@KagemniKarimu KagemniKarimu commented Oct 30, 2025

Building upon #49, this PR adds 18 integration tests for bearer token authentication middleware and significantly hardens API security.

Mainly, the PR does two distinct things:

  1. Adds comprehensive auth tests (18 tests covering bearer token validation)
  2. Hardens security by removing internal POST endpoints that could allow external DB writes

Changes

  • Security Improvement: Removes internal POST endpoints (/bundle, /cid, /balance, /nonce, /vault/*). As @pemulis pointed out, this allowed external services with the API bearer token to write directly to the node's database (Big no no!). Only /intention remains as a public POST endpoint. Internal operations (bundle creation, balance updates, vault management) continue to work as direct function calls.
  • Testing: Comprehensive auth tests verify bearer token validation, endpoint protection, edge cases, and stateless authentication behavior.
  • Test Infrastructure: Creates shared test fixtures (testFixtures.ts) with addresses, endpoints, and sample data for reuse across test suites, reducing duplication. This can be gradually incorporated into other tests in separate PRs.

- Test addresses, vault IDs, and endpoint lists
- Centralized test data for reuse across test suites
- 18 tests covering bearer token validation
- Tests for all POST/GET endpoint protection
- Edge cases and stateless auth verification
- Reduced from 38 to 18 tests via consolidation
@KagemniKarimu KagemniKarimu changed the title Add auth tests 🔐 Add auth tests Oct 30, 2025
- Remove POST routes for /bundle, /cid, /balance, /nonce, /vault
- Only /intention remains as public POST endpoint
- Internal operations (bundle creation, balance updates, etc.) still work via direct function calls
- Prevents external services from writing to node database via HTTP
- Reduces attack surface while maintaining functionality
@KagemniKarimu KagemniKarimu changed the title 🔐 Add auth tests 🔐 Add auth tests & harden API security Oct 30, 2025
@KagemniKarimu KagemniKarimu marked this pull request as ready for review October 30, 2025 04:32
@pemulis pemulis merged commit f9ee836 into oyaprotocol:main Oct 30, 2025
1 check passed
