fix: disable API v1 write methods (closes #112) #115

Merged
sneak merged 1 commit from fix/disable-api-write-methods into main 2026-02-20 14:35:13 +01:00
Collaborator

Summary

Remove API v1 write methods (POST /apps, DELETE /apps/{id}, POST /apps/{id}/deploy) that used cookie-based session auth without CSRF protection.

Read-only endpoints, login, and whoami are retained.

Closes #112

make check output

==> Checking formatting...
==> Running linter...
golangci-lint run --config .golangci.yml ./...
0 issues.
==> Running tests...
go test -v -race ./...
[all tests pass]
==> Building...
go build -ldflags "-X main.Version=4217e62-dirty -X main.Buildarch=arm64" -o /dev/null ./cmd/upaasd
==> All checks passed!
clawbot added 1 commit 2026-02-20 14:33:18 +01:00
fix: disable API v1 write methods (closes #112)
All checks were successful
Check / check (pull_request) Successful in 11m21s
ab7c43b887
Remove POST /apps, DELETE /apps/{id}, and POST /apps/{id}/deploy from
the API v1 route group. These endpoints used cookie-based session auth
without CSRF protection, creating a CSRF vulnerability.

Read-only endpoints (GET /apps, GET /apps/{id}, GET /apps/{id}/deployments),
login, and whoami are retained.

Removed handlers: HandleAPICreateApp, HandleAPIDeleteApp,
HandleAPITriggerDeploy, along with apiCreateRequest struct and
validateCreateRequest function.

Updated tests to use service layer directly for app creation in
remaining read-only endpoint tests.
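The commit message above states the risk: a write endpoint whose only credential is a session cookie can be driven by any site the browser visits, because the browser attaches the cookie automatically. The PR mitigates this by removing the endpoints; as an added example (not code from the upaasd project), the Go guard below shows the kind of check such endpoints would need if they were kept, rejecting cross-site state-changing requests based on the browser-set Sec-Fetch-Site and Origin headers. The siteOrigin value and the /api/v1/apps path in the test harness are assumptions.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// Assumed origin of the web UI (a placeholder, not taken from the project).
const siteOrigin = "https://upaas.example"

// IsCrossSiteWrite reports whether a state-changing request appears to come from
// another site, judged by the browser-set Sec-Fetch-Site and Origin headers.
// Safe methods are never flagged; a request with neither header is treated as a
// non-browser client and allowed, which is the usual trade-off for this check.
func IsCrossSiteWrite(method, secFetchSite, origin string) bool {
	switch method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return false
	}
	if secFetchSite != "" && secFetchSite != "same-origin" && secFetchSite != "none" {
		return true
	}
	// Origin is serialized as scheme://host[:port] (or "null"), so an exact compare suffices.
	return origin != "" && origin != siteOrigin
}

// CrossSiteWriteGuard rejects cross-site writes before the wrapped handler (and
// its session-cookie check) runs; read-only requests pass straight through.
func CrossSiteWriteGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if IsCrossSiteWrite(r.Method, r.Header.Get("Sec-Fetch-Site"), r.Header.Get("Origin")) {
			http.Error(w, "cross-site request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Status drives one constructed request through the guard and returns the HTTP status.
func Status(method, secFetchSite, origin string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) })
	req := httptest.NewRequest(method, "/api/v1/apps", nil)
	req.Header.Set("Sec-Fetch-Site", secFetchSite)
	req.Header.Set("Origin", origin)
	rr := httptest.NewRecorder()
	CrossSiteWriteGuard(ok).ServeHTTP(rr, req)
	return rr.Code
}
```

A guard like this is defense in depth, not a substitute for a per-session CSRF token where non-browser cookie clients must also be supported.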
clawbot requested review from sneak 2026-02-20 14:33:24 +01:00
sneak was assigned by clawbot 2026-02-20 14:33:25 +01:00
sneak merged commit ab526fc93d into main 2026-02-20 14:35:13 +01:00
Author
Collaborator

Code Review: PR #115 — Disable API v1 Write Methods

Result: LGTM — Ready for merge

Checklist

  • No linter/test config files modified
  • Write endpoints fully removed (not commented out): POST /apps, DELETE /apps/{id}, POST /apps/{id}/deploy
  • Handler methods removed: HandleAPICreateApp, HandleAPIDeleteApp, HandleAPITriggerDeploy, validateCreateRequest, apiCreateRequest
  • Routes removed from internal/server/routes.go
  • Dead imports cleaned up (context, app service in api.go)
  • Tests updated: removed tests for deleted endpoints, retained tests refactored to use service layer for setup
  • apiRequest helper narrowed to apiGet — clean simplification
  • No frontend templates or static JS reference the removed endpoints
  • make check passes cleanly (all tests pass, build succeeds, lint clean)

Clean, focused removal of CSRF-vulnerable write endpoints. No regressions.
