fix(security): implement widget API authentication with JWT verification #548
Open
JasonOA888 wants to merge 1 commit into
Vulnerability: Widget API Endpoints Have No Authentication (P0)

Summary

The Widget API authentication functions authCheck and clientIdCheck in apps/rowboat/app/api/widget/v1/utils.ts were returning 501 Not Implemented with the actual JWT verification code commented out. This means all Widget API endpoints that depend on these middleware functions are effectively unauthenticated — any request is rejected, but more critically, the intended security boundary does not exist.

Impact

Fix

- Uncommented and activated authCheck: Now properly verifies JWT tokens using jose.jwtVerify with the CHAT_WIDGET_SESSION_JWT_SECRET environment variable. Returns appropriate 400/403 errors for missing or invalid tokens.
- Uncommented and activated clientIdCheck: Validates the x-client-id header and looks up the project using the existing IProjectsRepository.fetch() method. Returns 400 if missing, 403 if invalid.
- Added startup validation: If CHAT_WIDGET_SESSION_JWT_SECRET is not set or empty, the application throws a fatal error at startup rather than silently running without authentication. This ensures misconfigured deployments fail loudly.
- Removed the return new Response("Not implemented", { status: 501 }) stubs — both functions now perform real authentication.

Test Plan

- Without CHAT_WIDGET_SESSION_JWT_SECRET set — should throw a startup error
- Missing Authorization header — should return 400
- Missing x-client-id header — should return 400
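As an added example, not code from this PR or the rowboat project: a minimal model of the three behaviours the description lists (fail-fast secret loading, authCheck returning 400 for a missing header and 403 for a bad token, clientIdCheck with the same split). It verifies HS256 with node:crypto instead of jose.jwtVerify so it runs with no dependencies, and assumes header keys arrive lowercased and that the repository lookup is a plain `projectExists(id)` callback.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";
export type CheckResult = { ok: true; claims: Record<string, unknown> } | { ok: false; status: 400 | 403; error: string };

// Startup validation: an unset or empty secret aborts startup instead of
// silently running the widget API without authentication.
export function loadWidgetSecret(env: Record<string, string | undefined>): Buffer {
  const secret = env.CHAT_WIDGET_SESSION_JWT_SECRET;
  if (!secret || secret.trim() === "") throw new Error("CHAT_WIDGET_SESSION_JWT_SECRET is not set; refusing to start");
  return Buffer.from(secret, "utf8");
}

const b64url = (s: string) => Buffer.from(s, "utf8").toString("base64url");
// Signer used only to construct sample tokens for this example (assumed HS256, not the project's issuer).
export function signHs256(claims: Record<string, unknown>, secret: Buffer): string {
  const input = `${b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${createHmac("sha256", secret).update(input).digest("base64url")}`;
}

// Stand-in for jose.jwtVerify: accepts HS256 only (so "none" or another alg is rejected),
// compares the signature in constant time, and enforces exp when present. Returns claims or null.
export function verifyHs256(token: string, secret: Buffer, now = Math.floor(Date.now() / 1000)): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  try {
    if (JSON.parse(Buffer.from(h, "base64url").toString("utf8")).alg !== "HS256") return null;
    const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
    const actual = Buffer.from(s, "base64url");
    if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) return null;
    const claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
    if (typeof claims.exp === "number" && claims.exp <= now) return null;
    return claims;
  } catch {
    return null; // malformed base64 or JSON is an invalid token, not a server crash
  }
}

// authCheck: 400 when Authorization is absent, 403 when the bearer token does not verify.
export function authCheck(headers: Record<string, string | undefined>, secret: Buffer): CheckResult {
  const auth = headers["authorization"];
  if (!auth) return { ok: false, status: 400, error: "Missing Authorization header" };
  const m = /^Bearer\s+(\S+)$/.exec(auth);
  const claims = m ? verifyHs256(m[1], secret) : null;
  return claims ? { ok: true, claims } : { ok: false, status: 403, error: "Invalid token" };
}

// clientIdCheck: 400 when x-client-id is absent, 403 when no project matches it.
export function clientIdCheck(headers: Record<string, string | undefined>, projectExists: (id: string) => boolean): CheckResult {
  const id = headers["x-client-id"];
  if (!id) return { ok: false, status: 400, error: "Missing x-client-id header" };
  return projectExists(id) ? { ok: true, claims: { clientId: id } } : { ok: false, status: 403, error: "Unknown client id" };
}
```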