Skip to content

Fix API Authentication Bypass #7376

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 4, 2025
Merged

Fix API Authentication Bypass #7376

merged 3 commits into from
Oct 4, 2025

Conversation

@DawoudIO
Copy link
Contributor

@DawoudIO DawoudIO commented Oct 4, 2025
edited
Loading

Description & Issue number it closes

Screenshots (if appropriate)

http://localhost/api/persons/latest?bypass=api/public was returning the full API Payload and now it returns 401.

How to test the changes?

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

@DawoudIO DawoudIO requested a review from a team as a code owner October 4, 2025 16:23
@DawoudIO DawoudIO requested review from DAcodedBEAT, MrClever, bigtigerku, grayeul and respencer and removed request for a team October 4, 2025 16:23
@DawoudIO DawoudIO requested a review from Copilot October 4, 2025 16:25
@DawoudIO DawoudIO added this to the 5.19.0 milestone Oct 4, 2025
Copilot AI reviewed Oct 4, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes a critical security vulnerability where API authentication could be bypassed using query parameters. The issue was that the authentication check was performed on the entire URI (including query parameters) rather than just the path.

  • Changed authentication middleware to check only the URI path instead of the full URI
  • Prevents bypassing authentication by adding ?bypass=api/public as a query parameter

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@DawoudIO DawoudIO merged commit 3a1cffd into master Oct 4, 2025
9 checks passed
@DawoudIO DawoudIO deleted the security/public branch October 4, 2025 16:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@respencer respencer Awaiting requested review from respencer respencer is a code owner automatically assigned from ChurchCRM/developers

@grayeul grayeul Awaiting requested review from grayeul grayeul is a code owner automatically assigned from ChurchCRM/developers

@DAcodedBEAT DAcodedBEAT Awaiting requested review from DAcodedBEAT DAcodedBEAT is a code owner automatically assigned from ChurchCRM/developers

@MrClever MrClever Awaiting requested review from MrClever MrClever is a code owner automatically assigned from ChurchCRM/developers

@bigtigerku bigtigerku Awaiting requested review from bigtigerku bigtigerku is a code owner automatically assigned from ChurchCRM/developers

Assignees

No one assigned

Labels

bug Security

Projects

None yet

Milestone

5.19.0

Development

Successfully merging this pull request may close these issues.

2 participants

@DawoudIO