[security] Fix API demo auth bypass and dashboard token validation#195
[security] Fix API demo auth bypass and dashboard token validation#195toolate28 merged 4 commits intoIntegrate-quantum-logic-modulefrom
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
…ecurity Co-authored-by: toolate28 <105518313+toolate28@users.noreply.github.com>
…d eliminate duplication Co-authored-by: toolate28 <105518313+toolate28@users.noreply.github.com>
Signed-off-by: toolated <toolated@toolated.online>
toolate28
merged commit b445fbb
into
Integrate-quantum-logic-module
There was a problem hiding this comment.
Pull request overview
This PR updates the public API docs demo and admin console pages to avoid unauthenticated demo calls and to validate admin tokens before initializing the dashboard.
Changes:
- Replaced the
/api/health“Try it” call in the API docs with a simulated demo response and added guidance aboutX-API-Key. - Added an explicit security note in the admin login page about XSS risks of storing tokens in browser storage.
- Added token-validation logic intended to gate dashboard initialization on
/admin/auth/me.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| public/api/index.html | Removes unauthenticated live health fetch in the interactive demo; shows a simulated response with production auth guidance. |
| public/admin/login.html | Adds documentation warning about XSS risks of local/session storage token persistence. |
| public/admin/dashboard.html | Introduces token validation helper prior to init (but currently duplicates existing validation logic). |
| // Validate token and initialize dashboard | ||
| async function validateAndInit() { | ||
| const token = localStorage.getItem('spiralsafe_admin_token') || | ||
| sessionStorage.getItem('spiralsafe_admin_token'); | ||
|
|
||
| try { | ||
| const response = await fetch(`${API_BASE}/admin/auth/me`, { | ||
| method: 'GET', | ||
| headers: { | ||
| 'Authorization': `Bearer ${token}`, | ||
| 'Accept': 'application/json' | ||
| } | ||
| }); | ||
|
|
||
| if (!response.ok) { | ||
| // Invalid or expired token, clear it and redirect to login | ||
| logout(); | ||
| return; | ||
| } | ||
|
|
||
| // Token is valid - initialize charts and load metrics | ||
| initCharts(); | ||
| loadMetrics(); | ||
| } catch (error) { | ||
| // On network or other errors, clear token and redirect to login | ||
| logout(); | ||
| } | ||
| } |
There was a problem hiding this comment.
validateAndInit() is added but never called (only its definition exists), and the dashboard already performs token validation inside the existing DOMContentLoaded IIFE above. This leaves dead/duplicated logic that can drift. Either call validateAndInit() from the DOMContentLoaded handler and remove the inline IIFE, or delete this new function and keep a single validation flow (optionally reusing logout() for the existing validation failure branches).
| async function validateAndInit() { | ||
| const token = localStorage.getItem('spiralsafe_admin_token') || | ||
| sessionStorage.getItem('spiralsafe_admin_token'); | ||
|
|
||
| try { | ||
| const response = await fetch(`${API_BASE}/admin/auth/me`, { | ||
| method: 'GET', | ||
| headers: { | ||
| 'Authorization': `Bearer ${token}`, | ||
| 'Accept': 'application/json' | ||
| } | ||
| }); |
There was a problem hiding this comment.
If validateAndInit() is intended to be the single entry point, it should explicitly handle the "no token" case before making the /admin/auth/me request. As written, a missing token will send Authorization: Bearer null, which is unnecessary and may cause confusing server logs/metrics; redirect to login (and clear storage) early when token is falsy.
| // Demo mode: simulated response for interactive preview | ||
| // For production API calls, include X-API-Key header in your request | ||
| const simulatedResponse = { |
There was a problem hiding this comment.
The PR title says "auth bypass", but this change (and the PR description) indicates the issue was an unauthenticated demo request causing auth failures and is now handled by simulating a response. Consider updating wording (either title or in-page comments) to avoid implying there was a bypass vulnerability when this was a demo/UX mismatch.
|
@copilot apply changes based on the comments in this thread |
Summary
Addressed three security issues in the API documentation and admin console:
tryHealth()demo called/api/healthwithoutX-API-Keyheader, causing auth failures. Converted to simulated response matchingtryWaveAnalyze()pattern with explicit production auth requirements./admin/auth/mevalidation call before initialization, clears invalid tokens and redirects to login.Verification
Follow-ups
Labels: security, enhancement
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.