@jonasyr jonasyr commented Nov 19, 2025

Summary

Implements admin authentication middleware to secure cache administration endpoints and metrics endpoint, resolving the security vulnerability reported in #99.

Changes

  • Created adminAuth middleware (apps/backend/src/middlewares/adminAuth.ts)
    • X-Admin-Token header-based authentication
    • Constant-time token comparison to prevent timing attacks
    • Comprehensive audit logging for security events
  • Updated configuration (apps/backend/src/config.ts)
    • Added adminAuth configuration with ADMIN_AUTH_ENABLED and REQUIRE_AUTH_FOR_METRICS flags
    • Added adminRateLimit with stricter limits (100 req/15min) for admin endpoints
    • Added validation for admin authentication configuration
  • Protected endpoints:
    • /api/commits/cache/stats - cache statistics
    • /api/commits/cache/repositories - cached repositories list
    • /api/commits/cache/invalidate - cache invalidation
    • /metrics - Prometheus metrics
  • Testing:
    • 13 unit tests for adminAuth middleware
    • 4 integration tests for protected routes
    • All 856 backend tests pass

Test Plan

  • All 856 backend tests pass
  • Build and lint pass with no errors
  • Manual verification:
    • Unauthenticated requests return 403 Forbidden
    • Authenticated requests with valid token succeed (200 OK)
    • Invalid tokens are rejected (403 Forbidden)

Security Considerations

  • Uses crypto.timingSafeEqual() for constant-time token comparison
  • Audit logging for all authentication events (success, failure, misconfiguration)
  • Token validation includes length check before comparison
  • Rate limiting applied specifically to admin endpoints

Configuration

# Required environment variables
ADMIN_AUTH_ENABLED=true
ADMIN_TOKEN=your-secret-admin-token-here

# Optional configuration
REQUIRE_AUTH_FOR_METRICS=true
ADMIN_RATE_LIMIT_WINDOW_MS=900000
ADMIN_RATE_LIMIT_MAX=100

Migration Notes

  • Default behavior: admin authentication is enabled (`ADMIN_AUTH_ENABLED=true`)
  • Operators must set `ADMIN_TOKEN` environment variable before deploying
  • Existing deployments without `ADMIN_TOKEN` will return 500 errors for admin endpoints until configured

Closes #99

   authentication (#99)

   ## Summary
   - Implement admin authentication middleware for cache and metrics endpoints
   - Add X-Admin-Token header-based authentication with constant-time
   comparison
   - Apply authentication to 4 vulnerable endpoints: /api/commits/cache/stats,
   /api/commits/cache/repositories, /api/commits/cache/invalidate, /metrics
   - Add stricter rate limiting for admin endpoints (100 req/15min)

   ## Changes
   - Created adminAuth.ts middleware with timing-attack-safe token validation
   - Updated config.ts with adminAuth and adminRateLimit configuration
   - Protected all admin endpoints with requireAdminToken middleware
   - Added comprehensive unit and integration tests (17 new tests)
   - Updated .env.example with admin authentication documentation

   ## Test Plan
   - ✅ All 856 backend tests pass
   - ✅ Build and lint pass
   - ✅ Manual verification: unauthenticated requests return 403
   - ✅ Manual verification: authenticated requests succeed
   - ✅ Manual verification: invalid tokens rejected
@jonasyr jonasyr linked an issue Nov 19, 2025 that may be closed by this pull request
@jonasyr jonasyr self-assigned this Nov 19, 2025

@jonasyr jonasyr requested a review from NiklasSkulll November 19, 2025 21:52
@NiklasSkulll NiklasSkulll merged commit b8c7725 into dev Nov 20, 2025
7 checks passed
@NiklasSkulll NiklasSkulll deleted the 99-security-cache-admin-endpoints-and-metrics-are-unauthenticated branch November 23, 2025 17:40
Successfully merging this pull request may close these issues.

security: Cache admin endpoints and /metrics are unauthenticated