From 6d7619a9c50e978e1cb724e5b167152d5f5f138c Mon Sep 17 00:00:00 2001
From: Kaj Kowalski
Date: Sun, 13 Jul 2025 16:19:51 +0200
Subject: [PATCH] fix: strengthen CSP metrics endpoint authentication

- Replace isPlatformUser check with ADMIN role requirement
- Return 403 Forbidden for non-admin users (was 401)
- Align with other admin endpoints and documentation requirements
- CSP metrics contain sensitive security data requiring admin access
---
 app/api/csp-metrics/route.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/app/api/csp-metrics/route.ts b/app/api/csp-metrics/route.ts
index 34fbba1..057786f 100644
--- a/app/api/csp-metrics/route.ts
+++ b/app/api/csp-metrics/route.ts
@@ -9,9 +9,17 @@ export async function GET(request: NextRequest) {
 // Authentication check for security metrics endpoint
 const session = await getServerSession(authOptions);
- if (!session?.user || !session.user.isPlatformUser) {
+ if (!session?.user) {
 return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 }
+
+ // Check for ADMIN role as CSP metrics contain sensitive security data
+ if (session.user.role !== "ADMIN") {
+ return NextResponse.json(
+ { error: "Forbidden - Admin access required" },
+ { status: 403 }
+ );
+ }
 // Rate limiting for metrics endpoint
 const ip = extractClientIP(request);
 const rateLimitResult = await rateLimiter.check(
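Review bot: Dropping the `isPlatformUser` condition may widen access rather than narrow it if `role` is scoped per tenant or organization rather than platform-wide — a tenant-level ADMIN who is not a platform user was rejected with 401 before this change and would now pass the new check at `if (session.user.role !== "ADMIN")`; the scope of `role` is not visible in this hunk, so please confirm. If the intent is platform administrators only, keep both conditions, e.g. `if (!session.user.isPlatformUser || session.user.role !== "ADMIN") {`, or call whatever shared admin guard the other admin endpoints mentioned in the commit message use, so the literal `"ADMIN"` is not repeated here. Separately, the authentication and role checks now run before the rate limiter that follows at the end of the hunk, so unauthenticated and non-admin requests are never counted against the limit; that is acceptable if the limiter only protects the metrics computation, but a one-line comment stating that, such as `// Rate limit applies to authenticated admin callers only; auth failures above are not counted`, would prevent a later reader from assuming it also throttles probing. Consider also routing the 403 branch through the application's existing logging so repeated denied attempts at this admin endpoint are visible to whoever reviews audit events. GET continues past the hunk.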