Parent umbrella issue: #495
Source audit: Weekly tech debt audit: dispatch - 2026-07-01
Source audit date: 2026-07-01
Original recommendation
Authentication bypass risk: OIDC mode API routes (medium severity)
Evidence: src/middleware.ts line 68 — in OIDC mode, all API routes are passed through without middleware auth: if (isApiRoute) { return NextResponse.next(); }. The route handlers are expected to call authorizeRequest(), but there are routes that do NOT call it:
- src/app/api/sync/route.ts — no auth check visible in the route handler
- src/app/api/sync/scheduled/route.ts — no explicit auth check
- src/app/api/issues/groom/route.ts — legacy groom endpoint
- Several other API endpoints rely on middleware-level protection in basic mode only
In OIDC mode, a missing authorizeRequest() call means the route is fully open. This is acceptable for some read-only endpoints, but mutating endpoints (sync, groom, issue move) without explicit auth could be exploited if the deployment exposes these ports.
Affected routes (potentially missing auth in OIDC mode): /api/sync, /api/sync/scheduled, /api/issues/groom, and endpoints that authenticate only via middleware (which skips API routes in OIDC mode).
Matched top finding
Evidence: src/middleware.ts line 68 — in OIDC mode, all API routes are passed through without middleware auth: if (isApiRoute) { return NextResponse.next(); }. The route handlers are expected to call authorizeRequest(), but there are routes that do NOT call it:
- src/app/api/sync/route.ts — no auth check visible in the route handler
- src/app/api/sync/scheduled/route.ts — no explicit auth check
- src/app/api/issues/groom/route.ts — legacy groom endpoint
- Several other API endpoints rely on middleware-level protection in basic mode only
In OIDC mode, a missing authorizeRequest() call means the route is fully open. This is acceptable for some read-only endpoints, but mutating endpoints (sync, groom, issue move) without explicit auth could be exploited if the deployment exposes these ports.
Affected routes (potentially missing auth in OIDC mode): /api/sync, /api/sync/scheduled, /api/issues/groom, and endpoints that authenticate only via middleware (which skips API routes in OIDC mode).
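The finding above (in both the original recommendation and the matched finding) is a deny-by-default problem: once the middleware passes every /api route through in OIDC mode, each handler has to remember to call authorizeRequest(), and the audit shows several that do not. The block below is an added illustration and not the audited project's code. It assumes a minimal request/response model instead of NextResponse, a stand-in authorizeRequest() that accepts a single constructed demo token, and a few constructed route-file sources; it shows the permissive middleware decision beside a wrapper that makes authorization the default for a route handler, refuses to mount a mutating route as public, and a CI-style check that flags route files which reference neither authorizeRequest() nor the wrapper.

```typescript
// Added illustration (not the audited project's code): make authorization on API
// route handlers the default, and check route sources for it in CI.
// `authorizeRequest` below is a stand-in that accepts one constructed demo token.

type Mode = "basic" | "oidc";

interface Req {
  method: string;
  path: string;
  headers: Record<string, string>;
}

interface Res {
  status: number;
  body: string;
}

type Handler = (req: Req) => Res;

// Constructed credential for the demo; a real deployment validates a session
// cookie or OIDC token here instead.
const DEMO_TOKEN = "demo-session-token";

function authorizeRequest(req: Req): { subject: string } | null {
  const header = req.headers["authorization"] ?? "";
  return header === `Bearer ${DEMO_TOKEN}` ? { subject: "demo-user" } : null;
}

// Mirrors the audited middleware line: in OIDC mode every /api route is passed
// through, so whether a request is authorized depends entirely on the handler.
function weakMiddleware(mode: Mode, req: Req): "next" | "deny" {
  const isApiRoute = req.path.startsWith("/api/");
  if (mode === "oidc" && isApiRoute) return "next";
  return authorizeRequest(req) ? "next" : "deny";
}

// Hardened handler wrapper: the business logic only runs behind a successful
// authorizeRequest(), and a route author has to opt out explicitly.
function withAuthorization(handler: Handler): Handler {
  return (req) => {
    const principal = authorizeRequest(req);
    if (principal === null) return { status: 401, body: "unauthorized" };
    return handler(req);
  };
}

// Mutating endpoints are never allowed to be public; read-only ones may be.
const MUTATING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

function registerRoute(
  path: string,
  methods: string[],
  handler: Handler,
  opts: { public?: boolean } = {},
): { path: string; handler: Handler } {
  if (opts.public && methods.some((m) => MUTATING.has(m))) {
    throw new Error(`${path}: a mutating route cannot be registered as public`);
  }
  return { path, handler: opts.public ? handler : withAuthorization(handler) };
}

// CI-style source check: flag route files that reference neither
// authorizeRequest() nor withAuthorization(), skipping an explicit public list.
function findUnprotectedRoutes(
  files: Record<string, string>,
  publicRoutes: string[] = [],
): string[] {
  const marker = /\b(authorizeRequest|withAuthorization)\s*\(/;
  return Object.keys(files)
    .filter((f) => !publicRoutes.includes(f) && !marker.test(files[f]))
    .sort();
}

// Constructed route sources standing in for the repository's route files.
const CONSTRUCTED_ROUTE_SOURCES: Record<string, string> = {
  "src/app/api/sync/route.ts": "export async function POST() { return runSync(); }",
  "src/app/api/issues/route.ts": "export const GET = withAuthorization(() => listIssues());",
  "src/app/api/health/route.ts": "export function GET() { return ok(); }",
};

// Runs the three checks on a constructed unauthenticated POST /api/sync.
function demo(): { openInOidc: boolean; blockedWithoutToken: number; flagged: string[] } {
  const sync: Req = { method: "POST", path: "/api/sync", headers: {} };
  const route = registerRoute("/api/sync", ["POST"], () => ({ status: 200, body: "synced" }));
  return {
    openInOidc: weakMiddleware("oidc", sync) === "next",
    blockedWithoutToken: route.handler(sync).status,
    flagged: findUnprotectedRoutes(CONSTRUCTED_ROUTE_SOURCES, ["src/app/api/health/route.ts"]),
  };
}
```

The two halves address the finding from different sides: the wrapper removes the per-handler opportunity to forget the check, and the source scan turns the audit's manual "no auth check visible" review into a repeatable gate, with read-only public routes listed explicitly rather than discovered by omission.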