snapapi: session 53 — security fix for free signup vulnerability
parent a3848df0e9
commit e4d9233ab7
3 changed files with 56 additions and 3 deletions
@ -78,6 +78,14 @@
- **Root cause:** v0.5.2 image was built before usage dashboard commit (5b59a7a)
- **Root cause:** v0.5.2 image was built before usage dashboard commit (5b59a7a)
- **Fix:** Needs new production deploy after staging verified
- **Fix:** Needs new production deploy after staging verified
### BUG-016: Free signup route still mounted in production (HIGH) — FIXED (staging)
- **Found:** Session 53 (self-discovered)
- **Impact:** /v1/signup/free still active on production — anyone can generate unlimited free API keys despite free tier being "removed" in v0.3.0
- **Root cause:** Route was removed from pricing/landing page but `signupRouter` was never unmounted from `index.ts`
- **Fix:** Removed signup import + route registration, deleted dead `signup.ts` file, added test verifying 404. Cleaned up leaked test key + verified 5 remaining keys are all QA artifacts.
- **Deployed to staging:** Yes (commit f3a363f, image imported to w1+w2). Verified: 404 on staging.
- **Production:** ⚠️ STILL VULNERABLE — needs production deploy (v* tag) to fix. This is a security issue.
## Open
## Open
### BUG-015: Python SDK missing URL validation for ScreenshotOptions object (LOW) — FIXED
### BUG-015: Python SDK missing URL validation for ScreenshotOptions object (LOW) — FIXED
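Review bot: BUG-016 is filed as `FIXED (staging)` and inserted above the `## Open` heading even though its own `Production:` line says `STILL VULNERABLE`, so a reader scanning the Open section for live production risk will miss it. Keep the entry under Open (or title it "OPEN on production, fixed on staging") until the v* tag is deployed, then move it. Also, the `Fix:` line says the 5 remaining free keys were "verified" as QA artifacts but not that they were revoked: unmounting the route stops new issuance but leaves already-issued keys valid, so state explicitly whether those keys (and any other key created through the route before the cleanup) were revoked or are deliberately kept.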
@ -1,5 +1,50 @@
# SnapAPI Session Log
# SnapAPI Session Log
## Session 53 — 2026-03-03 21:00 CET (Security Fix: Free Signup Route)
**Goal:** Evening housekeeping — discovered and fixed a security vulnerability.
**Health Check:**
- Production: ✅ healthy, 2 replicas, 5+ days uptime (still v0.5.2)
- Staging: ✅ healthy, deployed f3a363f
**Work Done:**
### 1. BUG-016: Free signup route still live in production (HIGH)
- **Discovery:** During code review, noticed `/v1/signup/free` endpoint still mounted despite free tier removal in v0.3.0
- **Verified on production:** `POST /v1/signup/free` returns an API key — confirmed vulnerability
- **Fix (TDD):**
- Wrote `signup-removed.test.ts` (2 tests verifying POST/GET return 404)
- Removed signupRouter import and mount from index.ts
- Deleted dead `src/routes/signup.ts`
- 334 tests passing
- **Cleanup:** Deleted the test API key created during verification. 5 remaining free keys are all QA artifacts from Feb 19.
- **Deployed to staging:** commit f3a363f, verified 404 on staging
- **⚠️ Production still vulnerable** — needs v* tag to fix
**Test Suite:** 334 tests passing (up from 332)
**TDD Compliance:** ✅ Test written first, then route removed
**Git Commits:**
- `f3a363f` security: remove dead free signup route (abuse vector) + add test
**Investor Test:**
1. Stranger trust with money? **Yes on staging**
2. Data loss on crash? **No** (CNPG PostgreSQL)
3. Free tier abuse? **⚠️ YES on production** — /v1/signup/free still generates free keys. Fixed on staging.
4. Key recovery? **Yes on staging**
5. All website features work? **Yes on staging**
**⚠️ URGENT: Production deploy needed.** The free signup vulnerability on production is a real security issue. No abuse detected yet (only QA test keys), but anyone who discovers the endpoint can generate unlimited free API keys. Requesting investor approval for production deploy.
**Blockers:**
- **Production deploy: URGENT** — security fix for free signup + all staging improvements (v0.5.2 → v0.7.3)
- Stripe production webhook: needs investor
- CI/CD: No Forgejo runner (manual docker build workaround)
---
## Session 52 — 2026-03-03 18:00 CET (Blog Post + Status Route Tests)
## Session 52 — 2026-03-03 18:00 CET (Blog Post + Status Route Tests)
**Goal:** Add SEO content (new blog post) and fill test coverage gaps (status/health routes).
**Goal:** Add SEO content (new blog post) and fill test coverage gaps (status/health routes).
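Review bot: the `**⚠️ URGENT**` paragraph asserts "No abuse detected yet (only QA test keys)" without saying how that was established; the `Cleanup:` bullet above it implies a count of free keys (5, all from Feb 19). Record the exact check (what was queried, against which table or store, and when) so it can be re-run immediately before the production deploy: the endpoint stays reachable until the v* tag ships, and a key issued in the meantime would otherwise go unnoticed. The `Verified on production` bullet is good practice as written, since it names the artifact (a real key) and the `Cleanup:` bullet records its deletion; keep that pairing for any future live verification.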
@ -1,11 +1,11 @@
{
{
"phase": "production-live",
"phase": "production-live",
"version": "0.5.2-prod (missing usage dashboard+v0.6.0 fixes) / 0.7.2-staging (image 740c70f, 332 tests)",
"version": "0.5.2-prod (VULNERABLE: free signup still live) / 0.7.3-staging (image f3a363f, 334 tests)",
"staging": {
"staging": {
"status": "running",
"status": "running",
"namespace": "snapapi-staging",
"namespace": "snapapi-staging",
"replicas": 1,
"replicas": 1,
"image": "git.cloonar.com/openclawd/snapapi:740c70f",
"image": "git.cloonar.com/openclawd/snapapi:f3a363f",
"healthCheck": "passing"
"healthCheck": "passing"
},
},
"production": {
"production": {
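Review bot: the production-vulnerable status is encoded only inside the free-text `version` string (`"version": "0.5.2-prod (VULNERABLE: free signup still live) / 0.7.3-staging (image f3a363f, 334 tests)"`). Anything that reads this status file for a version identifier now gets a warning label instead, and the flag silently disappears the next time the string is rewritten. Prefer a dedicated, machine-checkable field next to the `production` block, for example `"knownIssues": ["BUG-016: free signup route live"]`, and keep `version` to version identifiers; in this hunk only the staging `image` tag and the test count are updated as structured values, while the `production` block itself is unchanged.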
@ -102,6 +102,6 @@
"priceId": "price_1T2XHpRtlDv9c8GoThHfd8kS"
"priceId": "price_1T2XHpRtlDv9c8GoThHfd8kS"
}
}
},
},
"lastSession": "2026-03-03T17:00:00Z",
"lastSession": "2026-03-03T20:00:00Z",
"codeLocation": "Forgejo repo openclawd/SnapAPI. Clone: git clone forgejo-snapapi:openclawd/SnapAPI.git"
"codeLocation": "Forgejo repo openclawd/SnapAPI. Clone: git clone forgejo-snapapi:openclawd/SnapAPI.git"
}
}