@checkstack/backend-api 0.8.0 → 0.8.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +31 -0
- package/package.json +14 -10
- package/src/rpc.ts +21 -4
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,36 @@
|
|
|
1
1
|
# @checkstack/backend-api
|
|
2
2
|
|
|
3
|
+
## 0.8.2
|
|
4
|
+
|
|
5
|
+
### Patch Changes
|
|
6
|
+
|
|
7
|
+
- 67158e2: Standardize package metadata, unify AJV versions to 8.18.0, and enforce monorepo architecture rules via updated ESLint configuration. This ensures consistent package discovery and runtime dependency safety across the platform.
|
|
8
|
+
- Updated dependencies [67158e2]
|
|
9
|
+
- @checkstack/common@0.6.4
|
|
10
|
+
- @checkstack/healthcheck-common@0.8.4
|
|
11
|
+
- @checkstack/queue-api@0.2.7
|
|
12
|
+
- @checkstack/signal-common@0.1.8
|
|
13
|
+
|
|
14
|
+
## 0.8.1
|
|
15
|
+
|
|
16
|
+
### Patch Changes
|
|
17
|
+
|
|
18
|
+
- 0ebbe56: Security Vulnerability Remediation completed:
|
|
19
|
+
- Refactored core authorization to Fail-Closed architecture with secure defaults.
|
|
20
|
+
- Implemented `assertTeamManagementAccess` to resolve BOLA in Teams Management.
|
|
21
|
+
- Protected internal S2S capabilities via explicit wildcard `serviceScope` definitions.
|
|
22
|
+
- Disarmed OS Command Injection in DiskCollector via strict regex validation and bash escaping.
|
|
23
|
+
- Re-architected inline script processing executing scripts in sandboxed Web Worker contexts.
|
|
24
|
+
- Isolated subprocess environment scopes in PingStrategy limiting variable leakage.
|
|
25
|
+
- Enforced strict token/API Key parsing with URLSearchParams checking.
|
|
26
|
+
- Explicitly fail-fast on missing DATABASE_URL configuration across independent backend clusters.
|
|
27
|
+
- Activated strict HTTP Security Headers (HSTS, CSP, X-Frame-Options) across the API automatically.
|
|
28
|
+
- Updated dependencies [0ebbe56]
|
|
29
|
+
- @checkstack/common@0.6.3
|
|
30
|
+
- @checkstack/queue-api@0.2.6
|
|
31
|
+
- @checkstack/healthcheck-common@0.8.3
|
|
32
|
+
- @checkstack/signal-common@0.1.7
|
|
33
|
+
|
|
3
34
|
## 0.8.0
|
|
4
35
|
|
|
5
36
|
### Minor Changes
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@checkstack/backend-api",
|
|
3
|
-
"version": "0.8.
|
|
3
|
+
"version": "0.8.2",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"main": "./src/index.ts",
|
|
6
6
|
"scripts": {
|
|
@@ -9,16 +9,17 @@
|
|
|
9
9
|
"lint:code": "eslint . --max-warnings 0"
|
|
10
10
|
},
|
|
11
11
|
"dependencies": {
|
|
12
|
-
"@checkstack/common": "0.6.
|
|
13
|
-
"@checkstack/healthcheck-common": "0.8.
|
|
14
|
-
"@checkstack/queue-api": "0.2.
|
|
15
|
-
"@checkstack/signal-common": "0.1.
|
|
16
|
-
"@orpc/client": "^1.13.
|
|
12
|
+
"@checkstack/common": "0.6.3",
|
|
13
|
+
"@checkstack/healthcheck-common": "0.8.3",
|
|
14
|
+
"@checkstack/queue-api": "0.2.6",
|
|
15
|
+
"@checkstack/signal-common": "0.1.7",
|
|
16
|
+
"@orpc/client": "^1.13.14",
|
|
17
|
+
"@orpc/contract": "^1.13.14",
|
|
17
18
|
"@orpc/openapi": "^1.13.2",
|
|
18
19
|
"@orpc/server": "^1.13.2",
|
|
19
20
|
"@orpc/zod": "^1.13.2",
|
|
20
|
-
"drizzle-orm": "^0.45.
|
|
21
|
-
"hono": "^4.
|
|
21
|
+
"drizzle-orm": "^0.45.0",
|
|
22
|
+
"hono": "^4.12.14",
|
|
22
23
|
"marked": "^17.0.1",
|
|
23
24
|
"zod": "^4.2.1"
|
|
24
25
|
},
|
|
@@ -28,7 +29,10 @@
|
|
|
28
29
|
"@checkstack/scripts": "0.1.1"
|
|
29
30
|
},
|
|
30
31
|
"peerDependencies": {
|
|
31
|
-
"hono": "^4.
|
|
32
|
-
"drizzle-orm": "^0.45.
|
|
32
|
+
"hono": "^4.12.14",
|
|
33
|
+
"drizzle-orm": "^0.45.0"
|
|
34
|
+
},
|
|
35
|
+
"checkstack": {
|
|
36
|
+
"type": "tooling"
|
|
33
37
|
}
|
|
34
38
|
}
|
package/src/rpc.ts
CHANGED
|
@@ -206,6 +206,23 @@ export const autoAuthMiddleware = os.middleware(
|
|
|
206
206
|
|
|
207
207
|
// 5. Skip remaining checks for services - they are trusted
|
|
208
208
|
if (user?.type === "service") {
|
|
209
|
+
// SECURITY: Check service-level scope restrictions
|
|
210
|
+
const serviceScope = meta?.serviceScope;
|
|
211
|
+
if (serviceScope && serviceScope.length > 0) {
|
|
212
|
+
const isAllowed = serviceScope.some((allowedPattern) => {
|
|
213
|
+
if (allowedPattern.endsWith("*")) {
|
|
214
|
+
const prefix = allowedPattern.slice(0, -1);
|
|
215
|
+
return user.pluginId.startsWith(prefix);
|
|
216
|
+
}
|
|
217
|
+
return allowedPattern === user.pluginId;
|
|
218
|
+
});
|
|
219
|
+
|
|
220
|
+
if (!isAllowed) {
|
|
221
|
+
throw new ORPCError("FORBIDDEN", {
|
|
222
|
+
message: `Service '${user.pluginId}' is not allowed to call this endpoint`,
|
|
223
|
+
});
|
|
224
|
+
}
|
|
225
|
+
}
|
|
209
226
|
return next({});
|
|
210
227
|
}
|
|
211
228
|
|
|
@@ -483,8 +500,8 @@ async function checkResourceAccessViaS2S({
|
|
|
483
500
|
});
|
|
484
501
|
return result.hasAccess;
|
|
485
502
|
} catch {
|
|
486
|
-
//
|
|
487
|
-
return
|
|
503
|
+
// SECURITY: Fail-Closed — deny access when S2S check fails
|
|
504
|
+
return false;
|
|
488
505
|
}
|
|
489
506
|
}
|
|
490
507
|
|
|
@@ -520,8 +537,8 @@ async function getAccessibleResourceIdsViaS2S({
|
|
|
520
537
|
hasGlobalAccess,
|
|
521
538
|
});
|
|
522
539
|
} catch {
|
|
523
|
-
//
|
|
524
|
-
return
|
|
540
|
+
// SECURITY: Fail-Closed — return empty set when S2S check fails
|
|
541
|
+
return [];
|
|
525
542
|
}
|
|
526
543
|
}
|
|
527
544
|
|