Security: Usage history and spending statistics are publicly accessible #3077

coderabbitai · 2026-04-17T12:27:48Z

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash # 1) How is usageRouter mounted? Any middleware wrapping it? rg -nP --type=ts -C3 '\busageRouter\b' # 2) Any auth middleware already in the api app? fd -e ts . apps/api/src | xargs rg -nP -l '\b(auth|bearer|requireAuth|currentUser|authenticate)\b' | head -50 rg -nP --type=ts -C3 '\b(bearerAuth|requireAuth|authMiddleware|authenticate)\s*\(' apps/api/src | head -80 # 3) How do OTHER billing routes enforce auth? Compare security + middleware usage. fd -e ts 'router' apps/api/src/billing/routes | xargs rg -nP -C2 'security\s*:|\.use\(' # 4) Does UsageController do any ownership/authorization check on `address`? rg -nP --type=ts -C5 'class UsageController|getHistory\s*\(|getHistoryStats\s*\(' # 5) Confirm `@hono/zod-openapi` `security` is docs-only (no runtime enforcement hook). rg -nP -C3 "security" node_modules/@hono/zod-openapi/dist 2>/dev/null | head -40

Repository: akash-network/console

Length of output: 47588

🏁 Script executed:

#!/bin/bash # Search for how other billing routes handle authentication at runtime # Look for middleware application patterns # Check wallet-settings router implementation fd -e ts wallet-settings apps/api/src/billing/routes | xargs cat | head -150 # Check stripe-transactions router implementation fd -e ts stripe-transactions apps/api/src/billing/routes | xargs cat | head -150

Repository: akash-network/console

Length of output: 8247

🏁 Script executed:

#!/bin/bash # Check rest-app.ts for auth middleware setup cat apps/api/src/rest-app.ts | head -200 # Also look for auth.provider or similar middleware setup fd -e ts auth apps/api/src/core | head -20 fd -e ts middleware apps/api/src | xargs ls -la

Repository: akash-network/console

Length of output: 7707

🏁 Script executed:

#!/bin/bash # Check AuthInterceptor implementation cat apps/api/src/auth/services/auth.interceptor.ts # Also check if there's a way to get current user context rg -nP --type=ts 'currentUser|getCurrentUser' apps/api/src/auth | head -30

Repository: akash-network/console

Length of output: 7246

🏁 Script executed:

#!/bin/bash # Check if other routes that take an address parameter validate ownership # Look at getBalancesRouter since it's another billing route fd -e ts get-balances apps/api/src/billing/routes | xargs cat # Check what the controllers do with address - especially wallet-settings to see the contrast fd -e ts wallet-settings apps/api/src/billing/controllers | xargs cat | head -100

Repository: akash-network/console

Length of output: 4659

🏁 Script executed:

#!/bin/bash # Confirm: check if usage router has any direct auth enforcement or if address is validated cat apps/api/src/billing/controllers/usage/usage.controller.ts # Check if there's any ownership validation in the repository or service rg -nP 'resolveAddresses|ownsWallet|authorization|currentUser' apps/api/src/billing/services/usage/usage.service.ts rg -nP 'resolveAddresses|ownsWallet|authorization|currentUser' apps/api/src/billing/repositories/usage/usage.repository.ts

Repository: akash-network/console

Length of output: 901

🏁 Script executed:

#!/bin/bash # Final verification: confirm that usageRouter has NO middleware and routes are truly public # Check rest-app.ts more closely for any conditional routing or middleware specific to usageRouter rg -nP -B5 -A5 'usageRouter' apps/api/src/rest-app.ts | grep -A 10 -B 10 'usageRouter'

Repository: akash-network/console

Length of output: 749

Fix is cosmetic — routes remain publicly accessible and lack authorization checks.

The security: [{ bearerAuth: [] }] field in @hono/zod-openapi is pure OpenAPI documentation metadata; it does not enforce authentication at runtime. The AuthInterceptor applied globally allows unauthenticated requests to proceed (the currentUser context is simply undefined). A request to /v1/usage/history?address=akash1... with no Authorization header will still reach UsageController.getHistory() and return that wallet's data.

Additionally, even if bearer auth were enforced, there is no authorization check. Any authenticated user can request ?address=<any-wallet> and access that wallet's billing history (IDOR).

Compare to walletSettingRouter: protected routes implicitly use authService.currentUser.id, making ownership implicit. The usage routes must explicitly validate the authenticated user owns the queried address:

usageRouter.use("/v1/usage/history", authMiddleware); usageRouter.use("/v1/usage/history/stats", authMiddleware); usageRouter.openapi(getUsageHistoryRoute, async (c) => { const { address, startDate, endDate } = c.req.valid("query"); const currentUser = c.get("user"); if (!currentUser?.ownsWalletAddress(address)) { throw createHttpError(403, "Forbidden"); } const usageHistory = await container.resolve(UsageController).getHistory(address, startDate!, endDate!); return c.json(usageHistory); });

Without both authentication enforcement and address ownership validation, this remains unresolved.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@apps/api/src/billing/routes/usage/usage.router.ts` at line 13, The OpenAPI "security: [{ bearerAuth: [] }]" metadata does not enforce auth at runtime and AuthInterceptor allows unauthenticated requests, so update the usage routes to require auth at runtime and validate ownership before calling UsageController.getHistory: add middleware enforcement (e.g., usageRouter.use("/v1/usage/history", authMiddleware) and same for "/v1/usage/history/stats") so requests must be authenticated, then in the route handler (getUsageHistoryRoute) obtain the current user from context (authService.currentUser or c.get("user")) and verify they own the queried address (call a method like currentUser.ownsWalletAddress(address) or compare user id to wallet owner) and throw a 403 if not, only then call UsageController.getHistory(address, startDate, endDate).

-Original file line number
+Diff line change
@@ Expand Up @@
     import { GetUsageHistoryQuerySchema, UsageHistoryResponseSchema, UsageHistoryStatsResponseSchema } from "@src/billing/http-schemas/usage.schema";
     import { createRoute } from "@src/core/lib/create-route/create-route";
     import { OpenApiHonoHandler } from "@src/core/services/open-api-hono-handler/open-api-hono-handler";
-    import { SECURITY_NONE } from "@src/core/services/openapi-docs/openapi-security";
     const getUsageHistoryRoute = createRoute({
       method: "get",
       path: "/v1/usage/history",
       summary: "Get historical data of billing and usage for a wallet address.",
       tags: ["Billing"],
-      security: SECURITY_NONE,
+      security: [{ bearerAuth: [] }],
       request: {
         query: GetUsageHistoryQuerySchema
@@ Expand All / @@ -36,7 +35,7 @@ const getUsageHistoryStatsRoute = createRoute({ @@
       path: "/v1/usage/history/stats",
       summary: "Get historical usage stats for a wallet address.",
       tags: ["Billing"],
-      security: SECURITY_NONE,
+      security: [{ bearerAuth: [] }],
       request: {
         query: GetUsageHistoryQuerySchema
       },
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: Usage history and spending statistics are publicly accessible #3077

Diff view

Diff view

There are no files selected for viewing

coderabbitai bot Apr 17, 2026

Uh oh!

Uh oh!

Security: Usage history and spending statistics are publicly accessible #3077

Are you sure you want to change the base?

Security: Usage history and spending statistics are publicly accessible #3077

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

coderabbitai bot Apr 17, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!