ryyst/kalzu-value-store
1
0
Fork 1
Code Issues 6 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

Secure User and Group Management Endpoints with Authentication Middleware #4

New Issue
Closed
opened 2025-09-12 22:20:09 +03:00 by MrKalzu · 2 comments
MrKalzu commented 2025-09-12 22:20:09 +03:00
Contributor
Copy Link

The user management (/api/users) and group management (/api/groups) API endpoints, along with the token creation endpoint (/api/tokens), are currently exposed without any authentication or authorization checks. This means any client can create, read, update, or delete users, groups, and API tokens, leading to a critical security vulnerability.

Proposed Solution:
Apply the existing authMiddleware to all user, group, and token management endpoints defined in setupRoutes.

  1. Define specific scopes: Introduce new, granular scopes for these administrative operations, e.g.:
    • admin:users:create, admin:users:read, admin:users:update, admin:users:delete
    • admin:groups:create, admin:groups:read, admin:groups:update, admin:groups:delete
    • admin:tokens:create, admin:tokens:read, admin:tokens:delete (read/delete for tokens would imply listing/revoking tokens, which might need separate handlers).
  2. Apply middleware to handlers: For each of the createUserHandler, getUserHandler, updateUserHandler, deleteUserHandler, createGroupHandler, getGroupHandler, updateGroupHandler, deleteGroupHandler, and createTokenHandler, wrap them with s.authMiddleware and specify the appropriate required scopes. For example, s.authMiddleware([]string{"admin:users:create"}, nil, "")(s.createUserHandler).

This change will ensure that only authenticated users with explicitly granted administrative privileges can manage users, groups, and API tokens, significantly enhancing the security of the application.

Relevant Code Sections:

  • setupRoutes function where handlers are registered.
  • authMiddleware function.
  • createUserHandler, getUserHandler, updateUserHandler, deleteUserHandler.
  • createGroupHandler, getGroupHandler, updateGroupHandler, deleteGroupHandler.
  • createTokenHandler.
  • JWTClaims and APIToken for scope definitions.
The user management (`/api/users`) and group management (`/api/groups`) API endpoints, along with the token creation endpoint (`/api/tokens`), are currently exposed without any authentication or authorization checks. This means any client can create, read, update, or delete users, groups, and API tokens, leading to a critical security vulnerability. **Proposed Solution:** Apply the existing `authMiddleware` to all user, group, and token management endpoints defined in `setupRoutes`. 1. **Define specific scopes:** Introduce new, granular scopes for these administrative operations, e.g.: * `admin:users:create`, `admin:users:read`, `admin:users:update`, `admin:users:delete` * `admin:groups:create`, `admin:groups:read`, `admin:groups:update`, `admin:groups:delete` * `admin:tokens:create`, `admin:tokens:read`, `admin:tokens:delete` (read/delete for tokens would imply listing/revoking tokens, which might need separate handlers). 2. **Apply middleware to handlers:** For each of the `createUserHandler`, `getUserHandler`, `updateUserHandler`, `deleteUserHandler`, `createGroupHandler`, `getGroupHandler`, `updateGroupHandler`, `deleteGroupHandler`, and `createTokenHandler`, wrap them with `s.authMiddleware` and specify the appropriate required scopes. For example, `s.authMiddleware([]string{"admin:users:create"}, nil, "")(s.createUserHandler)`. This change will ensure that only authenticated users with explicitly granted administrative privileges can manage users, groups, and API tokens, significantly enhancing the security of the application. **Relevant Code Sections:** * `setupRoutes` function where handlers are registered. * `authMiddleware` function. * `createUserHandler`, `getUserHandler`, `updateUserHandler`, `deleteUserHandler`. * `createGroupHandler`, `getGroupHandler`, `updateGroupHandler`, `deleteGroupHandler`. * `createTokenHandler`. * `JWTClaims` and `APIToken` for scope definitions.
MrKalzu commented 2025-09-12 22:24:20 +03:00
Author
Contributor
Copy Link

This has dependency in the #3.
I was unable to edit the tickets dependency section...

This has dependency in the https://git.rauhala.info/ryyst/kalzu-value-store/issues/3. I was unable to edit the tickets dependency section...
MrKalzu commented 2025-10-05 22:57:08 +03:00
Author
Contributor
Copy Link

Toimii!

Toimii!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
ryyst
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: ryyst/kalzu-value-store#4
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?