[pingrelay] Dashboard SSE endpoints have no authentication #26

New issue

Closed

opened 2026-02-25 03:03:28 +00:00 by ash · 0 comments

ash commented

2026-02-25 03:03:28 +00:00

Owner

Security Concern

The SSE dashboard endpoints (/sse/endpoints, /sse/stream, etc.) and the sseDeleteEndpoint handler have no authentication. They operate on a hardcoded "demo" org.

Impact

Anyone can list all demo endpoints
Anyone can delete any endpoint via DELETE /sse/endpoints/{id}
Anyone can create endpoints via POST /sse/endpoints
The SSE stream exposes all captured webhook data in real-time

Recommendation

Either:

Add auth to dashboard SSE endpoints (session cookies or API keys)
If demo mode is intentional, rate-limit and add a warning banner
Add ownership checks to sseDeleteEndpoint

Found by red team audit 2026-02-25.

## Security Concern The SSE dashboard endpoints (`/sse/endpoints`, `/sse/stream`, etc.) and the `sseDeleteEndpoint` handler have **no authentication**. They operate on a hardcoded `"demo"` org. ### Impact - Anyone can list all demo endpoints - Anyone can delete any endpoint via `DELETE /sse/endpoints/{id}` - Anyone can create endpoints via `POST /sse/endpoints` - The SSE stream exposes all captured webhook data in real-time ### Recommendation Either: 1. Add auth to dashboard SSE endpoints (session cookies or API keys) 2. If demo mode is intentional, rate-limit and add a warning banner 3. Add ownership checks to `sseDeleteEndpoint` Found by red team audit 2026-02-25.