---
issue: 031
title: "POST /api/points/admin/add admin check is inside handler only — no middleware-level enforcement"
severity: major
domain: Admin
status: resolved
resolved: 2026-05-29
fix: "Replaced inline admin check with authorizeRoles('admin') middleware on POST /admin/add in pointsRoutes.ts."
labels: [security, bug, backend, major, missing-auth]
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 POST /api/points/admin/add admin check is inside handler only — no middleware-level enforcement

**Severity:** major
**Domain:** Admin
**Labels:** security, bug, backend, major, missing-auth

## Description

`POST /api/points/admin/add` registers only `authenticateToken` at the route level; the admin role check lives inside the handler. Any authenticated user therefore reaches the handler body, and whatever sits above the inline check (request parsing, lookups, logging, any other side effect) executes for non-admins. Enforcement that lives in handler code is also fragile: an early return, a refactor, or a new code path added above the check removes the protection silently, whereas a route-level `authorizeRoles('admin')` middleware rejects non-admin requests before the handler is invoked at all.

## Current Behavior

`authenticateToken` is the only middleware on the route. The handler begins executing for every authenticated user and only then inspects the caller's role; non-admins are rejected from inside the handler rather than at the route.

## Expected Behavior

Apply `authorizeRoles('admin')` at the route level, after `authenticateToken` (it needs the authenticated user in order to read the role), so the handler body runs only for admins.

## Affected Files

- `backend/src/routes/pointsRoutes.ts`

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md)
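The two route shapes from the Description and Expected Behavior sections, side by side, as an added example that is not the project's code. Express itself is not imported: a minimal stand-in runs an Express-style `(req, res, next)` chain, `authenticateToken` is an assumed equivalent that expects `req.user` to be pre-populated, the `req.user` shape and the handler body are assumptions, and `handlerEntries` is a constructed side effect standing in for whatever the real handler does before its inline check. The point it makes observable: with the inline check, the handler body runs once for a non-admin caller; with `authorizeRoles('admin')` on the route, it does not run at all.

```typescript
// Added example, not the project's code. Express is not imported; `dispatch`
// below is a minimal stand-in for the router so the chains run offline.

type Role = 'admin' | 'user';

interface AuthUser { id: string; role: Role }            // assumed shape of req.user

export interface Req { user?: AuthUser; body: Record<string, unknown> }

export interface Res {
  statusCode: number;
  payload: unknown;
  status(code: number): Res;
  json(payload: unknown): Res;
}

type Next = () => void;
export type Handler = (req: Req, res: Res, next: Next) => void;

// Assumed equivalent of the project's authenticateToken: the real one verifies
// a bearer token and sets req.user; here req.user is already populated.
export const authenticateToken: Handler = (req, res, next) => {
  if (!req.user) { res.status(401).json({ error: 'unauthenticated' }); return; }
  next();
};

// Route-level role check. Must be registered after authenticateToken,
// because it reads req.user.
export function authorizeRoles(...roles: Role[]): Handler {
  return (req, res, next) => {
    if (!req.user || !roles.includes(req.user.role)) {
      res.status(403).json({ error: 'forbidden' });
      return;
    }
    next();
  };
}

// Constructed side effect: records every time a handler body starts running.
export const handlerEntries: string[] = [];

// BEFORE: the role check is inside the handler, so everything above it
// executes for every authenticated caller, admin or not.
export const addPointsInlineCheck: Handler = (req, res) => {
  handlerEntries.push(`inline:${req.user!.id}`);
  const { userId, amount } = req.body as { userId: string; amount: number };
  if (req.user!.role !== 'admin') { res.status(403).json({ error: 'forbidden' }); return; }
  res.status(200).json({ ok: true, userId, amount });
};

// AFTER: the handler relies on authorization having been enforced at the route.
export const addPoints: Handler = (req, res) => {
  handlerEntries.push(`middleware:${req.user!.id}`);
  const { userId, amount } = req.body as { userId: string; amount: number };
  res.status(200).json({ ok: true, userId, amount });
};

export const beforeRoute: Handler[] = [authenticateToken, addPointsInlineCheck];
export const afterRoute: Handler[] = [authenticateToken, authorizeRoles('admin'), addPoints];

// Stand-in for Express's router: run handlers in order and stop at the first
// one that responds without calling next().
export function dispatch(route: Handler[], req: Req): Res {
  const res: Res = {
    statusCode: 200,
    payload: undefined,
    status(code) { res.statusCode = code; return res; },
    json(payload) { res.payload = payload; return res; },
  };
  for (const handler of route) {
    let passed = false;
    handler(req, res, () => { passed = true; });
    if (!passed) break;
  }
  return res;
}

// How many times a handler body ran for a non-admin caller on the given route.
export function handlerRunsForNonAdmin(route: Handler[]): number {
  const before = handlerEntries.length;
  const req: Req = { user: { id: 'u-42', role: 'user' }, body: { userId: 'u-7', amount: 10 } };
  dispatch(route, req);
  return handlerEntries.length - before;
}
```

Both routes answer 403 to a non-admin, which is why the defect is easy to miss from black-box testing alone; the difference is whether the handler's side effects ran first. Keeping an inline check as belt-and-braces is harmless, but the route-level middleware is the enforcement point that survives refactors of the handler.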