security: fix critical auth gaps, SSRF, IDOR, and embedding error handling
Some checks failed
Deploy to Production / Build and Deploy (push) Failing after 39s
Some checks failed
Deploy to Production / Build and Deploy (push) Failing after 39s
CRITICAL: - Add auth + admin check to 10 unprotected API routes (test-*, debug/*, config, models, fix-labels) - Add CRON_SECRET bearer auth to /api/cron/reminders (was fully open) - Add SSRF protection to getOllamaModels (blocks private/internal IPs) HIGH: - Fix getAllLabels() missing userId filter (leaked all users' labels) - Fix /api/labels OR clause leaking other users' labels - Fix IDOR in toggleAgent/getAgentActions (add ownership check) - Fix getEmbeddings() returning [] on error in all 5 providers (corrupted semantic search with NaN cosine similarity) — now throws instead Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -246,6 +246,13 @@ export async function getAgentActions(agentId: string) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
// Verify the agent belongs to the user
|
||||||
|
const agent = await prisma.agent.findFirst({
|
||||||
|
where: { id: agentId, userId: session.user.id },
|
||||||
|
select: { id: true }
|
||||||
|
})
|
||||||
|
if (!agent) throw new Error('Agent non trouve')
|
||||||
|
|
||||||
const actions = await prisma.agentAction.findMany({
|
const actions = await prisma.agentAction.findMany({
|
||||||
where: { agentId },
|
where: { agentId },
|
||||||
orderBy: { createdAt: 'desc' },
|
orderBy: { createdAt: 'desc' },
|
||||||
@@ -276,7 +283,7 @@ export async function toggleAgent(id: string, isEnabled: boolean) {
|
|||||||
|
|
||||||
try {
|
try {
|
||||||
const agent = await prisma.agent.update({
|
const agent = await prisma.agent.update({
|
||||||
where: { id },
|
where: { id, userId: session.user.id },
|
||||||
data: { isEnabled }
|
data: { isEnabled }
|
||||||
})
|
})
|
||||||
return { success: true, agent }
|
return { success: true, agent }
|
||||||
|
|||||||
@@ -1169,8 +1169,13 @@ export async function updateSize(id: string, size: 'small' | 'medium' | 'large')
|
|||||||
|
|
||||||
// Get all unique labels
|
// Get all unique labels
|
||||||
export async function getAllLabels() {
|
export async function getAllLabels() {
|
||||||
|
const session = await auth();
|
||||||
|
if (!session?.user?.id) return [];
|
||||||
try {
|
try {
|
||||||
const notes = await prisma.note.findMany({ select: { labels: true } })
|
const notes = await prisma.note.findMany({
|
||||||
|
where: { userId: session.user.id },
|
||||||
|
select: { labels: true }
|
||||||
|
})
|
||||||
const labelsSet = new Set<string>()
|
const labelsSet = new Set<string>()
|
||||||
notes.forEach((note: any) => {
|
notes.forEach((note: any) => {
|
||||||
const labels = note.labels ? JSON.parse(note.labels) : null
|
const labels = note.labels ? JSON.parse(note.labels) : null
|
||||||
|
|||||||
@@ -26,6 +26,24 @@ export async function getOllamaModels(baseUrl: string): Promise<{ success: boole
|
|||||||
// Ensure URL doesn't end with slash
|
// Ensure URL doesn't end with slash
|
||||||
const cleanUrl = baseUrl.replace(/\/$/, '')
|
const cleanUrl = baseUrl.replace(/\/$/, '')
|
||||||
|
|
||||||
|
// SSRF protection: block internal/private IPs
|
||||||
|
try {
|
||||||
|
const parsed = new URL(cleanUrl)
|
||||||
|
const hostname = parsed.hostname.toLowerCase()
|
||||||
|
const blockedHosts = ['localhost', '127.0.0.1', '0.0.0.0', '::1', '169.254.169.254']
|
||||||
|
if (blockedHosts.includes(hostname)) {
|
||||||
|
return { success: false, models: [], error: 'Private/internal URLs are not allowed' }
|
||||||
|
}
|
||||||
|
if (hostname.startsWith('10.') || hostname.startsWith('172.') || hostname.startsWith('192.168.') || hostname.startsWith('fc') || hostname.startsWith('fd')) {
|
||||||
|
return { success: false, models: [], error: 'Private/internal URLs are not allowed' }
|
||||||
|
}
|
||||||
|
if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
|
||||||
|
return { success: false, models: [], error: 'Only http/https protocols allowed' }
|
||||||
|
}
|
||||||
|
} catch {
|
||||||
|
return { success: false, models: [], error: 'Invalid URL' }
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const response = await fetch(`${cleanUrl}/api/tags`, {
|
const response = await fetch(`${cleanUrl}/api/tags`, {
|
||||||
method: 'GET',
|
method: 'GET',
|
||||||
|
|||||||
@@ -1,7 +1,16 @@
|
|||||||
import { NextRequest, NextResponse } from 'next/server'
|
import { NextRequest, NextResponse } from 'next/server'
|
||||||
import { getSystemConfig } from '@/lib/config'
|
import { getSystemConfig } from '@/lib/config'
