[PR #186] [MERGED] security: enforce session-derived user identity on API routes #174

New issue

Closed

opened 2026-02-27 15:55:25 +03:00 by kerem · 0 comments

kerem commented

2026-02-27 15:55:25 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/RayLabsHQ/gitea-mirror/pull/186
Author: @arunavo4
Created: 2/24/2026
Status: ✅ Merged
Merged: 2/24/2026
Merged by: @arunavo4

Base: main ← Head: codex/security-authz-hardening

📝 Commits (2)

34ccbcf security: enforce session user on api routes
f43fc42 test: harden auth guard failure path

📊 Changes

24 files changed (+325 additions, -192 deletions)

View changed files

➕ src/lib/auth-guards.test.ts (+66 -0)
➕ src/lib/auth-guards.ts (+45 -0)
📝 src/pages/api/activities/cleanup.ts (+5 -20)
📝 src/pages/api/activities/index.ts (+6 -11)
📝 src/pages/api/config/index.ts (+14 -16)
📝 src/pages/api/dashboard/index.ts (+6 -16)
📝 src/pages/api/events/index.ts (+6 -8)
📝 src/pages/api/github/organizations.ts (+6 -14)
📝 src/pages/api/github/repositories.ts (+6 -11)
📝 src/pages/api/job/mirror-org.ts (+16 -6)
📝 src/pages/api/job/mirror-repo.test.ts (+17 -6)
📝 src/pages/api/job/mirror-repo.ts (+16 -6)
📝 src/pages/api/job/reset-metadata.ts (+9 -4)
📝 src/pages/api/job/retry-repo.ts (+16 -6)
📝 src/pages/api/job/schedule-sync-repo.ts (+10 -15)
📝 src/pages/api/job/sync-repo.ts (+16 -6)
📝 src/pages/api/organizations/[id]/status.ts (+10 -5)
📝 src/pages/api/rate-limit/index.ts (+7 -10)
📝 src/pages/api/repositories/[id]/status.ts (+10 -5)
📝 src/pages/api/sse/index.ts (+5 -7)

...and 4 more files

📄 Description

Summary

add a shared API auth guard to require authenticated session identity
remove trust in client-supplied userId across API routes
scope ID-based mutation routes to the authenticated user
update mirror-repo API tests for unauthenticated 401 behavior

Security impact

closes IDOR-style access where callers could act on arbitrary user data by passing userId
blocks unauthenticated config creation/overwrite and token disclosure paths in /api/config

Validation

bun test src/pages/api/job/mirror-repo.test.ts
grep audit confirms API routes no longer read userId from request query/body

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/RayLabsHQ/gitea-mirror/pull/186 **Author:** [@arunavo4](https://github.com/arunavo4) **Created:** 2/24/2026 **Status:** ✅ Merged **Merged:** 2/24/2026 **Merged by:** [@arunavo4](https://github.com/arunavo4) **Base:** `main` ← **Head:** `codex/security-authz-hardening` --- ### 📝 Commits (2) - [`34ccbcf`](https://github.com/RayLabsHQ/gitea-mirror/commit/34ccbcf7c63b78645c652c343407d3f90bb3eb74) security: enforce session user on api routes - [`f43fc42`](https://github.com/RayLabsHQ/gitea-mirror/commit/f43fc422b96f0231315a10b3314976075bdb47bd) test: harden auth guard failure path ### 📊 Changes **24 files changed** (+325 additions, -192 deletions) <details> <summary>View changed files</summary> ➕ `src/lib/auth-guards.test.ts` (+66 -0) ➕ `src/lib/auth-guards.ts` (+45 -0) 📝 `src/pages/api/activities/cleanup.ts` (+5 -20) 📝 `src/pages/api/activities/index.ts` (+6 -11) 📝 `src/pages/api/config/index.ts` (+14 -16) 📝 `src/pages/api/dashboard/index.ts` (+6 -16) 📝 `src/pages/api/events/index.ts` (+6 -8) 📝 `src/pages/api/github/organizations.ts` (+6 -14) 📝 `src/pages/api/github/repositories.ts` (+6 -11) 📝 `src/pages/api/job/mirror-org.ts` (+16 -6) 📝 `src/pages/api/job/mirror-repo.test.ts` (+17 -6) 📝 `src/pages/api/job/mirror-repo.ts` (+16 -6) 📝 `src/pages/api/job/reset-metadata.ts` (+9 -4) 📝 `src/pages/api/job/retry-repo.ts` (+16 -6) 📝 `src/pages/api/job/schedule-sync-repo.ts` (+10 -15) 📝 `src/pages/api/job/sync-repo.ts` (+16 -6) 📝 `src/pages/api/organizations/[id]/status.ts` (+10 -5) 📝 `src/pages/api/rate-limit/index.ts` (+7 -10) 📝 `src/pages/api/repositories/[id]/status.ts` (+10 -5) 📝 `src/pages/api/sse/index.ts` (+5 -7) _...and 4 more files_ </details> ### 📄 Description ## Summary - add a shared API auth guard to require authenticated session identity - remove trust in client-supplied userId across API routes - scope ID-based mutation routes to the authenticated user - update mirror-repo API tests for unauthenticated 401 behavior ## Security impact - closes IDOR-style access where callers could act on arbitrary user data by passing userId - blocks unauthenticated config creation/overwrite and token disclosure paths in /api/config ## Validation - bun test src/pages/api/job/mirror-repo.test.ts - grep audit confirms API routes no longer read userId from request query/body --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>