mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(#290): Secure identity verification endpoint
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details
ci/woodpecker/pr/woodpecker Pipeline failed
Details

Browse Source 
Added @UseGuards(AuthGuard) and rate limiting (@Throttle) to
/api/v1/federation/identity/verify endpoint. Configured strict
rate limit (10 req/min) to prevent abuse of this previously
public endpoint. Added test to verify guards are applied.

Security improvement: Prevents unauthorized access and rate limit
abuse of identity verification endpoint.

Fixes #290

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-03 21:36:31 -06:00
parent 77d1d14e08
commit 1390da2e74
2 changed files with 13 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
apps/api/src/federation/identity-linking.controller.spec.ts
View File

@@ -90,6 +90,15 @@ describe("IdentityLinkingController", () => {
});
describe("POST /identity/verify", () => {
it("should have AuthGuard and Throttle decorators applied", () => {
// Verify that the endpoint has proper guards and rate limiting
const verifyMetadata = Reflect.getMetadata(
"__guards__",
IdentityLinkingController.prototype.verifyIdentity
);
expect(verifyMetadata).toBeDefined();
});
it("should verify identity with valid request", async () => {
const dto: VerifyIdentityDto = {
localUserId: "local-user-id",

4
apps/api/src/federation/identity-linking.controller.ts
View File

@@ -5,6 +5,7 @@
*/
import { Controller, Post, Get, Patch, Delete, Body, Param, UseGuards } from "@nestjs/common";
import { Throttle } from "@nestjs/throttler";
import { AuthGuard } from "../auth/guards/auth.guard";
import { IdentityLinkingService } from "./identity-linking.service";
import { IdentityResolutionService } from "./identity-resolution.service";
@@ -45,8 +46,11 @@ export class IdentityLinkingController {
*
* Verify a user's identity from a remote instance.
* Validates signature and OIDC token.
* Rate limit: "strict" tier (10 req/min) - public endpoint requiring authentication
*/
@Post("verify")
@UseGuards(AuthGuard)
@Throttle({ strict: { limit: 10, ttl: 60000 } })
async verifyIdentity(@Body() dto: VerifyIdentityDto): Promise<IdentityVerificationResponse> {
return this.identityLinkingService.verifyIdentity(dto);
}