
Bug: GET /tasks and GET /messages require no authentication, exposing all project data publicly #158

@anshul23102

Description

Both GET /api/tasks and GET /api/messages are registered without any authentication middleware in backend/routes/tasks.routes.js and backend/routes/chat.routes.js respectively. Any unauthenticated HTTP client can retrieve the full task list and full chat history of the workspace.

// tasks.routes.js
router.get("/", getTasks);          // no authenticateUser

// chat.routes.js
router.get("/", getMessages);       // no authenticateUser

Both controllers fetch all records from Supabase with no user or project scope filter, so the entire dataset is exposed.

Steps to Reproduce

  1. Start the FlowForge backend server.
  2. Send GET /api/tasks with no Authorization header.
  3. Observe that all task records are returned (id, title, description, status, position).
  4. Send GET /api/messages with no Authorization header.
  5. Observe that all chat messages are returned (text, username, image, audio, created_at).

Expected Behavior

Both endpoints should require a valid user session before returning any data. The pattern used for the mutation endpoints (router.post("/", authenticateUser, createTask)) should be applied to the GET endpoints too:

router.get("/", authenticateUser, getTasks);
router.get("/", authenticateUser, getMessages);

Actual Behavior

All tasks and all chat messages are publicly readable without authentication.

Root Cause

In both route files, the GET handler is registered without the authenticateUser middleware that protects every other verb. This is likely an omission when the middleware was first added.

A secondary issue exists in the same files: POST / is registered twice - once with authenticateUser and once with only validateMessage / validateTask. Express uses the first matching registration, making the second one silently dead code. This should be collapsed into a single registration that applies both middleware in order:

router.post("/", authenticateUser, validateMessage, sendMessage);
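The two fixes from this report, exercised on a tiny router that imitates Express's registration-order dispatch (an added example written for this issue, not FlowForge's own code or the real express package; `authenticateUser`, `validateTask`, the handlers, the bearer-token session check and the sample task are all stand-ins):

```javascript
// Added example (not FlowForge code): a minimal stand-in for Express routing that
// walks layers in registration order, like Express, without the express package.
function createRouter() {
  const layers = [];
  const register = (method) => (path, ...handlers) =>
    layers.push({ method, path, handlers });
  function handle(req) {
    const res = { status: 200, body: undefined, ended: false };
    for (const layer of layers) {
      if (layer.method !== req.method || layer.path !== req.path) continue;
      let i = 0;
      const next = () => { const h = layer.handlers[i++]; if (h) h(req, res, next); };
      next();
      if (res.ended) return res; // the first layer that ends the response wins
    }
    return { ...res, status: 404, ended: true };
  }
  return { get: register("GET"), post: register("POST"), handle };
}

// Stand-in middleware and handlers (assumed shapes, not the project's own code).
function authenticateUser(req, res, next) {
  if ((req.headers || {}).authorization === "Bearer valid-session") return next();
  Object.assign(res, { status: 401, body: { error: "unauthorized" }, ended: true });
}
function validateTask(req, res, next) {
  if (req.body && typeof req.body.title === "string") return next();
  Object.assign(res, { status: 400, body: { error: "title required" }, ended: true });
}
const TASKS = [{ id: 1, title: "constructed sample task", status: "todo" }];
function getTasks(req, res) { Object.assign(res, { body: TASKS, ended: true }); }
function createTask(req, res) {
  Object.assign(res, { status: 201, body: { id: 2, ...req.body }, ended: true });
}
// Wiring as the issue describes it: unauthenticated GET, and POST registered twice.
function buildVulnerableRouter() {
  const r = createRouter();
  r.get("/api/tasks", getTasks);
  r.post("/api/tasks", authenticateUser, createTask);
  r.post("/api/tasks", validateTask, createTask); // never reached: dead layer
  return r;
}
// Wiring as the issue proposes: auth on GET, one POST chain running both middleware.
function buildFixedRouter() {
  const r = createRouter();
  r.get("/api/tasks", authenticateUser, getTasks);
  r.post("/api/tasks", authenticateUser, validateTask, createTask);
  return r;
}
```

With the vulnerable wiring an authenticated POST with no title is accepted because the `validateTask` layer is never reached; with the fixed wiring it is rejected with 400.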

Environment

  • Backend: Node.js / Express
  • Files: backend/routes/tasks.routes.js, backend/routes/chat.routes.js

Additional Context

Expected NSOC points: level3 (security vulnerability exposing all workspace data publicly)

Suggested labels: bug, NSoC'26, level3