|
||||||
|
import { auth } from '@/auth'
|
||||||
|
|
||||||
export async function GET(request: NextRequest) {
|
export async function GET(request: NextRequest) {
|
||||||
|
const session = await auth()
|
||||||
|
if (!session?.user?.id) {
|
||||||
|
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||||
|
}
|
||||||
|
if ((session.user as any).role !== 'ADMIN') {
|
||||||
|
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const config = await getSystemConfig()
|
const config = await getSystemConfig()
|
||||||
|
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
import { NextRequest, NextResponse } from 'next/server'
|
import { NextRequest, NextResponse } from 'next/server'
|
||||||
import { getSystemConfig } from '@/lib/config'
|
import { getSystemConfig } from '@/lib/config'
|
||||||
|
import { auth } from '@/auth'
|
||||||
|
|
||||||
// Modèles populaires pour chaque provider (2025)
|
// Modèles populaires pour chaque provider (2025)
|
||||||
const PROVIDER_MODELS = {
|
const PROVIDER_MODELS = {
|
||||||
@@ -41,6 +42,14 @@ const PROVIDER_MODELS = {
|
|||||||
}
|
}
|
||||||
|
|
||||||
export async function GET(request: NextRequest) {
|
export async function GET(request: NextRequest) {
|
||||||
|
const session = await auth()
|
||||||
|
if (!session?.user?.id) {
|
||||||
|
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||||
|
}
|
||||||
|
if ((session.user as any).role !== 'ADMIN') {
|
||||||
|
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const config = await getSystemConfig()
|
const config = await getSystemConfig()
|
||||||
const provider = (config.AI_PROVIDER || 'ollama').toLowerCase()
|
const provider = (config.AI_PROVIDER || 'ollama').toLowerCase()
|
||||||
|
|||||||
@@ -1,8 +1,17 @@
|
|||||||
import { NextRequest, NextResponse } from 'next/server'
|
import { NextRequest, NextResponse } from 'next/server'
|
||||||
import { getChatProvider } from '@/lib/ai/factory'
|
import { getChatProvider } from '@/lib/ai/factory'
|
||||||
import { getSystemConfig } from '@/lib/config'
|
import { getSystemConfig } from '@/lib/config'
|
||||||
|
import { auth } from '@/auth'
|
||||||
|
|
||||||
export async function POST(request: NextRequest) {
|
export async function POST(request: NextRequest) {
|
||||||
|
const session = await auth()
|
||||||
|
if (!session?.user?.id) {
|
||||||
|
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||||
|
}
|
||||||
|
if ((session.user as any).role !== 'ADMIN') {
|
||||||
|
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const config = await getSystemConfig()
|
const config = await getSystemConfig()
|
||||||
const provider = getChatProvider(config)
|
const provider = getChatProvider(config)
|
||||||
|
|||||||
@@ -1,6 +1,7 @@
|
|||||||
import { NextRequest, NextResponse } from 'next/server'
|
import { NextRequest, NextResponse } from 'next/server'
|
||||||
import { getEmbeddingsProvider } from '@/lib/ai/factory'
|
import { getEmbeddingsProvider } from '@/lib/ai/factory'
|
||||||
import { getSystemConfig } from '@/lib/config'
|
import { getSystemConfig } from '@/lib/config'
|
||||||
|
import { auth } from '@/auth'
|
||||||
|
|
||||||
function getProviderDetails(config: Record<string, string>, providerType: string) {
|
function getProviderDetails(config: Record<string, string>, providerType: string) {
|
||||||
const provider = providerType.toLowerCase()
|
const provider = providerType.toLowerCase()
|
||||||
@@ -34,6 +35,14 @@ function getProviderDetails(config: Record<string, string>, providerType: string
|
|||||||
}
|
}
|
||||||
|
|
||||||
export async function POST(request: NextRequest) {
|
export async function POST(request: NextRequest) {
|
||||||
|
const session = await auth()
|
||||||
|
if (!session?.user?.id) {
|
||||||
|
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||||
|
}
|
||||||
|
if ((session.user as any).role !== 'ADMIN') {
|
||||||
|
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const config = await getSystemConfig()
|
const config = await getSystemConfig()
|
||||||
const provider = getEmbeddingsProvider(config)
|
const provider = getEmbeddingsProvider(config)
|
||||||
|
|||||||
@@ -1,8 +1,17 @@
|
|||||||
import { NextRequest, NextResponse } from 'next/server'
|
import { NextRequest, NextResponse } from 'next/server'
|
||||||
import { getTagsProvider } from '@/lib/ai/factory'
|
import { getTagsProvider } from '@/lib/ai/factory'
|
||||||
import { getSystemConfig } from '@/lib/config'
|
import { getSystemConfig } from '@/lib/config'
|
||||||
|
import { auth } from '@/auth'
|
||||||
|
|
||||||
export async function POST(request: NextRequest) {
