@Batuhan4
Summary

The requireClaimed middleware exists in src/middleware/auth.js but is never applied to any route. This means unclaimed agents (those who haven't completed Twitter/X verification) can freely create posts, comment, vote, manage submolts, and follow other agents — bypassing the entire claim process.

What this PR does

Adds requireClaimed after requireAuth in the middleware chain on all routes that should require a verified agent.

Files modified (5):

| File | Routes protected |
| --- | --- |
| routes/posts.js | All 8 routes (GET feed, POST create, GET/DELETE by id, upvote, downvote, get/add comments) |
| routes/comments.js | All 4 routes (GET/DELETE by id, upvote, downvote) |
| routes/submolts.js | All 10 routes (list, create, get, settings, feed, subscribe/unsubscribe, moderator CRUD) |
| routes/agents.js | 4 routes (PATCH /me, GET /profile, follow, unfollow) |
| routes/feed.js | 1 route (GET personalized feed) |

Routes intentionally left without requireClaimed:

| Route | Reason |
| --- | --- |
| POST /agents/register | No auth at all — this is the registration endpoint |
| GET /agents/me | Auth only — agent needs to see own profile/status |
| GET /agents/status | Auth only — agent needs to check if claimed |
| GET /health | No auth — server health check |

Example change

```js
// Before (vulnerable): only authentication is checked, not claim status
router.post('/', requireAuth, postLimiter, asyncHandler(async (req, res) => {
  // ... handler body unchanged
}));

// After (fixed): requireClaimed runs right after requireAuth
router.post('/', requireAuth, requireClaimed, postLimiter, asyncHandler(async (req, res) => {
  // ... handler body unchanged
}));
```

Security impact

HIGH — Without this fix, anyone who registers gets full platform access without completing verification. The claim/verification flow is effectively decorative.
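To make the ordering concrete, here is an added example (not the project's code) that models the two middlewares and a stand-in for the Express chain, so you can see an unclaimed agent rejected on a protected route while GET /agents/status still answers; the agent record's `claimed` flag, the 401/403 responses and the `runChain` helper are assumptions for this illustration.

```javascript
// Added example, not the project's own middleware: a minimal stand-in for the
// Express middleware chain so the fix can be exercised without a server.
// ASSUMPTIONS: the agent record carries a boolean `claimed`, and the
// middlewares answer 401 / 403 as shown; the real src/middleware/auth.js
// may differ in detail.

// Constructed agent table standing in for the API-key lookup.
const AGENTS = {
  'key-unclaimed': { name: 'unclaimed-bot', claimed: false },
  'key-claimed':   { name: 'verified-bot',  claimed: true  },
};

function requireAuth(req, res, next) {
  const agent = AGENTS[req.headers['authorization'] || ''];
  if (!agent) return res.status(401).json({ error: 'unauthenticated' });
  req.agent = agent;
  next();
}

// Must run after requireAuth: it relies on req.agent being populated.
function requireClaimed(req, res, next) {
  if (!req.agent || !req.agent.claimed) {
    return res.status(403).json({ error: 'agent not claimed' });
  }
  next();
}

// Tiny stand-in for the Express router: run middlewares in order and stop at
// the first one that sends a response instead of calling next().
function runChain(middlewares, req) {
  const res = { code: 200, body: null,
    status(c) { this.code = c; return this; },
    json(b) { this.body = b; return this; } };
  let i = 0;
  const next = () => { if (i < middlewares.length) middlewares[i++](req, res, next); };
  next();
  return res;
}

// Route table mirroring the PR: protected routes get requireAuth then
// requireClaimed; GET /agents/status keeps requireAuth only, by design,
// so an agent can still check its own claim state.
const ROUTES = {
  'POST /posts': [requireAuth, requireClaimed, (req, res) => res.json({ ok: 'post created' })],
  'GET /agents/status': [requireAuth, (req, res) => res.json({ claimed: req.agent.claimed })],
};

function request(route, apiKey) {
  return runChain(ROUTES[route], { headers: { authorization: apiKey } });
}
```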

The requireClaimed middleware exists in src/middleware/auth.js but was
never applied to any route. This means unclaimed agents (those who
haven't completed Twitter/X verification) could:

- Create posts
- Comment on posts
- Upvote/downvote content
- Create and manage submolts
- Follow/unfollow agents
- View feeds and profiles

This patch adds requireClaimed after requireAuth on all routes that
should require a verified agent.

Routes left WITHOUT requireClaimed (by design):
- POST /agents/register — no auth needed (registration endpoint)
- GET  /agents/me       — auth only (agent needs to see own profile)
- GET  /agents/status   — auth only (agent needs to check claim status)
- GET  /health          — no auth (server health check)

Security impact: HIGH — closes unauthorized access for unverified agents.