Make security policy mandatory per endpoint (#2118)

MarceloRGonc · web-flow · commit 6b9a581369dc · 2026-03-12T20:47:42.000Z
Fixes OPS-3899.
diff --git a/packages/server/api/src/app/app.ts b/packages/server/api/src/app/app.ts
@@ -114,7 +114,9 @@ export const setupApp = async (
   const openapiRoutePrefix = '/v1/openapi';
   app.addHook('onRoute', (route) => {
     if (route.url.startsWith(openapiRoutePrefix)) {
-      route.config ??= {};
+      route.config ??= {
+        security: PUBLIC_ROUTE_POLICY,
+      };
       route.config.skipAuth = true;
       route.config.security = PUBLIC_ROUTE_POLICY;
     }
diff --git a/packages/server/api/src/app/flows/flow/flow.controller.ts b/packages/server/api/src/app/flows/flow/flow.controller.ts
@@ -288,7 +288,7 @@ const UpdateFlowRequestOptions = {
   config: {
     security: getProjectScopedRoutePolicy({
       allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
-      permission: Permission.UPDATE_FLOW_STATUS,
+      permission: Permission.WRITE_FLOW,
     }),
   },
   schema: {
diff --git a/packages/server/api/types/fastify.d.ts b/packages/server/api/types/fastify.d.ts
@@ -17,7 +17,7 @@ declare module 'fastify' {
   // eslint-disable-next-line @typescript-eslint/consistent-type-definitions
   export interface FastifyContextConfig {
     rawBody?: boolean;
-    security?: RouteSecurityPolicy; // TODO change to mandatory
+    security: RouteSecurityPolicy;
 
     // TODO: Prepare deprecation of the following properties
     allowedPrincipals?: PrincipalType[];
