Description
Operator surfaces such as the DLQ in src/api/jobs.ts and any deploy-status endpoints must require admin authentication. Add an auth guard with API-key/JWT verification so unauthenticated callers cannot inspect or replay webhook payloads.
Requirements and context
- Verify API key or JWT (jsonwebtoken) with constant-time key comparison; reject with safe
401/403.
- Apply to DLQ list/replay and deploy/status routes registered in
router.ts/app.ts.
- Redact credentials in logs via
redact.ts; document required env and key rotation.
- Acceptance: integration tests cover missing, invalid, and valid credentials for each protected route.
Suggested execution
- Fork the repo and create a branch:
git checkout -b security/admin-auth-guard
- Implement changes:
src/api/jobs.ts- Tests:
src/api/jobs.dlq.test.ts
- Docs:
docs/api-keys.md
- Include TSDoc/NatSpec-style doc comments
- Validate security assumptions (input validation, auth, signature verification, secret redaction, idempotency)
Test and commit
- Run tests:
npm test (coverage: npm run test:ci)
- Cover edge cases
- Include test output and security notes in the PR
Example commit message
feat(security): require admin auth on DLQ and deploy endpoints
Guidelines
- Minimum 95% line coverage on new/changed code
- No secrets in repo; use
.env + deployment secrets only
- Clear documentation
- Timeframe: 96 hours from assignment
Description
Operator surfaces such as the DLQ in
src/api/jobs.tsand any deploy-status endpoints must require admin authentication. Add an auth guard with API-key/JWT verification so unauthenticated callers cannot inspect or replay webhook payloads.Requirements and context
401/403.router.ts/app.ts.redact.ts; document required env and key rotation.Suggested execution
git checkout -b security/admin-auth-guardsrc/api/jobs.tssrc/api/jobs.dlq.test.tsdocs/api-keys.mdTest and commit
npm test(coverage:npm run test:ci)Example commit message
Guidelines
.env+ deployment secrets only