From cf07a9af89af50e9a666bec388f7633f9843fbf6 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 5 Feb 2026 11:13:55 +0000
Subject: [PATCH] =?UTF-8?q?fix(security):=20=F0=9F=9B=A1=EF=B8=8F=20harden?= =?UTF-8?q?=20actuator=20and=20management=20endpoints?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Restricted access to sensitive management and actuator endpoints in the backend. - Removed `permitAll()` for `/management/prometheus` and `/management/info`. - Fixed typo in `"actuator/info"` path (missing leading slash) and removed it from the `permitAll()` block. - Explicitly allowed unauthenticated access only to `/actuator/health` and `/management/health` for monitoring/orchestration probes. - Ensured all other `/management/**` endpoints require `ROLE_ADMIN` and `/actuator/**` endpoints require authentication. These changes prevent information disclosure and improve the overall security posture of the application metrics and build details. Security Concern: Exposed Actuator/Management endpoints without authentication. Fix: Applied principle of least privilege to management endpoints. Verification: Backend compilation passed, manual code review confirmed correct path matching and role enforcement. Co-authored-by: yacosta738 <33158051+yacosta738@users.noreply.github.com>
---
 .../infrastructure/SecurityConfiguration.kt | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/server/engine/src/main/kotlin/com/cvix/authentication/infrastructure/SecurityConfiguration.kt b/server/engine/src/main/kotlin/com/cvix/authentication/infrastructure/SecurityConfiguration.kt
index e3e0c5b92..d75616ece 100644
--- a/server/engine/src/main/kotlin/com/cvix/authentication/infrastructure/SecurityConfiguration.kt
+++ b/server/engine/src/main/kotlin/com/cvix/authentication/infrastructure/SecurityConfiguration.kt
@@ -202,7 +202,6 @@ class SecurityConfiguration(
 "/api/auth/refresh-token", "/api/auth/login", "/api/auth/logout", "/api/auth/csrf", "/api/auth/federated/**", "/oauth2/**", "/login/oauth2/**",
- "actuator/info",
 ).permitAll()
 .pathMatchers(
 "/swagger-ui/**", "/webjars/**", "/api-docs/**", "/swagger-ui.html",
@@ -213,11 +212,12 @@ class SecurityConfiguration(
 .pathMatchers(HttpMethod.POST, "/api/subscribers").permitAll()
 // Allow anonymous access to subscription form configuration (both v1 and non-v1 paths)
 .pathMatchers(HttpMethod.GET, "/api/subscription-forms/*").permitAll()
+ // Security: Secure all actuator endpoints except health checks
+ // health check is needed for external monitoring and orchestration (K8s)
+ .pathMatchers("/actuator/health", "/management/health").permitAll()
 .pathMatchers("/actuator/**").authenticated()
 .pathMatchers("/api/**").authenticated()
- .pathMatchers("/management/health").permitAll()
- .pathMatchers("/management/info").permitAll()
- .pathMatchers("/management/prometheus").permitAll()
+ // Security: Prometheus and Info endpoints can leak sensitive data, restrict to ADMIN
+ .pathMatchers("/management/**").hasAuthority(Role.ADMIN.key())
 }
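Review bot: `.pathMatchers("/actuator/health", "/management/health").permitAll()` in the second hunk matches only the exact path, so the `/health/liveness` and `/health/readiness` sub-paths that Kubernetes probes are normally pointed at (if probe groups are enabled in this deployment, which the hunk does not show) fall through to the `.authenticated()` and ADMIN rules below it and the probes are rejected. List the probe paths explicitly rather than widening to `/health/**`, e.g. `.pathMatchers("/actuator/health", "/actuator/health/liveness", "/actuator/health/readiness", "/management/health", "/management/health/liveness", "/management/health/readiness").permitAll()`, and confirm that health `show-details` is not enabled for anonymous callers now that the endpoint is reachable without a session. The `/actuator/**` rule is left at `.authenticated()` while `/management/**` is raised to `hasAuthority(Role.ADMIN.key())`, so whichever of the two is the active management base path decides whether any signed-in user can read env, metrics and similar sensitive endpoints; the comment above the ADMIN rule applies equally to `/actuator/**`, so consider `.pathMatchers("/actuator/**").hasAuthority(Role.ADMIN.key())` so both trees are governed by one rule. The enclosing function starts outside the hunk.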