snapapi: session 53 — security fix for free signup vulnerability
This commit is contained in:
Hoid
parent
a3848df0e9
commit
e4d9233ab7
3 changed files with 56 additions and 3 deletions
|
|
@ -1,5 +1,50 @@
|
|||
# SnapAPI Session Log
|
||||
|
||||
## Session 53 — 2026-03-03 21:00 CET (Security Fix: Free Signup Route)
|
||||
|
||||
**Goal:** Evening housekeeping — discovered and fixed a security vulnerability.
|
||||
|
||||
**Health Check:**
|
||||
- Production: ✅ healthy, 2 replicas, 5+ days uptime (still v0.5.2)
|
||||
- Staging: ✅ healthy, deployed f3a363f
|
||||
|
||||
**Work Done:**
|
||||
|
||||
### 1. BUG-016: Free signup route still live in production (HIGH)
|
||||
- **Discovery:** During code review, noticed `/v1/signup/free` endpoint still mounted despite free tier removal in v0.3.0
|
||||
- **Verified on production:** `POST /v1/signup/free` returns an API key — confirmed vulnerability
|
||||
- **Fix (TDD):**
|
||||
- Wrote `signup-removed.test.ts` (2 tests verifying POST/GET return 404)
|
||||
- Removed signupRouter import and mount from index.ts
|
||||
- Deleted dead `src/routes/signup.ts`
|
||||
- 334 tests passing
|
||||
- **Cleanup:** Deleted the test API key created during verification. 5 remaining free keys are all QA artifacts from Feb 19.
|
||||
- **Deployed to staging:** commit f3a363f, verified 404 on staging
|
||||
- **⚠️ Production still vulnerable** — needs v* tag to fix
|
||||
|
||||
**Test Suite:** 334 tests passing (up from 332)
|
||||
|
||||
**TDD Compliance:** ✅ Test written first, then route removed
|
||||
|
||||
**Git Commits:**
|
||||
- `f3a363f` security: remove dead free signup route (abuse vector) + add test
|
||||
|
||||
**Investor Test:**
|
||||
1. Stranger trust with money? **Yes on staging**
|
||||
2. Data loss on crash? **No** (CNPG PostgreSQL)
|
||||
3. Free tier abuse? **⚠️ YES on production** — /v1/signup/free still generates free keys. Fixed on staging.
|
||||
4. Key recovery? **Yes on staging**
|
||||
5. All website features work? **Yes on staging**
|
||||
|
||||
**⚠️ URGENT: Production deploy needed.** The free signup vulnerability on production is a real security issue. No abuse detected yet (only QA test keys), but anyone who discovers the endpoint can generate unlimited free API keys. Requesting investor approval for production deploy.
|
||||
|
||||
**Blockers:**
|
||||
- **Production deploy: URGENT** — security fix for free signup + all staging improvements (v0.5.2 → v0.7.3)
|
||||
- Stripe production webhook: needs investor
|
||||
- CI/CD: No Forgejo runner (manual docker build workaround)
|
||||
|
||||
---
|
||||
|
||||
## Session 52 — 2026-03-03 18:00 CET (Blog Post + Status Route Tests)
|
||||
|
||||
**Goal:** Add SEO content (new blog post) and fill test coverage gaps (status/health routes).
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue