Remove optional auth mode from achievement code endpoints#253
Pull request overview
This PR hardens the achievement “code” endpoints by removing Hapi auth.mode: 'try', ensuring authentication failures don’t fall through as unauthenticated requests (which could expose achievement codes).
Changes:
- Removed auth.mode: 'try' from the GET /achievements/code and GET /achievements/{id}/code route options.
- Restores the default "required" auth behavior for these team/admin-scoped endpoints.
| @@ -389,7 +389,6 @@ exports.listWithCode = { | |||
| auth: { | |||
| strategies: ['default'], | |||
| scope: ['team', 'admin'], | |||
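Review bot: the hunk shown here touches only exports.listWithCode (header -389,7 +389,6, a single line removed), while the overview lists both GET /achievements/code and GET /achievements/{id}/code; confirm the {id}/code route drops mode: 'try' in the same way, and consider writing mode: 'required' explicitly (as the second suggestion does) so the intended mode is visible in the route options rather than relying on the default.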
After removing mode: 'try', scope is now the last property in this object but still has a dangling trailing comma. The repo uses standard linting (package.json lint script), which will fail on trailing commas—please remove the trailing comma here to satisfy the style/lint rules.
| scope: ['team', 'admin'], | |
| scope: ['team', 'admin'] |
| @@ -389,7 +389,6 @@ exports.listWithCode = { | |||
| auth: { | |||
| strategies: ['default'], | |||
| scope: ['team', 'admin'], | |||
This change fixes an auth-mode bypass for the code endpoints; there are existing tests for admin/team/user access, but no regression test asserting that unauthenticated requests (no auth header) are rejected (expected 401) for /achievements/code and /achievements/{id}/code. Adding that test would prevent this vulnerability from reappearing.
| scope: ['team', 'admin'], | |
| scope: ['team', 'admin'], | |
| mode: 'required' |
This PR fixes a security issue caused by using mode: try in achievement routes protected by team/admin scope.
With mode: try, authentication failures can still pass through as unauthenticated requests, which means anyone can make the request and get the codes of each achievement.
🧙
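As an added illustration (not code from this PR or the project), the following models how hapi resolves a route's auth mode before the handler runs, and why mode: 'try' on a team/admin-scoped route lets a caller with no credentials reach the handler. The strategy-result shape, the constructed credentials and the function names are assumptions; the route paths and scope come from the PR.

```javascript
// Added example, not code from this PR or the project. A minimal model of
// hapi's auth-mode semantics; resolveAuth and the outcome shapes are assumed.

// Constructed strategy outcomes for the model:
//   null                       -> no Authorization header was sent
//   { error: '...' }           -> a header was sent but failed validation
//   { credentials: { scope } } -> valid credentials with the given scope
const NO_HEADER = null;
const BAD_TOKEN = { error: 'invalid token' };
const TEAM_USER = { credentials: { scope: ['team'] } };
const PLAIN_USER = { credentials: { scope: ['user'] } };

// Mode semantics as documented by hapi:
//   required: credentials must be present and valid
//   optional: may be absent, but if present must be valid
//   try:      may be absent or invalid; the handler still runs
// Scope is only evaluated once a request is authenticated, so with 'try'
// an unauthenticated request skips the scope check entirely.
function resolveAuth(routeAuth, outcome) {
  const mode = routeAuth.mode || 'required'; // hapi's default mode

  if (outcome === null || outcome.error) {
    const headerPresent = outcome !== null;
    const reject = mode === 'required' || (mode === 'optional' && headerPresent);
    if (reject) return { statusCode: 401, reason: 'unauthenticated' };
    // Falls through to the handler with no credentials; scope never checked.
    return { statusCode: 200, reason: 'handler ran unauthenticated' };
  }

  const granted = outcome.credentials.scope || [];
  const allowed = routeAuth.scope.some((s) => granted.includes(s));
  if (!allowed) return { statusCode: 403, reason: 'insufficient scope' };
  return { statusCode: 200, reason: 'authorized' };
}

// Route auth options before and after the PR (scope taken from the hunk).
const beforeAuth = { strategies: ['default'], scope: ['team', 'admin'], mode: 'try' };
const afterAuth = { strategies: ['default'], scope: ['team', 'admin'] };

const routesBefore = {
  '/achievements/code': beforeAuth,
  '/achievements/{id}/code': beforeAuth,
};
const routesAfter = {
  '/achievements/code': afterAuth,
  '/achievements/{id}/code': afterAuth,
};

// The regression check the review asks for: every code endpoint must answer
// 401 to a request with no auth header or a bad token, 403 to an authenticated
// user outside the team/admin scope, and 200 to a team member.
function codeEndpointsProtected(routes) {
  return Object.entries(routes).every(([path, routeAuth]) => {
    const noHeader = resolveAuth(routeAuth, NO_HEADER).statusCode === 401;
    const badToken = resolveAuth(routeAuth, BAD_TOKEN).statusCode === 401;
    const wrongScope = resolveAuth(routeAuth, PLAIN_USER).statusCode === 403;
    const teamOk = resolveAuth(routeAuth, TEAM_USER).statusCode === 200;
    if (!(noHeader && badToken && wrongScope && teamOk)) {
      console.log(`unprotected: ${path}`);
      return false;
    }
    return true;
  });
}

console.log('before PR protected:', codeEndpointsProtected(routesBefore)); // false
console.log('after PR protected:', codeEndpointsProtected(routesAfter));   // true
```

In the real test suite the same check would be expressed with hapi's server.inject, sending a GET to each code route without an Authorization header and expecting statusCode 401, which is the regression test the second review comment suggests.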