Skip to content

security: add authentication to logs endpoint and filter by user #409

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
its-me-abhishek merged 2 commits into from
Jan 19, 2026
Merged

security: add authentication to logs endpoint and filter by user #409

its-me-abhishek merged 2 commits into from
Jan 19, 2026

Conversation

@cfsmp3
Copy link
Collaborator

@cfsmp3 cfsmp3 commented Jan 19, 2026

Summary

  • Add session authentication to /sync/logs endpoint
  • Filter logs by user UUID so users can only see their own logs
  • Return 401 Unauthorized for unauthenticated requests

Security Issue Addressed

Unauthenticated Logs Endpoint (Medium) - Previously, the /sync/logs endpoint had no authentication, allowing anyone to view sync operation logs. Logs could contain sensitive information like user UUIDs and operation details.

Changes

  • backend/controllers/get_logs.go:

    • Require valid session to access endpoint
    • Pass session store to handler
    • Filter logs by authenticated user's UUID

  • backend/models/logs.go:

    • Add GetLogsByUser() method to filter logs by SyncID (user UUID)

  • backend/main.go:

    • Update SyncLogsHandler call to pass session store

Test plan

  • Test authenticated users can view their own logs
  • Verify unauthenticated requests return 401
  • Verify users cannot see other users' logs

🤖 Generated with Claude Code

@github-actions
Copy link

github-actions bot commented Jan 19, 2026

Thank you for opening this PR!

Before a maintainer takes a look, it would be really helpful if you could walk through your changes using GitHub's review tools.

Please take a moment to:

  • Check the "Files changed" tab
  • Leave comments on any lines for functions, comments, etc. that are important, non-obvious, or may need attention
  • Clarify decisions you made or areas you might be unsure about and/or any future updates being considered.
  • Finally, submit all the comments!

More information on how to conduct a self review:
https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request

This helps make the review process smoother and gives us a clearer understanding of your thought process.

Once you've added your self-review, we'll continue from our side. Thank you!

its-me-abhishek
its-me-abhishek requested changes Jan 19, 2026
View reviewed changes
backend/controllers/get_logs.go Outdated
// Get user's UUID to filter logs
userUUID, _ := userInfo["uuid"].(string)

// Get the 'last' query parameter, default to 100
Copy link
Collaborator

@its-me-abhishek its-me-abhishek Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should also add a cap to the last value. one may request for a pretty big number which can cause crashes. Also maybe just maintain the same threshold, overall as well. To prevent unnecessary overheads

Copy link
Collaborator

@its-me-abhishek its-me-abhishek Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A hard cap of 20 should probably be enough

cfsmp3 and others added 2 commits January 19, 2026 12:55
@cfsmp3 @claude
security: add authentication to logs endpoint and filter by user
3512783 
Add session authentication to /sync/logs endpoint and filter logs
by user UUID so users can only see their own logs.

- Require valid session to access logs endpoint
- Add GetLogsByUser() to filter logs by user UUID
- Return 401 Unauthorized for unauthenticated requests
- Update SyncLogsHandler signature to accept session store

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@cfsmp3 @claude
fix: add hard cap of 20 to logs endpoint
ccba488 
- Change default from 100 to 20
- Enforce maximum of 20 entries regardless of request
- Prevents resource exhaustion from large requests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@cfsmp3 cfsmp3 force-pushed the security/auth-logs-endpoint branch from b3c5c38 to ccba488 Compare January 19, 2026 20:55
@cfsmp3
Copy link
Collaborator Author

cfsmp3 commented Jan 19, 2026

Addressed the feedback in commit ccba488:

  • Changed default from 100 to 20
  • Added hard cap of 20 entries - even if user requests more, they get max 20
  • This prevents resource exhaustion from large requests

The cap is enforced with a simple check after parsing the parameter.

@its-me-abhishek its-me-abhishek merged commit 848956b into main Jan 19, 2026
5 checks passed
@its-me-abhishek its-me-abhishek deleted the security/auth-logs-endpoint branch January 19, 2026 21:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@its-me-abhishek its-me-abhishek its-me-abhishek approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cfsmp3 @its-me-abhishek