Receipt · 83e79770-0
Admin endpoints have no authentication or authorization
security · critical
repo d2246a0e · PR #1 · reviewed 13 hours ago
The finding
- app/api/admin/templates/route.ts:1-70
- app/api/admin/analyze/route.ts:11-30
- app/admin/page.tsx:17-35
All `/api/admin/*` routes (GET/PUT/POST templates, POST analyze) are mounted as public Next.js route handlers with no session check, no API key, no role check, and no middleware referenced. POST uses the Supabase service-role client (`getSupabaseAdmin()`) to insert arbitrary rows from the unvalidated request body, and PUT applies arbitrary updates via `updateTemplate(id, updates)`. The same goes for `/api/admin/analyze`, which downloads content from attacker-supplied URLs and spawns ffmpeg on that input. Any unauthenticated internet user can list templates, create or update arbitrary template rows, and trigger video downloads on the server.
Fix
Add an auth check (NextAuth session with an admin role, or a server-side admin token) to every handler under app/api/admin/*, either inline or via middleware.ts. Reject unauthenticated requests with 401 before touching the database or ffmpeg.
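One way to apply the server-side admin-token option to every handler, as an added example that is not the reviewed project's code: a guard that runs before any database or ffmpeg work, wrapping each exported route handler. The `Authorization: Bearer` header, the `ADMIN_API_TOKEN` environment variable and the helper names are assumptions.

```typescript
// Added example (not the reviewed project's code): reusable admin guard for
// Next.js route handlers under app/api/admin/*. Header name, env var and
// helper names are assumptions for illustration.
import { timingSafeEqual } from "node:crypto";

const AUTH_HEADER = "authorization";            // assumed: "Authorization: Bearer <token>"
const ENV_TOKEN = process.env.ADMIN_API_TOKEN;   // assumed env var holding the admin token

// Constant-time comparison of the presented bearer token with the expected one.
export function isAuthorizedAdmin(
  authHeader: string | null,
  expected: string | undefined = ENV_TOKEN,
): boolean {
  if (!expected) return false;                   // fail closed: no token configured, nobody is admin
  if (!authHeader) return false;
  const m = /^Bearer\s+(\S+)$/i.exec(authHeader);
  if (!m) return false;
  const presented = Buffer.from(m[1]);
  const wanted = Buffer.from(expected);
  // Length check first: timingSafeEqual throws on unequal lengths.
  return presented.length === wanted.length && timingSafeEqual(presented, wanted);
}

// Minimal request shape; a Next.js route handler's Request satisfies it structurally.
type HasHeaders = { headers: { get(name: string): string | null } };

// Returns a 401 Response when the caller is not an admin, or null when the handler may run.
export function checkAdminRequest(
  req: HasHeaders,
  expected: string | undefined = ENV_TOKEN,
): Response | null {
  if (isAuthorizedAdmin(req.headers.get(AUTH_HEADER), expected)) return null;
  return new Response(JSON.stringify({ error: "unauthorized" }), {
    status: 401,
    headers: { "content-type": "application/json", "www-authenticate": "Bearer" },
  });
}

// Wraps a route handler so the check runs before the service-role client or ffmpeg is touched.
// In a route file: export const POST = withAdminAuth(async (req) => { /* insert template */ });
export function withAdminAuth<R extends HasHeaders, A extends unknown[]>(
  handler: (req: R, ...args: A) => Promise<Response> | Response,
  expected: string | undefined = ENV_TOKEN,
) {
  return async (req: R, ...args: A): Promise<Response> => {
    const denied = checkAdminRequest(req, expected);
    return denied ?? handler(req, ...args);
  };
}
```

The NextAuth variant from the fix would replace `isAuthorizedAdmin` with a session lookup that also verifies the admin role; the wrapper and the 401 path stay the same.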
Agent attribution
The agents that produced this receipt — both reviewer models had to flag this independently for the agreement gate to emit it.
- anthropic · gpt-5 · 92.0s · error
- openai · claude-opus-4-7 · 136.5s · error
Total
wall-clock review time · est. inference cost
136.5s · $0.40
Sweeper
closed at SHA
still open
internal review id · 83e79770
Third-party witnesses
Everything below lives on GitHub's event log, not ours. Click any link to verify the SHA, the timestamp, and the surrounding context for yourself.
Original review comment
https://github.com/Augustas11/krisskross_shops/pull/1#issuecomment-4467353797