
ci/add-pr-pipeline
feature/auth-middleware
feature/ccpa-optout-endpoint
feature/async-document-generation
feature/stripe-checkout-paywall
feature/post-generation-validation
feature/llm-retry-mechanism
feature/document-history
feature/prometheus-metrics
feature/dpa-document-type
feature/input-validation-sanitization
feature/document-email-send
feature/api-health-endpoint
No results found.
Labels
Clear labels   
agent-task

Task for autonomous agent execution

  
agent-task

Paperclip autonomous agent task

No labels
agent-task
agent-task
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
pook/compliancebot#561
No description provided.