Security/unexpected auth header guard#356
Open
martinshub-tech wants to merge 7 commits into
Open
Conversation
Contributor
|
Hi 👋 Appreciate this PR! The CI is flagging a failing check — could you take a peek at the failed job and push a fix? Happy to help if you need a hand 🙏 |
…b.com/martinshub-tech/ChainForge into security/unexpected-auth-header-guard
Author
okay..please help |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #214
Description
This PR addresses a potential authorization bypass security issue where routes without a @roles() decorator (undecorated routes) would silently accept and ignore an Authorization header containing credentials. Under the new defense-in-depth security posture, any undecorated route that receives an unexpected Authorization credential will automatically be rejected with 401 Unauthorized.
To bypass this check for intentionally public anonymous routes, developers can opt-in explicitly using @NoAuthStrict() or specify path exceptions in the PUBLIC_AUTH_BYPASS environment variable. A CI check (nestjs-route-doctor) enforces this rule.
Changes Made
Guards & Decorators:
Created @NoAuthStrict() decorator to explicitly opt-in to public anonymous access for routes.
Implemented UnexpectedAuthHeaderGuard which intercepts and rejects Authorization headers on undecorated endpoints.
Registered UnexpectedAuthHeaderGuard globally in AppModule.
CI Lint Check (nestjs-route-doctor):
Built a command-line script to inspect routes at boot time and verify they are either decorated (with @roles() or @NoAuthStrict()) or bypassed via the PUBLIC_AUTH_BYPASS list.
Added pnpm run nestjs-route-doctor to scripts in package.json.
Integrated the route doctor scan as a lint step in .github/workflows/backend-ci.yml.
Test Optimization:
Added detailed e2e test cases in security.e2e-spec.ts.
Created lightweight mocks for ioredis and @nestjs/bullmq in the e2e test environment to prevent infinite Redis connection retries on local/CI tests.