Security: Usage history and spending statistics are publicly accessible

[tomaioo]

Summary

Security: Usage history and spending statistics are publicly accessible

Problem

Severity: Medium | File: apps/api/src/billing/routes/usage/usage.router.ts:L12

Both usage routes (/v1/usage/history and /v1/usage/history/stats) are configured with SECURITY_NONE. These endpoints expose billing/usage-derived information for any provided wallet address, which can reveal sensitive behavioral and financial metadata at scale (profiling users, competitors, or high-value accounts).

Solution

Require authentication and authorization tied to the requesting user/wallet owner. If public analytics are intended, provide only coarse/aggregated data and remove per-address detailed outputs.

Changes

• apps/api/src/billing/routes/usage/usage.router.ts (modified)

Summary by CodeRabbit

• Documentation
  • Updated API documentation for usage endpoints to explicitly indicate bearer token authentication is required, improving clarity on endpoint security requirements for API consumers.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated OpenAPI security configuration for two usage endpoints (GET /v1/usage/history and GET /v1/usage/history/stats) by removing SECURITY_NONE import and adding explicit [{ bearerAuth: [] }] requirement, affecting only OpenAPI documentation metadata without runtime behavior changes.

Changes

Cohort / File(s)	Summary
OpenAPI Security Configuration apps/api/src/billing/routes/usage/usage.router.ts	Replaced SECURITY_NONE with explicit bearer token authentication requirement on usage endpoints, clarifying auth expectations in generated OpenAPI schema.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/api/src/billing/routes/usage/usage.router.ts`:
- Line 13: The OpenAPI "security: [{ bearerAuth: [] }]" metadata does not
enforce auth at runtime and AuthInterceptor allows unauthenticated requests, so
update the usage routes to require auth at runtime and validate ownership before
calling UsageController.getHistory: add middleware enforcement (e.g.,
usageRouter.use("/v1/usage/history", authMiddleware) and same for
"/v1/usage/history/stats") so requests must be authenticated, then in the route
handler (getUsageHistoryRoute) obtain the current user from context
(authService.currentUser or c.get("user")) and verify they own the queried
address (call a method like currentUser.ownsWalletAddress(address) or compare
user id to wallet owner) and throw a 403 if not, only then call
UsageController.getHistory(address, startDate, endDate).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bb520ad9-237e-42ce-a5a1-4eabf3816029

📥 Commits

Reviewing files that changed from the base of the PR and between db24592 and a690415.

📒 Files selected for processing (1)

• apps/api/src/billing/routes/usage/usage.router.ts

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# 1) How is usageRouter mounted? Any middleware wrapping it?
rg -nP --type=ts -C3 '\busageRouter\b'

# 2) Any auth middleware already in the api app?
fd -e ts . apps/api/src | xargs rg -nP -l '\b(auth|bearer|requireAuth|currentUser|authenticate)\b' | head -50
rg -nP --type=ts -C3 '\b(bearerAuth|requireAuth|authMiddleware|authenticate)\s*\(' apps/api/src | head -80

# 3) How do OTHER billing routes enforce auth? Compare security + middleware usage.
fd -e ts 'router' apps/api/src/billing/routes | xargs rg -nP -C2 'security\s*:|\.use\('

# 4) Does UsageController do any ownership/authorization check on `address`?
rg -nP --type=ts -C5 'class UsageController|getHistory\s*\(|getHistoryStats\s*\('

# 5) Confirm `@hono/zod-openapi` `security` is docs-only (no runtime enforcement hook).
rg -nP -C3 "security" node_modules/@hono/zod-openapi/dist 2>/dev/null | head -40

Repository: akash-network/console

Length of output: 47588

---

🏁 Script executed:

#!/bin/bash
# Search for how other billing routes handle authentication at runtime
# Look for middleware application patterns

# Check wallet-settings router implementation
fd -e ts wallet-settings apps/api/src/billing/routes | xargs cat | head -150

# Check stripe-transactions router implementation  
fd -e ts stripe-transactions apps/api/src/billing/routes | xargs cat | head -150

Repository: akash-network/console

Length of output: 8247

---

🏁 Script executed:

#!/bin/bash
# Check rest-app.ts for auth middleware setup
cat apps/api/src/rest-app.ts | head -200

# Also look for auth.provider or similar middleware setup
fd -e ts auth apps/api/src/core | head -20
fd -e ts middleware apps/api/src | xargs ls -la

Repository: akash-network/console

Length of output: 7707

---

🏁 Script executed:

#!/bin/bash
# Check AuthInterceptor implementation
cat apps/api/src/auth/services/auth.interceptor.ts

# Also check if there's a way to get current user context
rg -nP --type=ts 'currentUser|getCurrentUser' apps/api/src/auth | head -30

Repository: akash-network/console

Length of output: 7246

---

🏁 Script executed:

#!/bin/bash
# Check if other routes that take an address parameter validate ownership
# Look at getBalancesRouter since it's another billing route
fd -e ts get-balances apps/api/src/billing/routes | xargs cat

# Check what the controllers do with address - especially wallet-settings to see the contrast
fd -e ts wallet-settings apps/api/src/billing/controllers | xargs cat | head -100

Repository: akash-network/console

Length of output: 4659

---

🏁 Script executed:

#!/bin/bash
# Confirm: check if usage router has any direct auth enforcement or if address is validated
cat apps/api/src/billing/controllers/usage/usage.controller.ts

# Check if there's any ownership validation in the repository or service
rg -nP 'resolveAddresses|ownsWallet|authorization|currentUser' apps/api/src/billing/services/usage/usage.service.ts
rg -nP 'resolveAddresses|ownsWallet|authorization|currentUser' apps/api/src/billing/repositories/usage/usage.repository.ts

Repository: akash-network/console

Length of output: 901

---

🏁 Script executed:

#!/bin/bash
# Final verification: confirm that usageRouter has NO middleware and routes are truly public
# Check rest-app.ts more closely for any conditional routing or middleware specific to usageRouter
rg -nP -B5 -A5 'usageRouter' apps/api/src/rest-app.ts | grep -A 10 -B 10 'usageRouter'

Repository: akash-network/console

Length of output: 749

---

Fix is cosmetic — routes remain publicly accessible and lack authorization checks.

The security: [{ bearerAuth: [] }] field in @hono/zod-openapi is pure OpenAPI documentation metadata; it does not enforce authentication at runtime. The AuthInterceptor applied globally allows unauthenticated requests to proceed (the currentUser context is simply undefined). A request to /v1/usage/history?address=akash1... with no Authorization header will still reach UsageController.getHistory() and return that wallet's data.

Additionally, even if bearer auth were enforced, there is no authorization check. Any authenticated user can request ?address=<any-wallet> and access that wallet's billing history (IDOR).

Compare to walletSettingRouter: protected routes implicitly use authService.currentUser.id, making ownership implicit. The usage routes must explicitly validate the authenticated user owns the queried address:

usageRouter.use("/v1/usage/history", authMiddleware);
usageRouter.use("/v1/usage/history/stats", authMiddleware);

usageRouter.openapi(getUsageHistoryRoute, async (c) => {
  const { address, startDate, endDate } = c.req.valid("query");
  const currentUser = c.get("user");
  if (!currentUser?.ownsWalletAddress(address)) {
    throw createHttpError(403, "Forbidden");
  }
  const usageHistory = await container.resolve(UsageController).getHistory(address, startDate!, endDate!);
  return c.json(usageHistory);
});

Without both authentication enforcement and address ownership validation, this remains unresolved.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/api/src/billing/routes/usage/usage.router.ts` at line 13, The OpenAPI
"security: [{ bearerAuth: [] }]" metadata does not enforce auth at runtime and
AuthInterceptor allows unauthenticated requests, so update the usage routes to
require auth at runtime and validate ownership before calling
UsageController.getHistory: add middleware enforcement (e.g.,
usageRouter.use("/v1/usage/history", authMiddleware) and same for
"/v1/usage/history/stats") so requests must be authenticated, then in the route
handler (getUsageHistoryRoute) obtain the current user from context
(authService.currentUser or c.get("user")) and verify they own the queried
address (call a method like currentUser.ownsWalletAddress(address) or compare
user id to wallet owner) and throw a 403 if not, only then call
UsageController.getHistory(address, startDate, endDate).