Security: auth-methods-testing playground auto-enrolls the caller's real FACE/VOICE into prod (no admin guard) #225

Description

@ahmetabdullahgultekin

The dashboard 'auth-methods-testing' surface (meant as a training/testing playground) silently enrolls the caller's real biometrics into the production biometric store on the first not-enrolled/404 attempt, and the route has no admin/role gate.

Evidence (origin/main):

  • src/features/auth-methods-testing/puzzles/useAuthMethodPuzzleApi.ts — on isNotEnrolledError it calls the real enroll endpoints: face (~lines 118-120): biometric.enrollFace(u.id, image) -> POST /biometric/enroll/{userId}; voice (~lines 158-162): POST /biometric/voice/enroll/{userId}. There is no training-mode/flag gate around the enroll calls.
  • src/App.tsx:269 mounts the route under <ProtectedRoute> only (any logged-in user), NOT <AdminRoute> like admin-flows/enrollments.

Impact: any non-admin dashboard user can navigate there, attempt FACE/VOICE, and have their biometrics enrolled in prod without explicit consent.

Fix: wrap the route in <AdminRoute> AND/OR make the testing surface verify-only (never auto-enroll), or gate auto-enroll behind an explicit consent + a disposable/test account.
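As an added illustration of the verify-only behaviour and the role gate proposed above (example code written for this page, not the project's own hook or route components): the "not enrolled" error is surfaced to the caller instead of being answered with an enroll call, and enrolment is only attempted with explicit consent and only into a disposable test account that is not the caller's own identity. Every name here (BiometricClient, NotEnrolledError, TestingOptions, canAccessTestingSurface, the fake in-memory client) is an assumption made for the example; the client is synchronous so the block runs stand-alone.

```typescript
// Added example, not the project's code. All names below are assumptions.

export class NotEnrolledError extends Error {
  readonly status = 404;
  constructor(userId: string) {
    super(`no enrolled template for user ${userId}`);
    this.name = "NotEnrolledError";
  }
}

// Minimal shape of a biometric client (assumed; the real one is async).
export interface BiometricClient {
  verifyFace(userId: string, image: Uint8Array): boolean;
  enrollFace(userId: string, image: Uint8Array): void;
}

export interface TestingOptions {
  explicitEnrollConsent: boolean; // the user explicitly opted in to enrolment
  testAccountId?: string;         // disposable account that receives the template
}

export type PuzzleOutcome =
  | { kind: "verified"; match: boolean }
  | { kind: "not_enrolled" }
  | { kind: "enrolled_test_account"; testAccountId: string };

export function isNotEnrolledError(e: unknown): e is NotEnrolledError {
  return e instanceof NotEnrolledError;
}

// Route-level gate: only admins may reach the testing surface at all
// (the check an AdminRoute-style guard would apply before rendering).
export function canAccessTestingSurface(user: { roles: readonly string[] }): boolean {
  return user.roles.includes("admin");
}

// Verify-only puzzle step: a missing template is reported, not silently fixed by
// enrolling the caller's real biometric. Enrolment happens only with explicit
// consent and only into a disposable test account distinct from the caller.
export function tryFacePuzzle(
  client: BiometricClient,
  userId: string,
  image: Uint8Array,
  opts: TestingOptions = { explicitEnrollConsent: false },
): PuzzleOutcome {
  try {
    return { kind: "verified", match: client.verifyFace(userId, image) };
  } catch (e) {
    if (!isNotEnrolledError(e)) throw e; // unrelated failures propagate
    const target = opts.testAccountId;
    if (opts.explicitEnrollConsent && target && target !== userId) {
      client.enrollFace(target, image);
      return { kind: "enrolled_test_account", testAccountId: target };
    }
    return { kind: "not_enrolled" };
  }
}

// In-memory fake client, constructed for this example, so both paths can be
// exercised offline. Templates are compared byte-for-byte.
export function makeFakeClient(): BiometricClient & { templates: Map<string, Uint8Array> } {
  const templates = new Map<string, Uint8Array>();
  const same = (a: Uint8Array, b: Uint8Array): boolean =>
    a.length === b.length && a.every((v, i) => v === b[i]);
  return {
    templates,
    verifyFace(userId: string, image: Uint8Array): boolean {
      const t = templates.get(userId);
      if (!t) throw new NotEnrolledError(userId);
      return same(t, image);
    },
    enrollFace(userId: string, image: Uint8Array): void {
      templates.set(userId, image);
    },
  };
}
```

With the default options a not-enrolled caller gets `not_enrolled` back and the production store is untouched; passing the caller's own id as the test account is also rejected, so the only way a template is written is consent plus a separate disposable account.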

Source: MASTER_ISSUE_REGISTER_2026-06-03 (WEB-2), re-verified on origin/main 2026-06-13.

Metadata

Assignees

No one assigned

Labels

security (Security-sensitive correctness or hardening); surface/web (web-app: React dashboard + hosted login)
