Merged
29 changes: 29 additions & 0 deletions public/admin/dashboard.html
Expand Up @@ -452,6 +452,35 @@ <h3 class="text-lg font-bold text-purple-300 mb-4">Quick Actions</h3>
})();
});

// Validate token and initialize dashboard
async function validateAndInit() {
const token = localStorage.getItem('spiralsafe_admin_token') ||
sessionStorage.getItem('spiralsafe_admin_token');

try {
const response = await fetch(`${API_BASE}/admin/auth/me`, {
method: 'GET',
headers: {
'Authorization': `Bearer ${token}`,
'Accept': 'application/json'
}
});
Comment on lines +456 to +467
Copilot AI Feb 10, 2026

If validateAndInit() is intended to be the single entry point, it should explicitly handle the "no token" case before making the /admin/auth/me request. As written, a missing token will send Authorization: Bearer null, which is unnecessary and may cause confusing server logs/metrics; redirect to login (and clear storage) early when token is falsy.


if (!response.ok) {
// Invalid or expired token, clear it and redirect to login
logout();
return;
}

// Token is valid - initialize charts and load metrics
initCharts();
loadMetrics();
} catch (error) {
// On network or other errors, clear token and redirect to login
logout();
}
}
Comment on lines +455 to +482
Copilot AI Feb 10, 2026

validateAndInit() is added but never called (only its definition exists), and the dashboard already performs token validation inside the existing DOMContentLoaded IIFE above. This leaves dead/duplicated logic that can drift. Either call validateAndInit() from the DOMContentLoaded handler and remove the inline IIFE, or delete this new function and keep a single validation flow (optionally reusing logout() for the existing validation failure branches).


// Logout function
function logout() {
localStorage.removeItem('spiralsafe_admin_token');
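Review bot: the catch branch at the end of validateAndInit() treats a network failure exactly like an invalid token and calls logout(), which clears a possibly valid token from localStorage/sessionStorage on a transient outage of the /admin/auth/me endpoint; the same applies to the `if (!response.ok)` branch, which also fires on 5xx responses. Clear storage and redirect only on a definitive 401/403, and for other failures show an error or retry state instead of discarding the credential.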
3 changes: 3 additions & 0 deletions public/admin/login.html
Expand Up @@ -308,6 +308,9 @@ <h3 class="font-semibold text-cyan-400 mb-2">🔐 ATOM-AUTH: Conversational Cohe

if (response.ok && data.token) {
// Store token
// SECURITY NOTE: Storing tokens in localStorage/sessionStorage exposes them to XSS attacks.
// For production deployments, consider using httpOnly cookies set by the backend
// or implementing additional security measures (strict CSP, token rotation, etc.)
if (remember) {
localStorage.setItem('spiralsafe_admin_token', data.token);
} else {
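Review bot: the SECURITY NOTE added above the `if (remember)` block documents the XSS exposure of storing the token in localStorage/sessionStorage but changes nothing about it, and the comment's own recommendation (an httpOnly cookie set by the backend) is not implemented. State in the PR description, or in the comment itself, whether this is accepted risk or tracked follow-up work, so a future reader does not mistake the note for a mitigation.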
20 changes: 17 additions & 3 deletions public/api/index.html
Expand Up @@ -605,10 +605,24 @@ <h3 class="text-lg font-bold text-green-400 mb-2">RapiDoc</h3>
responseEl.classList.remove('hidden');
codeEl.textContent = 'Loading...';

const response = await fetch(`${API_BASE}/api/health`);
const data = await response.json();
// Demo mode: simulated response for interactive preview
// For production API calls, include X-API-Key header in your request
const simulatedResponse = {
Comment on lines +608 to +610
Copilot AI Feb 10, 2026

The PR title says "auth bypass", but this change (and the PR description) indicates the issue was an unauthenticated demo request causing auth failures and is now handled by simulating a response. Consider updating wording (either title or in-page comments) to avoid implying there was a bypass vulnerability when this was a demo/UX mismatch.

status: "healthy",
timestamp: new Date().toISOString(),
version: "1.0.0",
services: {
database: "operational",
cache: "operational",
queue: "operational"
},
_note: "Interactive demo - use curl or your preferred HTTP client with a valid X-API-Key header for actual results"
};

codeEl.textContent = JSON.stringify(data, null, 2);
// Simulate network delay
await new Promise(resolve => setTimeout(resolve, 500));

codeEl.textContent = JSON.stringify(simulatedResponse, null, 2);
hljs.highlightElement(codeEl);
} catch (error) {
codeEl.textContent = JSON.stringify({ error: error.message }, null, 2);
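Review bot: the hard-coded simulatedResponse (status, version "1.0.0", the three services) will silently drift from what /api/health actually returns, so the API documentation page may show a payload shape the real endpoint no longer produces; mark the output as a demo in the visible UI rather than only in the `_note` field, or generate the sample from the same schema the docs publish. Also, with the fetch and response.json() calls removed, the surrounding catch now only covers JSON.stringify and hljs.highlightElement failures, so `error.message` no longer reflects API-key or network errors as it did before.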