@objectstack/rest 11.10.0 → 12.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +9 -3
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +9 -3
- package/dist/index.js.map +1 -1
- package/package.json +7 -7
package/dist/index.cjs
CHANGED
|
@@ -1924,7 +1924,8 @@ var RestServer = class {
|
|
|
1924
1924
|
enableSearch: api.enableSearch ?? true,
|
|
1925
1925
|
enableProjectScoping: api.enableProjectScoping ?? false,
|
|
1926
1926
|
projectResolution: api.projectResolution ?? "auto",
|
|
1927
|
-
requireAuth: api.requireAuth ??
|
|
1927
|
+
requireAuth: api.requireAuth ?? true,
|
|
1928
|
+
// secure-by-default (ADR-0056 D2; mirrors RestApiConfigSchema)
|
|
1928
1929
|
documentation: api.documentation,
|
|
1929
1930
|
responseFormat: api.responseFormat
|
|
1930
1931
|
},
|
|
@@ -5577,9 +5578,14 @@ function createRestApiPlugin(config = {}) {
|
|
|
5577
5578
|
const restServer = new RestServer(server, protocol, config.api, kernelManager, envRegistry, defaultEnvironmentIdProvider, authServiceProvider, objectQLProvider, emailServiceProvider, sharingServiceProvider, reportsServiceProvider, approvalsServiceProvider, sharingRulesServiceProvider, i18nServiceProvider, analyticsServiceProvider, settingsServiceProvider, serviceExistsProvider);
|
|
5578
5579
|
restServer.registerRoutes();
|
|
5579
5580
|
ctx.logger.info("REST API successfully registered");
|
|
5580
|
-
if (
|
|
5581
|
+
if (config.api?.api?.requireAuth === false) {
|
|
5581
5582
|
ctx.logger.warn(
|
|
5582
|
-
"[security] anonymous access to the data API is ALLOWED (api.requireAuth=false) \u2014 objects without OWD/RLS are world-readable.
|
|
5583
|
+
"[security] anonymous access to the data API is ALLOWED (api.requireAuth=false, explicit opt-out) \u2014 objects without OWD/RLS are world-readable. Remove the opt-out for secure-by-default and expose public records via share-links / publicSharing / public forms (ADR-0056 D2)."
|
|
5584
|
+
);
|
|
5585
|
+
}
|
|
5586
|
+
if (config.api?.requireAuth !== void 0) {
|
|
5587
|
+
ctx.logger.warn(
|
|
5588
|
+
`[security] \`api.requireAuth\` is set at the WRONG nesting level and has NO effect \u2014 move it to \`api.api.requireAuth\` (RestServerConfig.api.requireAuth). The effective value this boot is ${config.api?.api?.requireAuth ?? true}.`
|
|
5583
5589
|
);
|
|
5584
5590
|
}
|
|
5585
5591
|
} catch (err) {
|