|
export async function POST(request: NextRequest) {
|
||||||
|
const session = await auth()
|
||||||
|
if (!session?.user?.id) {
|
||||||
|
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||||
|
}
|
||||||
|
if ((session.user as any).role !== 'ADMIN') {
|
||||||
|
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const config = await getSystemConfig()
|
const config = await getSystemConfig()
|
||||||
const provider = getTagsProvider(config)
|
const provider = getTagsProvider(config)
|
||||||
|
|||||||
@@ -1,6 +1,7 @@
|
|||||||
import { NextRequest, NextResponse } from 'next/server'
|
import { NextRequest, NextResponse } from 'next/server'
|
||||||
import { getTagsProvider, getEmbeddingsProvider } from '@/lib/ai/factory'
|
import { getTagsProvider, getEmbeddingsProvider } from '@/lib/ai/factory'
|
||||||
import { getSystemConfig } from '@/lib/config'
|
import { getSystemConfig } from '@/lib/config'
|
||||||
|
import { auth } from '@/auth'
|
||||||
|
|
||||||
function getProviderDetails(config: Record<string, string>, providerType: string) {
|
function getProviderDetails(config: Record<string, string>, providerType: string) {
|
||||||
const provider = providerType.toLowerCase()
|
const provider = providerType.toLowerCase()
|
||||||
@@ -34,6 +35,14 @@ function getProviderDetails(config: Record<string, string>, providerType: string
|
|||||||
}
|
}
|
||||||
|
|
||||||
export async function GET(request: NextRequest) {
|
export async function GET(request: NextRequest) {
|
||||||
|
const session = await auth()
|
||||||
|
if (!session?.user?.id) {
|
||||||
|
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||||
|
}
|
||||||
|
if ((session.user as any).role !== 'ADMIN') {
|
||||||
|
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const config = await getSystemConfig()
|
const config = await getSystemConfig()
|
||||||
const tagsProvider = getTagsProvider(config)
|
const tagsProvider = getTagsProvider(config)
|
||||||
|
|||||||
@@ -1,7 +1,13 @@
|
|||||||
import { NextResponse } from 'next/server'
|
import { NextResponse } from 'next/server'
|
||||||
import { getSystemConfig } from '@/lib/config'
|
import { getSystemConfig } from '@/lib/config'
|
||||||
|
import { auth } from '@/auth'
|
||||||
|
|
||||||
export async function GET() {
|
export async function GET() {
|
||||||
|
const session = await auth()
|
||||||
|
if (!session?.user?.id) {
|
||||||
|
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const config = await getSystemConfig()
|
const config = await getSystemConfig()
|
||||||
const available = !!(
|
const available = !!(
|
||||||
|
|||||||
@@ -1,9 +1,19 @@
|
|||||||
import { NextResponse } from 'next/server';
|
import { NextRequest, NextResponse } from 'next/server';
|
||||||
import prisma from '@/lib/prisma';
|
import prisma from '@/lib/prisma';
|
||||||
|
|
||||||
export const dynamic = 'force-dynamic'; // No caching
|
export const dynamic = 'force-dynamic'; // No caching
|
||||||
|
|
||||||
export async function POST(request: Request) {
|
export async function POST(request: NextRequest) {
|
||||||
|
// Optional auth: set CRON_SECRET env var, callers must pass
|
||||||
|
// Authorization: Bearer <CRON_SECRET>
|
||||||
|
const cronSecret = process.env.CRON_SECRET
|
||||||
|
if (cronSecret) {
|
||||||
|
const authHeader = request.headers.get('authorization')
|
||||||
|
if (authHeader !== `Bearer ${cronSecret}`) {
|
||||||
|
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const now = new Date();
|
const now = new Date();
|
||||||
|
|
||||||
|
|||||||
@@ -1,11 +1,20 @@
|
|||||||
import { NextResponse } from 'next/server';
|
import { NextResponse } from 'next/server';
|
||||||
import { getSystemConfig } from '@/lib/config';
|
import { getSystemConfig } from '@/lib/config';
|
||||||
|
import { auth } from '@/auth';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Debug endpoint to check AI configuration
|
* Debug endpoint to check AI configuration
|
||||||
* This helps verify that OpenAI is properly configured
|
* This helps verify that OpenAI is properly configured
|
||||||
*/
|
*/
|
||||||
export async function GET() {
|
export async function GET() {
|
||||||
|
const session = await auth()
|
||||||
|
if (!session?.user?.id) {
|
||||||
|
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||||
|
}
|
||||||
|
if ((session.user as any).role !== 'ADMIN') {
|
||||||
|
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const config = await getSystemConfig();
|
const config = await getSystemConfig();
|
||||||
|
|
||||||
|
|||||||
@@ -1,7 +1,16 @@
|
|||||||
import { NextResponse } from 'next/server';
