security: add authentication to logs endpoint and filter by user#409
security: add authentication to logs endpoint and filter by user#409its-me-abhishek merged 2 commits intomainfrom
Conversation
|
Thank you for opening this PR! Before a maintainer takes a look, it would be really helpful if you could walk through your changes using GitHub's review tools. Please take a moment to:
More information on how to conduct a self review: This helps make the review process smoother and gives us a clearer understanding of your thought process. Once you've added your self-review, we'll continue from our side. Thank you! |
| // Get user's UUID to filter logs | ||
| userUUID, _ := userInfo["uuid"].(string) | ||
|
|
||
| // Get the 'last' query parameter, default to 100 |
There was a problem hiding this comment.
should also add a cap to the last value. one may request for a pretty big number which can cause crashes. Also maybe just maintain the same threshold, overall as well. To prevent unnecessary overheads
There was a problem hiding this comment.
A hard cap of 20 should probably be enough
Add session authentication to /sync/logs endpoint and filter logs by user UUID so users can only see their own logs. - Require valid session to access logs endpoint - Add GetLogsByUser() to filter logs by user UUID - Return 401 Unauthorized for unauthenticated requests - Update SyncLogsHandler signature to accept session store Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change default from 100 to 20 - Enforce maximum of 20 entries regardless of request - Prevents resource exhaustion from large requests Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
cfsmp3
force-pushed
the
security/auth-logs-endpoint
branch
from
b3c5c38 to
ccba488
Compare
|
Addressed the feedback in commit ccba488:
The cap is enforced with a simple check after parsing the parameter. |
2 participants
Summary
Security Issue Addressed
Unauthenticated Logs Endpoint (Medium) - Previously, the /sync/logs endpoint had no authentication, allowing anyone to view sync operation logs. Logs could contain sensitive information like user UUIDs and operation details.
Changes
backend/controllers/get_logs.go:backend/models/logs.go:backend/main.go:Test plan
🤖 Generated with Claude Code