upaas

History

user ab7c43b887 All checks were successful Check / check (pull_request) Successful in 11m21s Details fix: disable API v1 write methods (closes #112 ) Remove POST /apps, DELETE /apps/{id}, and POST /apps/{id}/deploy from the API v1 route group. These endpoints used cookie-based session auth without CSRF protection, creating a CSRF vulnerability. Read-only endpoints (GET /apps, GET /apps/{id}, GET /apps/{id}/deployments), login, and whoami are retained. Removed handlers: HandleAPICreateApp, HandleAPIDeleteApp, HandleAPITriggerDeploy, along with apiCreateRequest struct and validateCreateRequest function. Updated tests to use service layer directly for app creation in remaining read-only endpoint tests.	2026-02-20 05:33:07 -08:00
..
routes.go	fix: disable API v1 write methods (closes #112 )	2026-02-20 05:33:07 -08:00
server.go	Initial commit with server startup infrastructure	2025-12-29 15:46:03 +07:00

Check / check (pull_request) Successful in 11m21s

Details

fix: disable API v1 write methods (closes #112 )

Remove POST /apps, DELETE /apps/{id}, and POST /apps/{id}/deploy from
the API v1 route group. These endpoints used cookie-based session auth
without CSRF protection, creating a CSRF vulnerability.

Read-only endpoints (GET /apps, GET /apps/{id}, GET /apps/{id}/deployments),
login, and whoami are retained.

Removed handlers: HandleAPICreateApp, HandleAPIDeleteApp,
HandleAPITriggerDeploy, along with apiCreateRequest struct and
validateCreateRequest function.

Updated tests to use service layer directly for app creation in
remaining read-only endpoint tests.

2026-02-20 05:33:07 -08:00

routes.go

fix: disable API v1 write methods (closes #112 )

2026-02-20 05:33:07 -08:00

server.go

Initial commit with server startup infrastructure

2025-12-29 15:46:03 +07:00