fix(env-vars): require auth on GET, POST and DELETE handlers#133
Conversation
All three handlers were missing auth checks, allowing any unauthenticated client to read decrypted secrets or mutate env vars for any project. Added auth() guard at the top of each handler, matching the pattern used in /api/attack-pipeline/route.ts. Closes deekshithgowda85#120
|
@nyxsky404 is attempting to deploy a commit to the Deekshith Gowda HS's projects Team on Vercel. A member of the Team first needs to authorize it. |
|
Warning Review limit reached
More reviews will be available in 52 minutes and 12 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. 📝 WalkthroughWalkthroughAdds ChangesEnv-vars route authentication
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@app/api/env-vars/route.ts`:
- Around line 16-19: After verifying the user is authenticated with the session
check in the env-vars route handler, add an authorization check to ensure the
authenticated user has access to the specific project they are requesting. Query
the database to verify the user owns or has permission to access the project
before allowing them to read, create, or delete environment variables. This
authorization gap must be fixed not only in the current GET handler context but
also in the POST and DELETE handlers to prevent any authenticated user from
accessing or modifying environment variables for projects they do not have
access to.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
After authentication, each handler now verifies the authenticated user owns the requested project by checking for a matching deployment record (user_id + repo_name). Returns 403 if no match is found. Extracted into a shared userOwnsProject() helper used by all three handlers. Addresses CodeRabbit review on PR deekshithgowda85#133.
deekshithgowda85
added
gssoc:approved
2 participants
What
All three handlers in
app/api/env-vars/route.tshad no authentication checks. Any unauthenticated client couldGET /api/env-vars?project=x&reveal=1and receive fully decrypted secret values, or call POST/DELETE to write/remove vars for any project.Change
Added
auth()guard at the top of each handler — same pattern already used in/api/attack-pipeline/route.ts. Returns 401 before touching any data if the session is missing.Closes #120
Summary by CodeRabbit