@soulbatical/tetra-dev-toolkit 1.20.16 → 1.20.17

@@ -103,26 +103,38 @@ function hasOrgAdminMiddleware(content) {
103
103
  }
104
104
 
105
105
  /**
106
- * Check if admin routes are protected by a RouteManager group-level middleware.
107
- * Many projects apply auth middleware at the route group level (e.g., all /api/admin/* routes)
108
- * rather than in individual route files.
106
+ * Check if admin routes are protected by group-level middleware.
107
+ *
108
+ * Supports two patterns:
109
+ * 1. RouteManager: explicit authenticateToken in routes/index.ts or RouteManager.ts
110
+ * 2. createApp declarative routes: `access: 'admin'` in index.ts/app.ts
111
+ * → createApp auto-injects authenticateToken + requireOrgAdmin for access='admin'
109
112
  */
110
113
  function hasRouteManagerGroupAuth(projectRoot) {
111
114
  const candidates = [
112
115
  join(projectRoot, 'backend/src/core/RouteManager.ts'),
113
116
  join(projectRoot, 'src/core/RouteManager.ts'),
114
117
  join(projectRoot, 'backend/src/routes/index.ts'),
115
- join(projectRoot, 'src/routes/index.ts')
118
+ join(projectRoot, 'src/routes/index.ts'),
119
+ join(projectRoot, 'backend/src/index.ts'),
120
+ join(projectRoot, 'src/index.ts'),
121
+ join(projectRoot, 'backend/src/app.ts'),
122
+ join(projectRoot, 'src/app.ts')
116
123
  ]
117
124
 
118
125
  for (const file of candidates) {
119
126
  if (!existsSync(file)) continue
120
127
  try {
121
128
  const content = readFileSync(file, 'utf-8')
122
- // Check for group middleware pattern: prefix '/api/admin' with authenticateToken
129
+ // Pattern 1: RouteManager with explicit authenticateToken for /api/admin
123
130
  if (/\/api\/admin/.test(content) && /authenticateToken/.test(content)) {
124
131
  return true
125
132
  }
133
+ // Pattern 2: createApp declarative routes — access: 'admin' auto-injects auth
134
+ // createApp guarantees authenticateToken + requireOrgAdmin for access='admin'
135
+ if (/createApp/.test(content) && /access:\s*['"]admin['"]/.test(content)) {
136
+ return true
137
+ }
126
138
  } catch { /* skip */ }
127
139
  }
128
140
  return false
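Review bot: The Pattern 2 test added at new lines 133–137 returns true when `createApp` and `access: 'admin'` each occur anywhere in the file, so one admin-access route, or a match inside a comment, reports group-level protection even if another `/api/admin` route in the same file declares a different access level. If a `true` result is what silences a missing-auth finding (the caller is not visible here), this is a false negative in the audit. It also relies on the comment's claim that createApp injects `authenticateToken` + `requireOrgAdmin`, which this code cannot confirm for the createApp version the project uses. I would tie the match to the admin routes themselves, for example `/\/api\/admin[^}]*access:\s*['"]admin['"]/.test(content)` if route objects list the path before `access`, and state in the JSDoc that the result is a file-level heuristic. The function's closing brace lies outside the hunk, and the name `hasRouteManagerGroupAuth` no longer describes the createApp case.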
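--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@soulbatical/tetra-dev-toolkit",
- "version": "1.20.16",
+ "version": "1.20.17",
  "publishConfig": {
  "access": "restricted"
  },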