Bug
The message API is available without authentication. GET /api/messages lists message records and POST /api/messages creates new messages without requiring a bearer token.
Impact
Unauthenticated clients can read message data and send spam or spoofed messages through the API.
Expected fix
Require authMiddleware for the message router so both list and send operations are only available to authenticated users. Add regression tests for unauthenticated rejection and authenticated success.
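The following is an added example, not code from this repository, showing the shape of the fix and its regression check. It assumes an Express-style `(req, res, next)` middleware contract; the `VALID_TOKENS` store, the minimal router and the request fixtures are constructed stand-ins so the example runs without Express installed. `buildMessageRouter(false)` reproduces the bug (both routes reachable with no token); `buildMessageRouter(true)` mounts `authMiddleware` ahead of the routes, which is the expected fix.

```javascript
// Added example, not the project's code. Assumes an Express-style
// (req, res, next) middleware contract; the token store and router are
// minimal stand-ins so the example runs offline.

// Constructed fixture: the only bearer token the stand-in server accepts.
const VALID_TOKENS = new Map([['tok-alice', { id: 'alice' }]]);

// Rejects any request lacking a valid "Authorization: Bearer <token>" header.
function authMiddleware(req, res, next) {
  const header = req.headers.authorization || '';
  const [scheme, token, ...rest] = header.split(' ');
  const user = scheme === 'Bearer' && token && rest.length === 0
    ? VALID_TOKENS.get(token) : undefined;
  if (!user) {
    res.statusCode = 401;
    res.setHeader('WWW-Authenticate', 'Bearer');
    res.end(JSON.stringify({ error: 'unauthorized' }));
    return; // never call next(): the route handler must not run
  }
  req.user = user;
  next();
}

// Minimal router: middleware registered with use() runs before every route,
// in registration order, mirroring Express semantics.
function createRouter() {
  const middleware = [];
  const routes = [];
  return {
    use(fn) { middleware.push(fn); },
    get(path, fn) { routes.push({ method: 'GET', path, fn }); },
    post(path, fn) { routes.push({ method: 'POST', path, fn }); },
    handle(req) {
      const res = {
        statusCode: 200, headers: {}, body: '',
        setHeader(k, v) { this.headers[k] = v; },
        end(body) { this.body = body === undefined ? '' : body; },
      };
      const route = routes.find((r) => r.method === req.method && r.path === req.path);
      if (!route) { res.statusCode = 404; res.end(); return res; }
      const chain = [...middleware, route.fn];
      let i = 0;
      const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
      next();
      return res;
    },
  };
}

// protect=false reproduces the reported bug; protect=true is the fix.
function buildMessageRouter(protect) {
  const router = createRouter();
  const messages = [];
  if (protect) router.use(authMiddleware); // must be mounted before the routes
  router.get('/api/messages', (req, res) => {
    res.end(JSON.stringify(messages));
  });
  router.post('/api/messages', (req, res) => {
    // Sender identity comes from the verified token, not from the client body.
    const msg = { from: req.user ? req.user.id : 'anonymous', text: req.body.text };
    messages.push(msg);
    res.statusCode = 201;
    res.end(JSON.stringify(msg));
  });
  return router;
}

// Regression scenarios: unauthenticated list/send must be rejected,
// authenticated list/send must succeed. Returns the status per scenario.
function regressionStatuses(protect) {
  const router = buildMessageRouter(protect);
  const anon = { headers: {} };
  const auth = { headers: { authorization: 'Bearer tok-alice' } };
  return {
    anonList: router.handle({ method: 'GET', path: '/api/messages', ...anon }).statusCode,
    anonSend: router.handle({ method: 'POST', path: '/api/messages', body: { text: 'spam' }, ...anon }).statusCode,
    authSend: router.handle({ method: 'POST', path: '/api/messages', body: { text: 'hi' }, ...auth }).statusCode,
    authList: router.handle({ method: 'GET', path: '/api/messages', ...auth }).statusCode,
  };
}

console.log('before fix:', regressionStatuses(false)); // anon requests get 200/201
console.log('after fix: ', regressionStatuses(true));  // anon requests get 401
```

The middleware deliberately returns without calling `next()` on failure; a common regression is a middleware that writes the 401 but still falls through to the handler, which the `anonSend` scenario would catch because the message store would grow.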
Reference: #743.
This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.