singularity-forge/web/app/api
Jeremy McSpadden ab03677567 fix(security): activate auth middleware and harden shutdown/update routes (#4023)
The Next.js auth middleware (proxy.ts) was never wired in — it exported
`proxy` from a file named proxy.ts, but Next.js requires a `middleware`
export from middleware.ts. The middleware-manifest.json was empty,
leaving all 42 API routes accessible without authentication.

Fixes:
- Rename web/proxy.ts → web/middleware.ts, export `middleware` not `proxy`
- Add defense-in-depth auth-guard to /api/shutdown and /api/update routes
- Remove shell: true from update-service spawn (command injection surface)
- Update contract tests to verify middleware file name and export

Closes #4014

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 07:52:43 -04:00
boot fix: resolve Node v24 web boot failure — ERR_UNSUPPORTED_NODE_MODULES_TYPE_STRIPPING (#1864) 2026-03-21 15:24:07 -06:00
bridge-terminal feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
browse-directories fix: show external drives in directory browser on Linux 2026-03-28 00:45:22 +02:00
captures feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
cleanup feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
dev-mode feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
doctor feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
experimental chore: rename preferences.md to PREFERENCES.md for consistency (#2700) (#2738) 2026-03-26 16:09:59 -06:00
export-data feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
files feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
forensics feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
git feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
history feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
hooks feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
inspect feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
knowledge feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
live-state feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
notifications feat(gsd): persistent notification panel with TUI overlay, widget, and web API 2026-04-05 22:13:28 -05:00
onboarding feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
preferences feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
projects feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
recovery feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
remote-questions chore: rename preferences.md to PREFERENCES.md for consistency (#2700) (#2738) 2026-03-26 16:09:59 -06:00
session feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
settings-data feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
shutdown fix(security): activate auth middleware and harden shutdown/update routes (#4023) 2026-04-13 07:52:43 -04:00
skill-health feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
steer feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
switch-root feat(web): add "Change project root" button to web UI (#2355) 2026-03-24 07:18:05 -06:00
terminal feat: managed RTK integration with opt-in preference and web UI toggle (#2620) 2026-03-26 09:33:07 -06:00
undo feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00
update fix(security): activate auth middleware and harden shutdown/update routes (#4023) 2026-04-13 07:52:43 -04:00
visualizer feat(web): browser-based web interface (#1717) 2026-03-21 12:16:54 -06:00