Summary
The requireWhipAuth hook in api_whip.ts and api_whep.ts silently rejects invalid tokens with a 401 response but emits no log entry. This makes brute-force or credential-stuffing attacks invisible in the application logs.
Affected Files
src/api_whip.ts (~lines 58–83)
src/api_whep.ts (same pattern)
Vulnerable Code
// No log on auth failure — attack attempts are invisible
reply
.header('WWW-Authenticate', 'Bearer realm="whip", charset="UTF-8"')
.code(401)
.send({ error: 'Unauthorized' });
return false;
Recommendation
Add a warning-level log on each failure, including the client IP (never the token value):
import { Log } from './log.js';
// on failure:
Log().warn({
msg: 'WHIP auth failed',
ip: request.ip,
path: request.url,
});
Ensure request.ip is populated correctly behind a reverse proxy by configuring trustProxy in Fastify; without it every failure is attributed to the proxy's own address and per-client counting is impossible. Enable trustProxy only when a proxy you control is actually in front of the service, since it makes Fastify take the client address from X-Forwarded-For, which an attacker reaching the service directly can set to anything.
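The recommended hook, carried through as an added example that is not the project's own code: a token check in the shape of a Fastify preHandler that records a structured warning (IP, path, reason, never the token) on every failure, plus a small aggregation over the resulting entries to show why the log matters for brute-force detection. The request, reply and log shapes are minimal stand-ins for Fastify's request/reply objects and the project's Log() wrapper, chosen so the file runs with no dependencies; the token, threshold and traffic are constructed.

```typescript
// Added example: auth hook with failure logging, plus the detection it enables.
// Request/reply/log types below are stand-ins for Fastify's and the project's Log().

interface AuthRequest {
  ip: string;                                     // client address (trustProxy-aware in Fastify)
  url: string;
  headers: Record<string, string | undefined>;
}
interface AuthReply {
  statusCode?: number;
  headers: Record<string, string>;
  body?: unknown;
  header(name: string, value: string): AuthReply;
  code(status: number): AuthReply;
  send(body: unknown): AuthReply;
}
interface AuthFailure { msg: string; ip: string; path: string; reason: string }

// In-memory sink standing in for Log().warn({...}); each entry is one failed attempt.
export const authLog: AuthFailure[] = [];

// Compare tokens without an early exit on the first mismatching byte.
// Only the length is revealed by timing, which is not secret for a fixed token.
function tokensMatch(presented: string, expected: string): boolean {
  if (presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  return diff === 0;
}

// Returns a hook that allows the request (true) or answers 401 and logs (false).
export function requireWhipAuth(expectedToken: string) {
  return (request: AuthRequest, reply: AuthReply): boolean => {
    const authz = request.headers['authorization'] ?? '';
    const [scheme, presented] = authz.split(' ', 2);
    let reason: string | undefined;
    if (scheme.toLowerCase() !== 'bearer' || !presented) reason = 'missing-bearer';
    else if (!tokensMatch(presented, expectedToken)) reason = 'bad-token';
    if (reason === undefined) return true;
    // Log who failed and where; the presented token value is deliberately not recorded.
    authLog.push({ msg: 'WHIP auth failed', ip: request.ip, path: request.url, reason });
    reply
      .header('WWW-Authenticate', 'Bearer realm="whip", charset="UTF-8"')
      .code(401)
      .send({ error: 'Unauthorized' });
    return false;
  };
}

// Minimal chainable reply object mimicking the Fastify calls used by the hook.
export function makeReply(): AuthReply {
  const reply: AuthReply = {
    headers: {},
    header(name, value) { reply.headers[name] = value; return reply; },
    code(status) { reply.statusCode = status; return reply; },
    send(body) { reply.body = body; return reply; },
  };
  return reply;
}

// Detection over the log: failures per client address, and the addresses at or over a threshold.
export function failuresPerIp(entries: AuthFailure[]): Map<string, number> {
  const counts = new Map<string, number>();
  for (const e of entries) counts.set(e.ip, (counts.get(e.ip) ?? 0) + 1);
  return counts;
}
export function offendingIps(entries: AuthFailure[], threshold: number): string[] {
  return Array.from(failuresPerIp(entries)).filter(([, n]) => n >= threshold).map(([ip]) => ip);
}

// Constructed traffic: one valid request, 25 guesses from one address, one request with no header.
export function demo(): { allowed: boolean; denied: number; status?: number; offenders: string[] } {
  authLog.length = 0;
  const hook = requireWhipAuth('s3cret-whip-token');   // assumed token, example only
  const allowed = hook(
    { ip: '10.0.0.5', url: '/whip', headers: { authorization: 'Bearer s3cret-whip-token' } },
    makeReply(),
  );
  let last = makeReply();
  for (let i = 0; i < 25; i++) {
    last = makeReply();
    hook({ ip: '203.0.113.9', url: '/whip', headers: { authorization: `Bearer guess-${i}` } }, last);
  }
  hook({ ip: '198.51.100.2', url: '/whep', headers: {} }, makeReply());
  return { allowed, denied: authLog.length, status: last.statusCode, offenders: offendingIps(authLog, 10) };
}
```

The threshold and window are the part a real deployment tunes; the point of the example is that the per-IP count is only computable once each 401 leaves a record that carries the client address, which is exactly what the original hook omits.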
Severity
Medium — Inability to detect and alert on authentication abuse.
Found by automated security audit.