---
issue: "005"
title: "GET /api/admin/scanner/status has no authentication despite /api/admin/ prefix"
severity: critical
domain: admin
labels: [security, backend, bug]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🔴 GET /api/admin/scanner/status has no authentication despite /api/admin/ prefix

**Severity:** critical
**Domain:** admin
**Labels:** security, backend, bug

## Description

`GET /api/admin/scanner/status` proxies to `AMN_SCANNER_URL` and returns scanner status data. Despite sitting under the `/api/admin/` prefix (which conventionally implies admin auth), this endpoint has **no `authenticateToken` middleware**. Any unauthenticated request returns scanner data.

## Current Behavior

```bash
curl https://api.example.com/api/admin/scanner/status
# Returns scanner data with 200, no credentials needed
```

## Expected Behavior

Should return `401` without a valid admin JWT.

## Affected Files

- `backend/src/routes/adminRoutes.js` — scanner proxy route definition

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md) — Finding C29
- Related: [[ISSUE-004-payment-endpoints-no-auth]]
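The gap described above (a route under `/api/admin/` registered without `authenticateToken`) and the expected fix, as an added example that is not the project's own code: it models Express-style route registration with a minimal fake router so it runs without Express, and `authenticateToken`, `scannerStatusProxy`, `buildVulnerableRouter`, `buildFixedRouter`, `findUnprotectedAdminRoutes` and `dispatch` are hypothetical stand-ins. The audit function is a regression check that would flag this finding and any sibling admin route with the same defect.

```javascript
// Added example, not the project's code: authenticateToken and scannerStatusProxy are stand-ins.
function authenticateToken(req, res, next) {
  // Hypothetical JWT middleware: a real one would verify the signature and claims.
  const header = (req.headers && req.headers.authorization) || '';
  if (!header.startsWith('Bearer ')) return res.status(401).json({ error: 'unauthorized' });
  req.user = { role: 'admin' }; // constructed claim for the example
  next();
}

// Stand-in for the proxy to AMN_SCANNER_URL.
function scannerStatusProxy(req, res) { res.status(200).json({ scanner: 'ok' }); }

// Minimal Express-style router that records each handler chain for inspection.
function createRouter() {
  const routes = [];
  return { routes, get(path, ...handlers) { routes.push({ method: 'GET', path, handlers }); } };
}

// Before: the route as the finding describes it, with no auth middleware.
function buildVulnerableRouter() {
  const router = createRouter();
  router.get('/api/admin/scanner/status', scannerStatusProxy);
  return router;
}

// After: authenticateToken runs before the proxy handler.
function buildFixedRouter() {
  const router = createRouter();
  router.get('/api/admin/scanner/status', authenticateToken, scannerStatusProxy);
  return router;
}

// Defender's check: every route under the admin prefix must carry authenticateToken.
function findUnprotectedAdminRoutes(routes, prefix = '/api/admin/') {
  return routes
    .filter(r => r.path.startsWith(prefix) && !r.handlers.includes(authenticateToken))
    .map(r => `${r.method} ${r.path}`);
}

// Run a recorded chain against a request and return the resulting status code.
function dispatch(router, path, req) {
  const route = router.routes.find(r => r.path === path);
  const res = { code: 200, status(c) { this.code = c; return this; }, json() { return this; } };
  let i = 0;
  const next = () => { const h = route.handlers[i++]; if (h) h(req, res, next); };
  next();
  return res.code;
}

console.log(findUnprotectedAdminRoutes(buildVulnerableRouter().routes)); // ['GET /api/admin/scanner/status']
console.log(dispatch(buildFixedRouter(), '/api/admin/scanner/status', { headers: {} })); // 401
```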