sneak/upaas
1
0
Fork 0
Code Issues 6 Pull Requests Actions Packages Projects Releases 1 Wiki Activity

fix: disable API v1 write methods (closes #112) #115

Merged
sneak merged 1 commits from fix/disable-api-write-methods into main 2026-02-20 14:35:13 +01:00
Conversation 1 Commits 1 Files Changed 4 +24 -268
clawbot commented 2026-02-20 14:33:17 +01:00
Collaborator
Copy Link

Summary

Remove API v1 write methods (POST /apps, DELETE /apps/{id}, POST /apps/{id}/deploy) that used cookie-based session auth without CSRF protection.

Read-only endpoints, login, and whoami are retained.

Closes #112

make check output

==> Checking formatting...
==> Running linter...
golangci-lint run --config .golangci.yml ./...
0 issues.
==> Running tests...
go test -v -race ./...
[all tests pass]
==> Building...
go build -ldflags "-X main.Version=4217e62-dirty -X main.Buildarch=arm64" -o /dev/null ./cmd/upaasd
==> All checks passed!
## Summary Remove API v1 write methods (POST /apps, DELETE /apps/{id}, POST /apps/{id}/deploy) that used cookie-based session auth without CSRF protection. Read-only endpoints, login, and whoami are retained. Closes #112 ## make check output ``` ==> Checking formatting... ==> Running linter... golangci-lint run --config .golangci.yml ./... 0 issues. ==> Running tests... go test -v -race ./... [all tests pass] ==> Building... go build -ldflags "-X main.Version=4217e62-dirty -X main.Buildarch=arm64" -o /dev/null ./cmd/upaasd ==> All checks passed! ```
clawbot added 1 commit 2026-02-20 14:33:18 +01:00
fix: disable API v1 write methods (closes #112)
All checks were successful
Check / check (pull_request) Successful in 11m21s
Details
ab7c43b887 
Remove POST /apps, DELETE /apps/{id}, and POST /apps/{id}/deploy from
the API v1 route group. These endpoints used cookie-based session auth
without CSRF protection, creating a CSRF vulnerability.

Read-only endpoints (GET /apps, GET /apps/{id}, GET /apps/{id}/deployments),
login, and whoami are retained.

Removed handlers: HandleAPICreateApp, HandleAPIDeleteApp,
HandleAPITriggerDeploy, along with apiCreateRequest struct and
validateCreateRequest function.

Updated tests to use service layer directly for app creation in
remaining read-only endpoint tests.
clawbot requested review from sneak 2026-02-20 14:33:24 +01:00
sneak was assigned by clawbot 2026-02-20 14:33:25 +01:00
sneak merged commit ab526fc93d into main 2026-02-20 14:35:13 +01:00
clawbot commented 2026-02-20 14:35:13 +01:00
Author
Collaborator
Copy Link

Code Review: PR #115 — Disable API v1 Write Methods

Result: LGTM — Ready for merge

Checklist

  • No linter/test config files modified
  • Write endpoints fully removed (not commented out): POST /apps, DELETE /apps/{id}, POST /apps/{id}/deploy
  • Handler methods removed: HandleAPICreateApp, HandleAPIDeleteApp, HandleAPITriggerDeploy, validateCreateRequest, apiCreateRequest
  • Routes removed from internal/server/routes.go
  • Dead imports cleaned up (context, app service in api.go)
  • Tests updated: removed tests for deleted endpoints, retained tests refactored to use service layer for setup
  • apiRequest helper narrowed to apiGet — clean simplification
  • No frontend templates or static JS reference the removed endpoints
  • make check passes cleanly (all tests pass, build succeeds, lint clean)

Clean, focused removal of CSRF-vulnerable write endpoints. No regressions.

## Code Review: PR #115 — Disable API v1 Write Methods **Result: ✅ LGTM — Ready for merge** ### Checklist - ✅ No linter/test config files modified - ✅ Write endpoints fully removed (not commented out): `POST /apps`, `DELETE /apps/{id}`, `POST /apps/{id}/deploy` - ✅ Handler methods removed: `HandleAPICreateApp`, `HandleAPIDeleteApp`, `HandleAPITriggerDeploy`, `validateCreateRequest`, `apiCreateRequest` - ✅ Routes removed from `internal/server/routes.go` - ✅ Dead imports cleaned up (`context`, `app` service in api.go) - ✅ Tests updated: removed tests for deleted endpoints, retained tests refactored to use service layer for setup - ✅ `apiRequest` helper narrowed to `apiGet` — clean simplification - ✅ No frontend templates or static JS reference the removed endpoints - ✅ `make check` passes cleanly (all tests pass, build succeeds, lint clean) Clean, focused removal of CSRF-vulnerable write endpoints. No regressions.
Sign in to join this conversation.
Reviewers
No Reviewers
sneak
Labels
Clear labels
bot
Agent's turn to work
 bug
Something is not working
 duplicate
This issue or pull request already exists
 enhancement
New feature
 help wanted
Need some help
 invalid
Something is wrong
 merge-ready
All checks pass, reviewed, rebased, ready for merge
 needs-checks
make check does not pass cleanly
 needs-rebase
PR has merge conflicts or is behind main
 needs-review
Code review not yet done
 needs-rework
Code review found issues to fix
 notplanned
question
More information is needed
 wontfix
This won't be fixed
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
clawbot sneak
No Assignees sneak
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: sneak/upaas#115
Delete Branch "fix/disable-api-write-methods"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?