Index: 47 open (8 critical, 39 major), 6 resolved. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| issue | title | severity | domain | labels | status | resolved | fix | created | source |
|---|---|---|---|---|---|---|---|---|---|
| 006 | GET /api/admin/scanner/status has no authentication middleware despite /api/admin/ prefix | critical | Admin | security, bug, backend, critical, missing-auth | resolved | 2026-05-29 | Added authenticateToken + authorizeRoles('admin') inline to the scanner status proxy route in app.ts | 2026-05-29 | Doc vs Code Audit 2026-05-29 |
🔴 GET /api/admin/scanner/status has no authentication middleware despite /api/admin/ prefix
Severity: critical Domain: Admin Labels: security, bug, backend, critical, missing-auth
Description
The scanner status proxy endpoint at GET /api/admin/scanner/status forwards every request straight to AMN_SCANNER_URL without any authentication check, even though it sits under the /api/admin/ route prefix that conventionally requires admin auth. Any unauthenticated client can therefore read scanner status.
Current Behavior
Returns scanner data (200) to any unauthenticated request.
Expected Behavior
Return 401 when no valid Authorization header is present and 403 when the token is valid but does not carry the admin role. Apply authenticateToken followed by authorizeRoles('admin') to the route, so the proxy handler only runs after both checks pass.
Reproduction Steps
curl -i https://api.example.com/api/admin/scanner/status — should return 401, currently returns scanner data with 200. After the fix, the same request with a non-admin bearer token should return 403 and only an admin token should get the scanner data.
Affected Files
backend/src/routes/adminRoutes.ts
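The following is an added example, not the project's own code: it models the Express-style middleware chain as plain functions so it runs without the express package, and puts the vulnerable route registration next to the fixed one. Only authenticateToken and authorizeRoles('admin') are named by the issue; the token format (a constructed "valid:<sub>:<roles>" string standing in for a signed JWT), the mount/dispatch helpers, the /api/admin/users route and the probe function are assumptions made for the example. It also shows why the prefix alone protects nothing: a route registered directly on the app under /api/admin never passes through the router-level guards.

```typescript
// Added example (not the project's code): Express-style middleware modelled as
// plain functions so the example runs without the express package. Only
// authenticateToken and authorizeRoles('admin') come from the issue; the token
// format, the router model and the route lists are constructed here.

type Role = "admin" | "user";
interface User { sub: string; roles: Role[] }

interface Req {
  method: string;
  path: string;
  headers: Record<string, string>;
  user?: User;
}
interface Res { status: number; body: unknown }
type Next = () => void;
type Handler = (req: Req, res: Res, next: Next) => void;
interface Route { method: string; path: string; chain: Handler[] }

// Constructed stand-in for signature verification. The real backend presumably
// verifies a signed JWT; here a token is the literal "valid:<sub>:<role,...>".
function verifyToken(token: string): User | null {
  const [tag, sub, roles = ""] = token.split(":");
  if (tag !== "valid" || !sub) return null;
  return { sub, roles: roles.split(",").filter(Boolean) as Role[] };
}

// 401 when the Authorization header is missing or does not carry a valid bearer token.
const authenticateToken: Handler = (req, res, next) => {
  const [scheme, token] = (req.headers["authorization"] ?? "").split(" ");
  const user = scheme === "Bearer" && token ? verifyToken(token) : null;
  if (!user) {
    res.status = 401;
    res.body = { error: "unauthenticated" };
    return; // next() is not called, so the proxy handler never runs
  }
  req.user = user;
  next();
};

// 403 when the caller is authenticated but holds none of the allowed roles.
function authorizeRoles(...allowed: Role[]): Handler {
  return (req, res, next) => {
    if (!req.user?.roles.some((r) => allowed.includes(r))) {
      res.status = 403;
      res.body = { error: "forbidden" };
      return;
    }
    next();
  };
}

// Stand-in for the proxy to AMN_SCANNER_URL: returns scanner data unconditionally,
// which is exactly why it must sit behind the guards.
const scannerStatusProxy: Handler = (_req, res) => {
  res.status = 200;
  res.body = { scanner: "ok" };
};

// Router-level guards, as app.use('/api/admin', ...guards, adminRouter) would do:
// the guards are prepended to every route mounted through the router.
function mount(prefix: string, guards: Handler[], routes: Route[]): Route[] {
  return routes.map((r) => ({ ...r, path: prefix + r.path, chain: [...guards, ...r.chain] }));
}

// First matching route wins; handlers run in chain order until one stops calling next().
function dispatch(routes: Route[], req: Req): Res {
  const res: Res = { status: 404, body: null };
  const route = routes.find((r) => r.method === req.method && r.path === req.path);
  if (!route) return res;
  let i = 0;
  const next: Next = () => {
    const handler = route.chain[i++];
    if (handler) handler(req, res, next);
  };
  next();
  return res;
}

const adminGuards = [authenticateToken, authorizeRoles("admin")];
const usersHandler: Handler = (_req, res) => { res.status = 200; res.body = []; };
const adminRouterRoutes: Route[] = [{ method: "GET", path: "/users", chain: [usersHandler] }];

// Before: the scanner proxy is registered directly on the app. Sharing the
// /api/admin prefix with the guarded router protects nothing.
export const vulnerableRoutes: Route[] = [
  ...mount("/api/admin", adminGuards, adminRouterRoutes),
  { method: "GET", path: "/api/admin/scanner/status", chain: [scannerStatusProxy] },
];

// After: the guards are applied inline on the route, as the recorded fix does.
export const fixedRoutes: Route[] = [
  ...mount("/api/admin", adminGuards, adminRouterRoutes),
  { method: "GET", path: "/api/admin/scanner/status", chain: [...adminGuards, scannerStatusProxy] },
];

// Status code a GET to `path` receives, with an optional Authorization header value.
export function probe(routes: Route[], path: string, authorization?: string): number {
  const headers: Record<string, string> = authorization ? { authorization } : {};
  return dispatch(routes, { method: "GET", path, headers }).status;
}
```

The design point is that the guards must be part of the route's own chain: with vulnerableRoutes, probe(vulnerableRoutes, "/api/admin/users") returns 401 while probe(vulnerableRoutes, "/api/admin/scanner/status") returns 200, because the proxy route was never mounted through the guarded router. With fixedRoutes the scanner route returns 401 with no header, 403 for a valid non-admin token, and 200 only for an admin token, which is the 401/403 contract the expected behaviour above describes.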