|
import { NextResponse } from 'next/server';
|
||||||
import { chatService } from '@/lib/ai/services/chat.service';
|
import { chatService } from '@/lib/ai/services/chat.service';
|
||||||
|
import { auth } from '@/auth';
|
||||||
|
|
||||||
export async function POST(req: Request) {
|
export async function POST(req: Request) {
|
||||||
|
const session = await auth()
|
||||||
|
if (!session?.user?.id) {
|
||||||
|
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||||
|
}
|
||||||
|
if ((session.user as any).role !== 'ADMIN') {
|
||||||
|
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const body = await req.json();
|
const body = await req.json();
|
||||||
console.log("TEST ROUTE INCOMING BODY:", body);
|
console.log("TEST ROUTE INCOMING BODY:", body);
|
||||||
|
|||||||
@@ -1,6 +1,7 @@
|
|||||||
import { NextResponse } from 'next/server'
|
import { NextResponse } from 'next/server'
|
||||||
import prisma from '@/lib/prisma'
|
import prisma from '@/lib/prisma'
|
||||||
import { revalidatePath } from 'next/cache'
|
import { revalidatePath } from 'next/cache'
|
||||||
|
import { auth } from '@/auth'
|
||||||
|
|
||||||
function getHashColor(name: string): string {
|
function getHashColor(name: string): string {
|
||||||
const colors = ['red', 'blue', 'green', 'yellow', 'purple', 'pink', 'orange', 'gray']
|
const colors = ['red', 'blue', 'green', 'yellow', 'purple', 'pink', 'orange', 'gray']
|
||||||
@@ -12,6 +13,14 @@ function getHashColor(name: string): string {
|
|||||||
}
|
}
|
||||||
|
|
||||||
export async function POST() {
|
export async function POST() {
|
||||||
|
const session = await auth()
|
||||||
|
if (!session?.user?.id) {
|
||||||
|
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||||
|
}
|
||||||
|
if ((session.user as any).role !== 'ADMIN') {
|
||||||
|
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const result = { created: 0, deleted: 0, missing: [] as string[] }
|
const result = { created: 0, deleted: 0, missing: [] as string[] }
|
||||||
|
|
||||||
|
|||||||
@@ -25,11 +25,8 @@ export async function GET(request: NextRequest) {
|
|||||||
// Get labels for a specific notebook
|
// Get labels for a specific notebook
|
||||||
where.notebookId = notebookId
|
where.notebookId = notebookId
|
||||||
} else {
|
} else {
|
||||||
// Get all labels for the user (both old and new system)
|
// Get all labels for the user
|
||||||
where.OR = [
|
where.userId = session.user.id
|
||||||
{ notebookId: { not: null } },
|
|
||||||
{ userId: session.user.id }
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
|
|
||||||
const labels = await prisma.label.findMany({
|
const labels = await prisma.label.findMany({
|
||||||
|
|||||||
@@ -64,7 +64,7 @@ export class CustomOpenAIProvider implements AIProvider {
|
|||||||
return embedding;
|
return embedding;
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
console.error('Error generating embeddings (Custom OpenAI):', e);
|
console.error('Error generating embeddings (Custom OpenAI):', e);
|
||||||
return [];
|
throw e;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -48,7 +48,7 @@ export class DeepSeekProvider implements AIProvider {
|
|||||||
return embedding;
|
return embedding;
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
console.error('Error generating embeddings (DeepSeek):', e);
|
console.error('Error generating embeddings (DeepSeek):', e);
|
||||||
return [];
|
throw e;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -105,7 +105,7 @@ Note content: "${content}"`;
|
|||||||
return data.embedding;
|
return data.embedding;
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
console.error('Error generating embeddings (Ollama):', e);
|
console.error('Error generating embeddings (Ollama):', e);
|
||||||
return [];
|
throw e;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -48,7 +48,7 @@ export class OpenAIProvider implements AIProvider {
|
|||||||
return embedding;
|
return embedding;
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
console.error('Error generating embeddings (OpenAI):', e);
|
console.error('Error generating embeddings (OpenAI):', e);
|
||||||
return [];
|
throw e;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -48,7 +48,7 @@ export class OpenRouterProvider implements AIProvider {
|
|||||||
return embedding;
|
return embedding;
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
console.error('Error generating embeddings (OpenRouter):', e);
|
console.error('Error generating embeddings (OpenRouter):', e);
|
||||||
return [];
|
throw e;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user