Description
Board data endpoints do not verify user authentication. Any unauthenticated request can access all user boards by guessing or enumerating board IDs.
Steps to Reproduce
- GET /api/boards/1 without authentication token
- Returns full board data including private user boards
- Enumerate board IDs to access all user data
Environment Information
- Endpoint: GET /api/boards/:id
- Authentication: Required but not enforced
- Visibility: Unauthorized access possible
Expected Behavior
All board endpoints require valid authentication. Return 401 Unauthorized if the token is missing or invalid.
Actual Behavior
File: src/api/boards.js
No authentication check: router.get('/boards/:id', (req, res) => {})
Code Reference
File: src/api/boards.js
Missing: Authentication middleware on board endpoints
Additional Context
Add authentication middleware and an ownership check (the board lookup is assumed; the report does not show it):
router.get('/boards/:id', authenticateToken, async (req, res) => {
  const board = await Board.findById(req.params.id); // lookup assumed, not shown in the report
  if (!board) return res.status(404).json({ error: 'Not found' });
  if (req.user.id !== board.userId) return res.status(403).json({ error: 'Forbidden' }); // send the response, not just set the status
  res.json(board);
});
GSSoC Points Estimate: Level 2 (Security/IDOR)
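As an added example (not the project's code), the route as reported beside the hardened route, run through a minimal Express-style middleware chain so it needs no dependencies; the session table, board store, authenticateToken, getBoard and handle are constructed for illustration.

```javascript
// Constructed sample data: a session table (token -> user) and a board store.
const SESSIONS = new Map([['tok-alice', { id: 'alice' }], ['tok-bob', { id: 'bob' }]]);
const BOARDS = {
  1: { id: 1, userId: 'alice', title: 'Alice private board' },
  2: { id: 2, userId: 'bob', title: 'Bob private board' },
};

// Authentication middleware: reject any request without a valid Bearer token (401).
function authenticateToken(req, res, next) {
  const header = (req.headers && req.headers.authorization) || '';
  const [scheme, token] = header.split(' ');
  if (scheme !== 'Bearer' || !token || !SESSIONS.has(token)) {
    return res.status(401).json({ error: 'Unauthorized' });
  }
  req.user = SESSIONS.get(token);
  next();
}

// Handler: authorization check after authentication. Authentication alone is not
// enough; without the ownership test any logged-in user could still enumerate boards.
function getBoard(req, res) {
  const board = BOARDS[req.params.id];
  if (!board) return res.status(404).json({ error: 'Not found' });
  if (board.userId !== req.user.id) return res.status(403).json({ error: 'Forbidden' });
  return res.json(board);
}

// Minimal stand-in for an Express response so the chain runs offline.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Run handlers the way Express does: each middleware must call next() to continue.
function handle(req, ...handlers) {
  const res = makeRes();
  let i = 0;
  const next = () => { if (i < handlers.length) handlers[i++](req, res, next); };
  next();
  return { status: res.statusCode, body: res.body };
}

// The route as reported: no middleware, no ownership check, so any request gets the board.
const vulnerableRoute = (req) => handle(req, (r, s) => s.json(BOARDS[r.params.id] || null));
// The fixed route: authenticateToken first, then the ownership check inside getBoard.
const hardenedRoute = (req) => handle(req, authenticateToken, getBoard);
```

Returning 404 for both a missing board and another user's board is a common alternative to 403 when the API should not confirm which IDs exist.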
Suggested Labels
- gssoc:approved
- type:bug
- severity:high
- area:security