fix(security): add JWT auth + visibility check to pages API

- GET /pages/:slug now requires JWT + checks custom_menu_items visibility
- GET /pages (list) is admin-only
- GET /pages/:slug/images/* uses visibility check without JWT (browser
  img tags cannot carry auth headers), blocks admin-only page images
- Frontend fetch adds Authorization header from authStore.token
- settingService nil guard changed to fail-closed (deny access)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Michael-Jetson
2026-05-05 07:00:08 -07:00
parent 4cbd4932a0
commit cf2d5067c3
4 changed files with 108 additions and 9 deletions
+3 -1
@@ -202,7 +202,9 @@ async function fetchAndRenderMarkdown(slug: string) {
tocItems.value = []
activeHeadingId.value = ''
try {
const resp = await fetch(`/api/v1/pages/${encodeURIComponent(slug)}`)
const resp = await fetch(`/api/v1/pages/${encodeURIComponent(slug)}`, {
headers: authStore.token ? { Authorization: `Bearer ${authStore.token}` } : {},
})
if (!resp.ok) {
renderedHtml.value = '<p class="text-red-500">Page not found</p>'
return
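Review bot: A 401 or 403 from the newly authenticated pages endpoint falls into the `if (!resp.ok)` branch and is rendered as "Page not found", so an expired or missing token is indistinguishable from a genuinely absent page and the user is never prompted to re-authenticate. Consider checking the status before the generic message, e.g. `if (resp.status === 401) { renderedHtml.value = '<p class="text-red-500">Please log in to view this page</p>'; return }`. Whether the backend answers a hidden page with 404 (not leaking existence) or 403 is not visible in this hunk; if it is 403, the message should not claim the page does not exist. fetchAndRenderMarkdown begins before this hunk and its body continues after it.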