From 8e32deaa94feb824c42264df40edf6045566231e Mon Sep 17 00:00:00 2001
From: Miracle656
Date: Fri, 27 Mar 2026 16:16:23 +0100
Subject: [PATCH] fix: require auth on /api/contracts endpoint

Unauthenticated callers could enumerate all 17 Soroban contract addresses in a single request. Added requireAuth middleware to gate the endpoint behind a valid Bearer token. Closes #299.
---
 backend/src/api/routes.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/backend/src/api/routes.ts b/backend/src/api/routes.ts
index a0b373f..c3d33a4 100644
--- a/backend/src/api/routes.ts
+++ b/backend/src/api/routes.ts
@@ -5,6 +5,7 @@ import {
 getFeeStats,
 } from "../services/horizon";
 import { stellarConfig, CONTRACT_IDS } from "../config/stellar";
+import { requireAuth } from "../middleware/auth";
 import campaignRoutes from "../routes/campaigns";
 import publisherRoutes from "../routes/publishers";
 import auctionRoutes from "../routes/auctions";
@@ -91,8 +92,8 @@ router.get(
 },
 );
-// List deployed contract IDs
-router.get("/contracts", (_req: Request, res: Response) => {
+// List deployed contract IDs (auth required)
+router.get("/contracts", requireAuth, (_req: Request, res: Response) => {
 res.json({ contracts: CONTRACT_IDS });
 });
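Review bot: The `/contracts` route now depends entirely on `requireAuth` ending the request before the handler runs, but that middleware's contract is not visible in this change and no regression test for #299 accompanies it; a test asserting that a request with no `Authorization` header, and one with a malformed or expired Bearer token, gets a 401 and no `contracts` field in the body would pin the fix in place. The gate is applied per-route here, so it is worth confirming that no other handler in this router still returns `CONTRACT_IDS` or `stellarConfig` unauthenticated; if several do, `router.use(requireAuth)` ahead of that group is harder to forget than a per-route argument. The `router.get(` call whose closing lines open the second hunk starts outside the hunk, so whether it is also gated cannot be judged from this diff. The comment could state the expectation explicitly: `// List deployed contract IDs (requireAuth must respond 401 and not call next() on a bad token)`.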