kjanat/livedash-node
1
0
Fork 0
mirror of https://github.com/kjanat/livedash-node.git synced 2026-01-16 12:32:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: strengthen CSP metrics endpoint authentication

Browse Source 
- Replace isPlatformUser check with ADMIN role requirement
- Return 403 Forbidden for non-admin users (was 401)
- Align with other admin endpoints and documentation requirements
- CSP metrics contain sensitive security data requiring admin access
This commit is contained in:
Kaj Kowalski
2025-07-13 16:19:51 +02:00
parent 40c80f5fe1
commit 6d7619a9c5
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
app/api/csp-metrics/route.ts
View File

@ -9,9 +9,17 @@ export async function GET(request: NextRequest) {
// Authentication check for security metrics endpoint // Authentication check for security metrics endpoint
const session = await getServerSession(authOptions); const session = await getServerSession(authOptions);
if (!session?.user || !session.user.isPlatformUser) { if (!session?.user) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 }); return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
} }
// Check for ADMIN role as CSP metrics contain sensitive security data
if (session.user.role !== "ADMIN") {
return NextResponse.json(
{ error: "Forbidden - Admin access required" },
{ status: 403 }
);
}
// Rate limiting for metrics endpoint // Rate limiting for metrics endpoint
const ip = extractClientIP(request); const ip = extractClientIP(request);
const rateLimitResult = await rateLimiter.check( const rateLimitResult = await rateLimiter.check(