snapapi: session 53 — security fix for free signup vulnerability
This commit is contained in:
Hoid
parent
a3848df0e9
commit
e4d9233ab7
3 changed files with 56 additions and 3 deletions
|
|
@ -78,6 +78,14 @@
|
|||
- **Root cause:** v0.5.2 image was built before usage dashboard commit (5b59a7a)
|
||||
- **Fix:** Needs new production deploy after staging verified
|
||||
|
||||
### BUG-016: Free signup route still mounted in production (HIGH) — FIXED (staging)
|
||||
- **Found:** Session 53 (self-discovered)
|
||||
- **Impact:** /v1/signup/free still active on production — anyone can generate unlimited free API keys despite free tier being "removed" in v0.3.0
|
||||
- **Root cause:** Route was removed from pricing/landing page but `signupRouter` was never unmounted from `index.ts`
|
||||
- **Fix:** Removed signup import + route registration, deleted dead `signup.ts` file, added test verifying 404. Cleaned up leaked test key + verified 5 remaining keys are all QA artifacts.
|
||||
- **Deployed to staging:** Yes (commit f3a363f, image imported to w1+w2). Verified: 404 on staging.
|
||||
- **Production:** ⚠️ STILL VULNERABLE — needs production deploy (v* tag) to fix. This is a security issue.
|
||||
|
||||
## Open
|
||||
|
||||
### BUG-015: Python SDK missing URL validation for ScreenshotOptions object (LOW) — FIXED
|
||||
|
|
|
|||
|
|
@ -1,5 +1,50 @@
|
|||
# SnapAPI Session Log
|
||||
|
||||
## Session 53 — 2026-03-03 21:00 CET (Security Fix: Free Signup Route)
|
||||
|
||||
**Goal:** Evening housekeeping — discovered and fixed a security vulnerability.
|
||||
|
||||
**Health Check:**
|
||||
- Production: ✅ healthy, 2 replicas, 5+ days uptime (still v0.5.2)
|
||||
- Staging: ✅ healthy, deployed f3a363f
|
||||
|
||||
**Work Done:**
|
||||
|
||||
### 1. BUG-016: Free signup route still live in production (HIGH)
|
||||
- **Discovery:** During code review, noticed `/v1/signup/free` endpoint still mounted despite free tier removal in v0.3.0
|
||||
- **Verified on production:** `POST /v1/signup/free` returns an API key — confirmed vulnerability
|
||||
- **Fix (TDD):**
|
||||
- Wrote `signup-removed.test.ts` (2 tests verifying POST/GET return 404)
|
||||
- Removed signupRouter import and mount from index.ts
|
||||
- Deleted dead `src/routes/signup.ts`
|
||||
- 334 tests passing
|
||||
- **Cleanup:** Deleted the test API key created during verification. 5 remaining free keys are all QA artifacts from Feb 19.
|
||||
- **Deployed to staging:** commit f3a363f, verified 404 on staging
|
||||
- **⚠️ Production still vulnerable** — needs v* tag to fix
|
||||
|
||||
**Test Suite:** 334 tests passing (up from 332)
|
||||
|
||||
**TDD Compliance:** ✅ Test written first, then route removed
|
||||
|
||||
**Git Commits:**
|
||||
- `f3a363f` security: remove dead free signup route (abuse vector) + add test
|
||||
|
||||
**Investor Test:**
|
||||
1. Stranger trust with money? **Yes on staging**
|
||||
2. Data loss on crash? **No** (CNPG PostgreSQL)
|
||||
3. Free tier abuse? **⚠️ YES on production** — /v1/signup/free still generates free keys. Fixed on staging.
|
||||
4. Key recovery? **Yes on staging**
|
||||
5. All website features work? **Yes on staging**
|
||||
|
||||
**⚠️ URGENT: Production deploy needed.** The free signup vulnerability on production is a real security issue. No abuse detected yet (only QA test keys), but anyone who discovers the endpoint can generate unlimited free API keys. Requesting investor approval for production deploy.
|
||||
|
||||
**Blockers:**
|
||||
- **Production deploy: URGENT** — security fix for free signup + all staging improvements (v0.5.2 → v0.7.3)
|
||||
- Stripe production webhook: needs investor
|
||||
- CI/CD: No Forgejo runner (manual docker build workaround)
|
||||
|
||||
---
|
||||
|
||||
## Session 52 — 2026-03-03 18:00 CET (Blog Post + Status Route Tests)
|
||||
|
||||
**Goal:** Add SEO content (new blog post) and fill test coverage gaps (status/health routes).
|
||||
|
|
|
|||
|
|
@ -1,11 +1,11 @@
|
|||
{
|
||||
"phase": "production-live",
|
||||
"version": "0.5.2-prod (missing usage dashboard+v0.6.0 fixes) / 0.7.2-staging (image 740c70f, 332 tests)",
|
||||
"version": "0.5.2-prod (VULNERABLE: free signup still live) / 0.7.3-staging (image f3a363f, 334 tests)",
|
||||
"staging": {
|
||||
"status": "running",
|
||||
"namespace": "snapapi-staging",
|
||||
"replicas": 1,
|
||||
"image": "git.cloonar.com/openclawd/snapapi:740c70f",
|
||||
"image": "git.cloonar.com/openclawd/snapapi:f3a363f",
|
||||
"healthCheck": "passing"
|
||||
},
|
||||
"production": {
|
||||
|
|
@ -102,6 +102,6 @@
|
|||
"priceId": "price_1T2XHpRtlDv9c8GoThHfd8kS"
|
||||
}
|
||||
},
|
||||
"lastSession": "2026-03-03T17:00:00Z",
|
||||
"lastSession": "2026-03-03T20:00:00Z",
|
||||
"codeLocation": "Forgejo repo openclawd/SnapAPI. Clone: git clone forgejo-snapapi:openclawd/SnapAPI.git"
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue