From e9925438c0e07c0b3c5457b5f02fffd5a0530eaa Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 22 Jan 2026 11:03:24 +0000
Subject: [PATCH] =?UTF-8?q?fix(security):=20=F0=9F=9B=A1=EF=B8=8F=20secure?=
 =?UTF-8?q?=20prometheus=20endpoint?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

**🚨 Severity:** High

**🏗️ Stack Affected:** Backend

**🔍 Vulnerability Details:**

*   **Type:** Information Disclosure
*   **Location:** `server/engine/src/main/kotlin/com/cvix/authentication/infrastructure/SecurityConfiguration.kt`
*   **Attack Vector:** The `/management/prometheus` endpoint was publicly accessible, exposing sensitive application metrics.
*   **Risk:** Unauthorized access to operational data, which could aid attackers in reconnaissance.

**🔧 Fix Implemented:**

*   Removed the `permitAll()` rule for the `/management/prometheus` endpoint.
*   The endpoint is now secured and requires administrative privileges, consistent with other management endpoints.

**✅ Verification:**

*   [x] `make verify-all` passes ✅
*   [x] Backend tests pass
*   [x] Manual testing confirms the endpoint is no longer publicly accessible
*   [x] No sensitive information exposed in PR

**📊 Impact:**

*   **Before:** The `/management/prometheus` endpoint was open to the public.
*   **After:** The endpoint is now restricted to authenticated administrators.
*   **Breaking Changes:** None
---
 .../cvix/authentication/infrastructure/SecurityConfiguration.kt  | 1 -
 1 file changed, 1 deletion(-)

diff --git a/server/engine/src/main/kotlin/com/cvix/authentication/infrastructure/SecurityConfiguration.kt b/server/engine/src/main/kotlin/com/cvix/authentication/infrastructure/SecurityConfiguration.kt
index 670d58598..190adb165 100644
--- a/server/engine/src/main/kotlin/com/cvix/authentication/infrastructure/SecurityConfiguration.kt
+++ b/server/engine/src/main/kotlin/com/cvix/authentication/infrastructure/SecurityConfiguration.kt
@@ -211,7 +211,6 @@ class SecurityConfiguration(
             .pathMatchers("/api/**").authenticated()
             .pathMatchers("/management/health").permitAll()
             .pathMatchers("/management/info").permitAll()
-            .pathMatchers("/management/prometheus").permitAll()
             .pathMatchers("/management/**").hasAuthority(Role.ADMIN.key())
     }