Skip to content

Security/unexpected auth header guard#356

Open
martinshub-tech wants to merge 7 commits into
ChainForgee:mainfrom
martinshub-tech:security/unexpected-auth-header-guard
Open

Security/unexpected auth header guard#356
martinshub-tech wants to merge 7 commits into
ChainForgee:mainfrom
martinshub-tech:security/unexpected-auth-header-guard

Conversation

@martinshub-tech

@martinshub-tech martinshub-tech commented Jul 16, 2026

Copy link
Copy Markdown

Closes #214

Description
This PR addresses a potential authorization bypass security issue where routes without a @roles() decorator (undecorated routes) would silently accept and ignore an Authorization header containing credentials. Under the new defense-in-depth security posture, any undecorated route that receives an unexpected Authorization credential will automatically be rejected with 401 Unauthorized.

To bypass this check for intentionally public anonymous routes, developers can opt-in explicitly using @NoAuthStrict() or specify path exceptions in the PUBLIC_AUTH_BYPASS environment variable. A CI check (nestjs-route-doctor) enforces this rule.

Changes Made
Guards & Decorators:
Created @NoAuthStrict() decorator to explicitly opt-in to public anonymous access for routes.
Implemented UnexpectedAuthHeaderGuard which intercepts and rejects Authorization headers on undecorated endpoints.
Registered UnexpectedAuthHeaderGuard globally in AppModule.
CI Lint Check (nestjs-route-doctor):
Built a command-line script to inspect routes at boot time and verify they are either decorated (with @roles() or @NoAuthStrict()) or bypassed via the PUBLIC_AUTH_BYPASS list.
Added pnpm run nestjs-route-doctor to scripts in package.json.
Integrated the route doctor scan as a lint step in .github/workflows/backend-ci.yml.
Test Optimization:
Added detailed e2e test cases in security.e2e-spec.ts.
Created lightweight mocks for ioredis and @nestjs/bullmq in the e2e test environment to prevent infinite Redis connection retries on local/CI tests.

Copy link
Copy Markdown
Contributor

Hi 👋 Appreciate this PR! The CI is flagging a failing check — could you take a peek at the failed job and push a fix? Happy to help if you need a hand 🙏

@martinshub-tech

Copy link
Copy Markdown
Author

Hi 👋 Appreciate this PR! The CI is flagging a failing check — could you take a peek at the failed job and push a fix? Happy to help if you need a hand 🙏

okay..please help

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Reject Authorization headers on routes that do not expect them

2 participants