fix(security): require authentication on public events endpoint #4020
Open
0xcucumbersalad wants to merge 1 commit into
The `POST /api/:org/events/:type` handler had no authentication check. Since `resolveOrgFromPath` intentionally lets unauthenticated callers through (for MCP OAuth discovery), anyone with a valid org slug could publish arbitrary events to the org's event bus — including scheduled and cron events — without any credentials.

Add auth check matching the pattern used by the adjacent `watchHandler`.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collaborator
I remember this decision was intentional at the time, I think we might delete this route, I'll come back to this PR tho
Summary
`POST /api/:org/events/:type` — the events handler had no authentication check. Since `resolveOrgFromPath` intentionally allows unauthenticated callers through (needed for MCP OAuth discovery), anyone with a valid org slug could publish arbitrary events — including scheduled (`deliverAt`) and recurring (`cron`) events — to any org's event bus without credentials. Adds the same auth pattern used by the adjacent `watchHandler`.

Test plan

- `bun run check` — passes
- `bun run fmt` — passes
- `bun run lint` — passes (0 errors)
- `POST /api/:org/events/:type` returns 401
- `POST /org/:organizationId/events/:type` also requires auth (shares the same handler)

🤖 Generated with Claude Code
Summary by cubic
Require authentication for event publishing endpoints to prevent unauthorized event injection. Unauthenticated requests to `POST /api/:org/events/:type` (and legacy `POST /org/:organizationId/events/:type`) now return 401; authenticated behavior is unchanged.

`watchHandler` pattern.

`deliverAt`), and recurring (`cron`) events using only an org slug.

Written for commit 4ef64ca. Summary will update on new commits.
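The failure mode described in this PR, as an added sketch that is not code from the repository: a resolver that admits anonymous callers by design, and one publish handler shared by both route shapes, before and after it checks the caller itself. Everything except the two route shapes and the `deliverAt`/`cron` field names is hypothetical, including the session table, the function names, and the sample org slug and event type.

```javascript
// Added illustration; names other than the two route shapes are hypothetical.
const SESSIONS = new Map([["tok-alice", { id: "alice" }]]); // constructed data

// Stand-in for an org resolver that admits anonymous callers on purpose
// (the PR says this is needed for MCP OAuth discovery): user may be null.
function resolveOrg(req, slug) {
  const token = (req.headers.authorization || "").replace(/^Bearer /, "");
  return { org: slug, user: SESSIONS.get(token) || null };
}

// Before: assumes the resolver already authenticated the caller.
function publishUnguarded(ctx, type, body, bus) {
  bus.push({ org: ctx.org, type, ...body });
  return { status: 202 };
}

// After: the handler rejects anonymous callers before touching the bus.
function publishGuarded(ctx, type, body, bus) {
  if (!ctx.user) return { status: 401 };
  return publishUnguarded(ctx, type, body, bus);
}

// Both route shapes map to one handler, so one guard covers both.
const ROUTES = [
  /^\/api\/([^/]+)\/events\/([^/]+)$/,
  /^\/org\/([^/]+)\/events\/([^/]+)$/,
];

function dispatch(handler, req, bus) {
  if (req.method !== "POST") return { status: 405 };
  for (const re of ROUTES) {
    const m = re.exec(req.path);
    if (m) return handler(resolveOrg(req, m[1]), m[2], req.body, bus);
  }
  return { status: 404 };
}

// Regression check: anonymous POSTs to both routes (one recurring, one
// scheduled) must be refused and enqueue nothing; a signed-in POST still works.
function check(handler) {
  const bus = [];
  const post = (path, body, headers = {}) =>
    dispatch(handler, { method: "POST", path, headers, body }, bus).status;
  const anonApi = post("/api/acme/events/ping", { cron: "*/5 * * * *" });
  const anonLegacy = post("/org/acme/events/ping", { deliverAt: "2030-01-01T00:00:00Z" });
  const queuedByAnon = bus.length;
  const authed = post("/api/acme/events/ping", {}, { authorization: "Bearer tok-alice" });
  return { anonApi, anonLegacy, queuedByAnon, authed, queued: bus.length };
}
```

Running `check` against both handlers shows the difference: the guarded handler refuses both anonymous requests and queues only the signed-in event, while the unguarded one queues all three.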