[changebeacon] Dashboard endpoints have no authentication #29

New issue

Closed

opened 2026-02-25 03:03:28 +00:00 by ash · 0 comments

ash commented

2026-02-25 03:03:28 +00:00

Owner

Security Concern

The dashboard CRUD endpoints (DashboardCreateEntry, DashboardUpdateEntry, DashboardDeleteEntry) have no authentication. Anyone can:

Create entries in any project
Update any entry
Delete any entry

The API endpoints properly use auth.RequireAPIKey, but the Datastar SSE dashboard endpoints bypass auth entirely.

Recommendation

Add session-based auth or API key requirement to dashboard mutation endpoints.

Found by red team audit 2026-02-25.

## Security Concern The dashboard CRUD endpoints (`DashboardCreateEntry`, `DashboardUpdateEntry`, `DashboardDeleteEntry`) have **no authentication**. Anyone can: - Create entries in any project - Update any entry - Delete any entry The API endpoints properly use `auth.RequireAPIKey`, but the Datastar SSE dashboard endpoints bypass auth entirely. ### Recommendation Add session-based auth or API key requirement to dashboard mutation endpoints. Found by red team audit 2026-02-25.