
Authentication bypass risk: oidc mode api routes (medium severity) #525

Description

@itsmiso-ai

Parent umbrella issue: #495
Source audit: Weekly tech debt audit: dispatch - 2026-07-01
Source audit date: 2026-07-01

Original recommendation

Authentication bypass risk: oidc mode api routes (medium severity)

Evidence: src/middleware.ts line 68 — in OIDC mode, all API routes are passed through without middleware auth: if (isApiRoute) { return NextResponse.next(); }. The route handlers are expected to call authorizeRequest(), but there are routes that do NOT call it:

  • src/app/api/sync/route.ts — no auth check visible in the route handler
  • src/app/api/sync/scheduled/route.ts — no explicit auth check
  • src/app/api/issues/groom/route.ts — legacy groom endpoint
  • Several other API endpoints rely on middleware-level protection in basic mode only

In OIDC mode, a missing authorizeRequest() call means the route is fully open. This is acceptable for some read-only endpoints, but mutating endpoints (sync, groom, issue move) without explicit auth could be exploited if the deployment exposes these ports.

Affected routes (potentially missing auth in OIDC mode): /api/sync, /api/sync/scheduled, /api/issues/groom, and endpoints that authenticate only via middleware (which skips API routes in OIDC mode).


Matched top finding

Identical to the original recommendation above.
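The middleware/handler split described in the finding, as an added example that is not the project's code: a minimal TypeScript model of the OIDC-mode pass-through beside a fail-closed variant, followed by a source scan that flags route files which never call authorizeRequest(). The stand-in token, the route sources, PUBLIC_API_ROUTES, requireAuth() and findUnprotectedRoutes() are assumptions made for the example, not the project's API.

```typescript
// Added example, not code from the project in this issue. Models the control flow
// in the finding: a Next.js-style middleware that decides per request whether to
// enforce auth, and route handlers expected to call authorizeRequest() themselves.
// All names, the token value and the route sources below are constructed stand-ins.

type AuthMode = "basic" | "oidc";
interface ApiRequest { method: string; path: string; headers: Record<string, string> }
interface ApiResponse { status: number; body: string }
type Handler = (req: ApiRequest) => ApiResponse;

// Stand-in for the project's authorizeRequest(): accepts one constructed bearer token.
const VALID_TOKEN = "Bearer valid-token";
function authorizeRequest(req: ApiRequest): boolean {
  return (req.headers["authorization"] ?? "") === VALID_TOKEN;
}

// Handlers as the finding describes them: sync and groom mutate state and never
// check auth themselves; issues/move does call authorizeRequest().
const syncHandler: Handler = () => ({ status: 200, body: "sync started" });
const groomHandler: Handler = () => ({ status: 200, body: "groomed" });
const moveHandler: Handler = (req) =>
  authorizeRequest(req) ? { status: 200, body: "moved" } : { status: 401, body: "unauthorized" };

const routes: Record<string, Handler> = {
  "/api/sync": syncHandler,
  "/api/issues/groom": groomHandler,
  "/api/issues/move": moveHandler,
};

// The pattern from the finding: in OIDC mode every /api/* request is passed
// through, so any handler that forgot authorizeRequest() is fully open.
function dispatchVulnerable(mode: AuthMode, req: ApiRequest): ApiResponse {
  const isApiRoute = req.path.startsWith("/api/");
  const passThrough = mode === "oidc" && isApiRoute;
  if (!passThrough && !authorizeRequest(req)) return { status: 401, body: "unauthorized" };
  const handler = routes[req.path];
  return handler ? handler(req) : { status: 404, body: "not found" };
}

// Fail-closed variant: the middleware enforces auth on every API route in every
// mode unless the path is on an explicit public allowlist (assumed), and
// requireAuth() wraps each mutating handler so a forgotten check is still caught.
const PUBLIC_API_ROUTES = new Set<string>(["/api/health"]);
function requireAuth(handler: Handler): Handler {
  return (req) => (authorizeRequest(req) ? handler(req) : { status: 401, body: "unauthorized" });
}
const hardenedRoutes: Record<string, Handler> = {
  "/api/sync": requireAuth(syncHandler),
  "/api/issues/groom": requireAuth(groomHandler),
  "/api/issues/move": moveHandler,
  "/api/health": () => ({ status: 200, body: "ok" }),
};
function dispatchHardened(_mode: AuthMode, req: ApiRequest): ApiResponse {
  if (!PUBLIC_API_ROUTES.has(req.path) && !authorizeRequest(req)) {
    return { status: 401, body: "unauthorized" };
  }
  const handler = hardenedRoutes[req.path];
  return handler ? handler(req) : { status: 404, body: "not found" };
}

// Inventory check for the "routes that do NOT call it" list: flag any file that
// exports an HTTP method handler but contains no authorizeRequest() call.
// Sources are constructed here; in a repo you would read src/app/api/**/route.ts.
const ROUTE_SOURCES: Record<string, string> = {
  "src/app/api/sync/route.ts":
    "export async function POST() { await runSync(); return Response.json({ ok: true }); }",
  "src/app/api/issues/groom/route.ts":
    "export async function POST(req: Request) { const body = await req.json(); return groom(body); }",
  "src/app/api/issues/move/route.ts":
    "export async function POST(req: Request) { await authorizeRequest(req); return move(req); }",
  "src/lib/sync.ts":
    "export async function runSync() { return 0; }",
};
const EXPORTS_HTTP_HANDLER = /export\s+(async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE)\b/;
const CALLS_AUTHORIZE = /\bauthorizeRequest\s*\(/;

function findUnprotectedRoutes(sources: Record<string, string>): string[] {
  return Object.entries(sources)
    .filter(([, src]) => EXPORTS_HTTP_HANDLER.test(src) && !CALLS_AUTHORIZE.test(src))
    .map(([file]) => file)
    .sort();
}
```

The scan is a tripwire, not proof: a call that sits in a comment passes it, and a handler that calls authorizeRequest() but ignores its result also passes. The wrapper is what actually closes the gap, because a handler registered without requireAuth() is visible in one place rather than spread across every route file.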

