
fix: apply requireAdmin middleware to admin user management routes #79

Open
FLASH2332 wants to merge 1 commit into OneBusAway:main from FLASH2332:fix/admin-routes-require-admin-middleware

Conversation

@FLASH2332

Problem

The /api/v1/admin/users/* routes only validated JWT signature and expiry via requireAuth,
but did not check the caller's role. Any authenticated driver could create, delete, and modify
all user accounts—including promoting themselves to admin or deleting other admins.

Solution

Applied the existing requireAdmin middleware to all five admin user management routes:

  • GET /api/v1/admin/users
  • GET /api/v1/admin/users/{id}
  • POST /api/v1/admin/users
  • PUT /api/v1/admin/users/{id}
  • DELETE /api/v1/admin/users/{id}

Routes now use authMiddleware(adminMiddleware(...)) to verify both JWT validity and admin role.

Changes

  • main.go: Wrapped all admin user routes with adminMiddleware

Security Impact

  • Non-admin users now receive 403 Forbidden instead of succeeding
  • Prevents privilege escalation and unauthorized data modification
  • Aligns with existing admin route protection pattern (/api/v1/admin/status, /api/v1/admin/vehicles/*)

Closes #75
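The middleware composition the description refers to, as an added example that is not the project's code: a minimal net/http version of the auth-only wrapping next to the auth-plus-admin wrapping, exercised with httptest. The token-to-role map stands in for JWT verification, and the handler and route names are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type roleKey struct{} // context key for the role established by authMiddleware
// Constructed stand-in for JWT verification (token -> role claim); the real middleware checks signature and expiry.
var sessions = map[string]string{"token-driver": "driver", "token-admin": "admin"}

// authMiddleware rejects unknown tokens and records the caller's role; this was the only check on the vulnerable routes.
func authMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		role, ok := sessions[r.Header.Get("Authorization")]
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), roleKey{}, role)))
	})
}

// adminMiddleware requires the role set by authMiddleware to be "admin"; anything else gets 403.
func adminMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if role, _ := r.Context().Value(roleKey{}).(string); role != "admin" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// deleteUser stands in for the DELETE /api/v1/admin/users/{id} handler.
var deleteUser = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
var before = authMiddleware(deleteUser)                  // JWT validity only (the vulnerable wrapping)
var after = authMiddleware(adminMiddleware(deleteUser)) // JWT validity and admin role (the fix)

// statusFor sends DELETE /api/v1/admin/users/42 with the given token through h and returns the status code.
func statusFor(h http.Handler, token string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodDelete, "/api/v1/admin/users/42", nil)
	req.Header.Set("Authorization", token)
	h.ServeHTTP(rec, req)
	return rec.Code
}
func main() { fmt.Println(statusFor(before, "token-driver"), statusFor(after, "token-driver"), statusFor(after, "token-admin")) } // 200 403 200
```

Note that adminMiddleware only reads the role placed in the context by authMiddleware, so the order authMiddleware(adminMiddleware(...)) matters: the outer wrapper must run first.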


Successfully merging this pull request may close these issues.

security: add admin role authorization to /api/v1/admin/* endpoints
