Skip to content

🔐 Add auth tests & harden API security#51

Merged
pemulis merged 7 commits intooyaprotocol:mainfrom
KagemniKarimu:add-auth-tests
Oct 30, 2025
Merged

🔐 Add auth tests & harden API security#51
pemulis merged 7 commits intooyaprotocol:mainfrom
KagemniKarimu:add-auth-tests

Conversation

@KagemniKarimu
Copy link
Collaborator

@KagemniKarimu KagemniKarimu commented Oct 30, 2025
edited
Loading

Building upon #49, this PR adds 18 integration tests for bearer token authentication middleware and significantly hardens API security.

Mainly, the PR does two distinct things:

  1. Adds comprehensive auth tests (18 tests covering bearer token validation)
  2. Hardens security by removing internal POST endpoints that could allow external DB writes

Changes

  • Security Improvement: Removes internal POST endpoints (/bundle, /cid, /balance, /nonce, /vault/*). As @pemulis pointed out, this allowed external services with the API bearer token to write directly to the node's database (Big no no!). Only /intention remains as a public POST endpoint. Internal operations (bundle creation, balance updates, vault management) continue to work as direct function calls.
  • Testing: Comprehensive auth tests verify bearer token validation, endpoint protection, edge cases, and stateless authentication behavior.
  • Test Infrastructure: Creates shared test fixtures (testFixtures.ts) with addresses, endpoints, and sample data for reuse across test suites, reducing duplication. This can be gradually incorporated into other tests in separate PRs.

@KagemniKarimu
Merge branch 'main' into add-ratelimit-tests
ec02f31
@KagemniKarimu
✨ add shared test fixtures and constants
da8259b 
- Test addresses, vault IDs, and endpoint lists
- Centralized test data for reuse across test suites
@KagemniKarimu
✅ add comprehensive authentication integration tests
d381b7f 
- 18 tests covering bearer token validation
- Tests for all POST/GET endpoint protection
- Edge cases and stateless auth verification
- Reduced from 38 to 18 tests via consolidation
@KagemniKarimu KagemniKarimu changed the title Add auth tests 🔐 Add auth tests Oct 30, 2025
@KagemniKarimu KagemniKarimu mentioned this pull request Oct 30, 2025
Merged
@KagemniKarimu
🔒 remove internal POST endpoints, keep only /intention public
aa18e9c 
- Remove POST routes for /bundle, /cid, /balance, /nonce, /vault
- Only /intention remains as public POST endpoint
- Internal operations (bundle creation, balance updates, etc.) still work via direct function calls
- Prevents external services from writing to node database via HTTP
- Reduces attack surface while maintaining functionality
@KagemniKarimu
🎨 format routes.ts
7be1aea
@KagemniKarimu KagemniKarimu changed the title 🔐 Add auth tests 🔐 Add auth tests & harden API security Oct 30, 2025
@KagemniKarimu KagemniKarimu marked this pull request as ready for review October 30, 2025 04:32
@pemulis pemulis merged commit f9ee836 into oyaprotocol:main Oct 30, 2025
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pemulis pemulis pemulis approved these changes

@paulomilitante paulomilitante paulomilitante approved these changes

@dkuthoore dkuthoore Awaiting requested review from dkuthoore

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@KagemniKarimu @pemulis @paulomilitante