fix(#856 #857 #858): harden admin auth, webhook signatures, and CORS#863
Merged
hman38705 merged 1 commit on Jun 2, 2026
… admin auth, webhook signatures, and CORS

- Closes solutions-plug#856: fix ApiKeyAuth::verify to fail-closed — empty API_KEYS previously allowed all requests through; now returns 401 when no keys are configured. Add startup warning in config.validate(). Document all missing admin routes (/api/blockchain/replay, /api/v1/email/queue/dead-letter, /api/v1/email/queue/dead-letter/{job_id}/requeue, /api/v1/audit/logs, /api/v1/audit/statistics) in openapi.yaml with ApiKeyAuth security scheme.
- Closes solutions-plug#857: SendGrid webhook signature verification was already wired via sendgrid_webhook_middleware (HMAC-SHA256 + timestamp replay window); no additional changes required.
- Closes solutions-plug#858: CORS is already restricted to a configurable allowlist via CORS_ALLOWED_ORIGINS env var with secure production defaults; no additional changes required.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@job-soft Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
Summary

- #856 (Wire admin authentication middleware into admin routes) — Admin auth: `ApiKeyAuth::verify` was fail-open: an empty `API_KEYS` env var let all requests through the middleware unchallenged. Changed the logic to fail-closed (`!is_empty() && any()`), so any deployment without `API_KEYS` configured now correctly returns `401` on all admin endpoints. Added a startup warning via `config.validate()` so operators are notified. Also added the 5 undocumented admin routes to `openapi.yaml` under the `ApiKeyAuth` security scheme (`/api/blockchain/replay`, `/api/v1/email/queue/dead-letter`, `/api/v1/email/queue/dead-letter/{job_id}/requeue`, `/api/v1/audit/logs`, `/api/v1/audit/statistics`).
- #857 (Verify SendGrid webhook signatures before processing events) — SendGrid webhook signatures: `sendgrid_webhook_middleware` already performs full HMAC-SHA256 verification against `SENDGRID_WEBHOOK_SECRET` plus a configurable timestamp replay window (`WEBHOOK_REPLAY_WINDOW_SECS`, default 300 s). No code changes required — confirming implementation is complete and closing the issue.
- #858 (Restrict CORS from fully permissive to configurable allowlist) — CORS allowlist: CORS is already restricted via `CorsConfig` loaded from `CORS_ALLOWED_ORIGINS`, `CORS_ALLOWED_METHODS`, `CORS_ALLOWED_HEADERS`, and `CORS_ALLOW_CREDENTIALS` env vars with secure production defaults. `CORS_DEV_MODE=true` is required to opt in to permissive behaviour and logs a warning. No code changes required — confirming implementation is complete and closing the issue.

Test plan

- `API_KEYS=` (empty) and confirm all `/admin/*` requests return `401 Unauthorized`.
- `API_KEYS=secret` and confirm requests with `X-API-Key: secret` succeed and requests without it return `401`.
- `API_KEYS` is not set.
- `POST /webhooks/sendgrid` with an invalid `X-Twilio-Email-Event-Webhook-Signature` returns `401`.
- `CORS_ALLOWED_ORIGINS` is blocked.

closes #856
closes #857
closes #858

🤖 Generated with Claude Code
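The fail-open bug in #856 is easiest to see with the old and new checks side by side. The block below is an added example, not code from this PR or from the solutions-plug project: `ApiKeyAuth`, `verify`, the `API_KEYS` env var, the `config.validate()` warning and the `X-API-Key` header are taken from the PR description, while the `Decision` enum, the struct layout, the shape of the pre-fix logic (`verify_fail_open`), the constant-time comparison and the `header_value` lookup are assumptions made for illustration. It uses only the Rust standard library.

```rust
// Added example, not the project's own code: a fail-open and a fail-closed
// API-key check side by side. `ApiKeyAuth`, `verify`, `API_KEYS` and the
// `X-API-Key` header come from the PR description; the struct layout, the
// `Decision` enum, `verify_fail_open` and the header lookup are assumptions.

/// Outcome of the check; `Unauthorized` maps to HTTP 401.
#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    Unauthorized,
}

pub struct ApiKeyAuth {
    keys: Vec<String>,
}

/// Compare two strings without an early exit on the first mismatching byte,
/// so a wrong key costs the same time as a nearly-right one. The length still
/// leaks, which is acceptable for fixed-length keys.
fn constant_time_eq(a: &str, b: &str) -> bool {
    let (a, b) = (a.as_bytes(), b.as_bytes());
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Case-insensitive header lookup over `(name, value)` pairs (assumed shape).
pub fn header_value<'a>(headers: &[(&'a str, &'a str)], name: &str) -> Option<&'a str> {
    headers
        .iter()
        .find(|(k, _)| k.eq_ignore_ascii_case(name))
        .map(|(_, v)| *v)
}

impl ApiKeyAuth {
    /// Build from the raw `API_KEYS` value (comma-separated). Blank entries
    /// are dropped so `API_KEYS=,` cannot turn into a valid empty key.
    pub fn from_env_value(raw: &str) -> Self {
        let keys = raw
            .split(',')
            .map(str::trim)
            .filter(|k| !k.is_empty())
            .map(String::from)
            .collect();
        Self { keys }
    }

    /// Startup check in the spirit of the PR's `config.validate()` warning.
    pub fn validate(&self) -> Option<String> {
        if self.keys.is_empty() {
            Some("API_KEYS is not set; every admin request will be rejected with 401".into())
        } else {
            None
        }
    }

    /// Assumed pre-fix shape: "no keys configured" was read as "authentication
    /// disabled", so an empty `API_KEYS` admitted every request.
    pub fn verify_fail_open(&self, presented: Option<&str>) -> Decision {
        let ok = self.keys.is_empty() || self.matches(presented);
        if ok { Decision::Allow } else { Decision::Unauthorized }
    }

    /// Fail-closed, as in the fix: allow only when at least one key is
    /// configured and the presented key matches one of them.
    pub fn verify(&self, presented: Option<&str>) -> Decision {
        let ok = !self.keys.is_empty() && self.matches(presented);
        if ok { Decision::Allow } else { Decision::Unauthorized }
    }

    fn matches(&self, presented: Option<&str>) -> bool {
        match presented {
            Some(p) => self.keys.iter().any(|k| constant_time_eq(k, p)),
            None => false,
        }
    }
}

fn main() {
    let auth = ApiKeyAuth::from_env_value(&std::env::var("API_KEYS").unwrap_or_default());
    if let Some(warning) = auth.validate() {
        eprintln!("warning: {warning}");
    }
    // Constructed request headers for the demo; run with API_KEYS unset to see
    // the old logic admit the request while the new logic rejects it.
    let headers = [("content-type", "application/json"), ("x-api-key", "secret")];
    let presented = header_value(&headers, "X-API-Key");
    println!(
        "fail-open: {:?}, fail-closed: {:?}",
        auth.verify_fail_open(presented),
        auth.verify(presented)
    );
}
```

Note that `any()` over an empty list is already false, so the explicit `!is_empty()` guard in `verify` is there to make the fail-closed intent obvious to the next reader; the dangerous variant is the one that treats an empty configuration as a reason to skip the check.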