You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Description: The Locator service (services/shieldx-gateway/locator/main.go) exposes /issue without any authentication. Anyone can POST arbitrary tenant/scope data to mint valid locator tokens signed with the service key, bypassing downstream authorization.
Location: handleIssue and Run in services/shieldx-gateway/locator/main.go (no auth middleware before handler).
Recommendation: Gate /issue behind strong auth (mTLS + admission secret/JWT), enforce tenant allowlists, and log/alert on issuance. Consider separating public introspection from privileged issuance endpoints.
Done when: Unauthenticated issuance attempts fail, token minting restricted to authorized callers, and coverage tests verify the control path.
