@objectstack/rest 11.9.0 → 12.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +9 -3
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +9 -3
- package/dist/index.js.map +1 -1
- package/package.json +7 -7
package/dist/index.js
CHANGED
|
@@ -1884,7 +1884,8 @@ var RestServer = class {
|
|
|
1884
1884
|
enableSearch: api.enableSearch ?? true,
|
|
1885
1885
|
enableProjectScoping: api.enableProjectScoping ?? false,
|
|
1886
1886
|
projectResolution: api.projectResolution ?? "auto",
|
|
1887
|
-
requireAuth: api.requireAuth ??
|
|
1887
|
+
requireAuth: api.requireAuth ?? true,
|
|
1888
|
+
// secure-by-default (ADR-0056 D2; mirrors RestApiConfigSchema)
|
|
1888
1889
|
documentation: api.documentation,
|
|
1889
1890
|
responseFormat: api.responseFormat
|
|
1890
1891
|
},
|
|
@@ -5537,9 +5538,14 @@ function createRestApiPlugin(config = {}) {
|
|
|
5537
5538
|
const restServer = new RestServer(server, protocol, config.api, kernelManager, envRegistry, defaultEnvironmentIdProvider, authServiceProvider, objectQLProvider, emailServiceProvider, sharingServiceProvider, reportsServiceProvider, approvalsServiceProvider, sharingRulesServiceProvider, i18nServiceProvider, analyticsServiceProvider, settingsServiceProvider, serviceExistsProvider);
|
|
5538
5539
|
restServer.registerRoutes();
|
|
5539
5540
|
ctx.logger.info("REST API successfully registered");
|
|
5540
|
-
if (
|
|
5541
|
+
if (config.api?.api?.requireAuth === false) {
|
|
5541
5542
|
ctx.logger.warn(
|
|
5542
|
-
"[security] anonymous access to the data API is ALLOWED (api.requireAuth=false) \u2014 objects without OWD/RLS are world-readable.
|
|
5543
|
+
"[security] anonymous access to the data API is ALLOWED (api.requireAuth=false, explicit opt-out) \u2014 objects without OWD/RLS are world-readable. Remove the opt-out for secure-by-default and expose public records via share-links / publicSharing / public forms (ADR-0056 D2)."
|
|
5544
|
+
);
|
|
5545
|
+
}
|
|
5546
|
+
if (config.api?.requireAuth !== void 0) {
|
|
5547
|
+
ctx.logger.warn(
|
|
5548
|
+
`[security] \`api.requireAuth\` is set at the WRONG nesting level and has NO effect \u2014 move it to \`api.api.requireAuth\` (RestServerConfig.api.requireAuth). The effective value this boot is ${config.api?.api?.requireAuth ?? true}.`
|
|
5543
5549
|
);
|
|
5544
5550
|
}
|
|
5545
5551
|
} catch (err) {
|