fix(auth): prevent authentication bypass and fix Authorization header

asithade · asithade · commit f8bb7644da0d · 2025-09-09T14:41:51.000-07:00
- Fix critical security vulnerability where non-GET requests to protected SSR routes bypassed authentication - Add proper 401 error handling for non-GET requests to protected SSR routes - Fix Authorization header being set to 'Bearer undefined' when bearerToken is not provided - Make Authorization header conditional in ApiClientService based on bearerToken presence LFXV2-417 Signed-off-by: Asitha de Silva <asithade@gmail.com>
diff --git a/apps/lfx-pcc/src/server/middleware/auth.middleware.ts b/apps/lfx-pcc/src/server/middleware/auth.middleware.ts
@@ -187,6 +187,23 @@ function makeAuthDecision(result: AuthMiddlewareResult, req: Request): AuthDecis
         };
       }
 
+      // Non-GET SSR routes - return 401 error
+      if (route.type === 'ssr' && req.method !== 'GET') {
+        req.log.warn(
+          {
+            path: req.path,
+            routeType: route.type,
+            method: req.method,
+          },
+          'SSR route requires authentication for non-GET request - returning 401'
+        );
+        return {
+          action: 'error',
+          errorType: 'authentication',
+          statusCode: 401,
+        };
+      }
+
       // API routes - return 401 error
       if (route.type === 'api') {
         req.log.warn(
diff --git a/apps/lfx-pcc/src/server/services/api-client.service.ts b/apps/lfx-pcc/src/server/services/api-client.service.ts
@@ -35,15 +35,21 @@ export class ApiClientService {
   }
 
   private async makeRequest<T>(method: string, url: string, bearerToken?: string, data?: any, customHeaders?: Record<string, string>): Promise<ApiResponse<T>> {
+    const headers: Record<string, string> = {
+      ...customHeaders,
+      Accept: 'application/json',
+      ['Content-Type']: 'application/json',
+      ['User-Agent']: 'LFX-PCC-Server/1.0',
+    };
+
+    // Only add Authorization header if bearerToken is provided
+    if (bearerToken) {
+      headers['Authorization'] = `Bearer ${bearerToken}`;
+    }
+
     const requestInit: RequestInit = {
       method,
-      headers: {
-        ...customHeaders,
-        Authorization: `Bearer ${bearerToken}`,
-        Accept: 'application/json',
-        ['Content-Type']: 'application/json',
-        ['User-Agent']: 'LFX-PCC-Server/1.0',
-      },
+      headers,
       signal: AbortSignal.timeout(this.config.timeout),
     };
 
