Skip to content

fix: require authentication on user-balance stats endpoint#241

Open
Dextheking1 wants to merge 580 commits into
linux-do:mainfrom
Dextheking1:fix/auth-user-balance-stats
Open

fix: require authentication on user-balance stats endpoint#241
Dextheking1 wants to merge 580 commits into
linux-do:mainfrom
Dextheking1:fix/auth-user-balance-stats

Conversation

@Dextheking1

Copy link
Copy Markdown

Summary

The /api/v1/dashboard/stats/user-balance route is registered directly on apiV1Router (internal/router/router.go:156), outside the dashboardRouter group that applies oauth.LoginRequired().

Its two sibling dashboard-stats routes are gated:

dashboardRouter := apiV1Router.Group("/dashboard")
dashboardRouter.Use(oauth.LoginRequired())
{
    dashboardRouter.GET("/stats/daily", dashboard.GetDailyStats)
    dashboardRouter.GET("/stats/top-customers", dashboard.GetTopCustomers)
}

apiV1Router.GET("/dashboard/stats/user-balance", dashboard.GetUserBalanceStats) // <-- not gated

As a result this endpoint is reachable unauthenticated and returns aggregate balance statistics over all users (total user count, and sum/avg/median/min/max/stddev of available_balance).

Fix

Move the route into the dashboardRouter group so it inherits oauth.LoginRequired(). The route path is unchanged (/api/v1/dashboard/stats/user-balance); only the middleware chain changes.

Impact

Low: the data is aggregate only (no per-user PII), but it discloses the size and distribution of the credit economy to anonymous callers, and it is inconsistent with the other dashboard routes.

Testing

gofmt parses cleanly. I could not run a full go build locally (the module requires Go 1.26; I have 1.22 available), but the change is a one-line relocation of an existing route registration into a sibling group already in scope.

6512345 and others added 30 commits January 7, 2026 20:19
fix: the income and expand static which was displayed on the homepage is for 7 days.
feat: add a upright arrow icon to the new-paged link
fix: copy button on home does not work
feat: utilizing the service layer mechanism, a rate layer is establis…
fix: redenvelope api limit error
fix: rate release for API interception
Noxiven and others added 30 commits May 13, 2026 20:47
refactor(middlewares): enhance logging format in LoginRequired middle…
feat(risk): add risk block dialog and related components
fix(risk-warning-toast): enable close button and dismissible option
feat(risk): add risk items to risk response and update headers
refactor(oauth): centralize audit logging with `LogForAudit` function
fix(payment): preserve disputed quota and add csrf guard
feat(table-data): link app names to their homepage if URL is available
feat: implement probe services for scheduler and worker
fix(oauth): release conflicted username without disabling account
feat(admin): add order management and refund support
The /api/v1/dashboard/stats/user-balance route was registered directly
on apiV1Router, outside the dashboardRouter group that applies
oauth.LoginRequired(). Its two sibling dashboard stats routes
(/stats/daily, /stats/top-customers) are gated, but this one was
reachable unauthenticated, exposing aggregate balance statistics
(total user count, sum/avg/median/min/max/stddev of all balances).

Move the route into the dashboardRouter group so it inherits the same
authentication middleware. The route path is unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

9 participants