GitHub Bounties💵 paid workby mvmax-devscored by google/gemini-2.5-flash

SecureBananaLabs/bug-bounty: Bug: Missing admin role authorization check on admin metrics endpoint

Visit project ↗Discussion ↗

💵 Funded work— see “Deliver it” below for how to respond.

Opportunity

AI-buildable

Traction

Creativity

The take

effort: ~weekend

This bounty involves adding a role-based authorization check to an existing admin metrics endpoint in a Node.js API. The current setup only validates the JWT, allowing any authenticated user to access admin-only data. The task is to ensure only users with the 'admin' role can access the `/api/admin/metrics` route.

Demand & gap

Painkillerdemand 79

Demand

Will. to pay

Gap

Buyer

Enterprise / orgs

The gap in what exists: Many existing APIs lack robust, fine-grained access control, leaving a gap for security-focused developers to fix and implement.
Wedge to win: Solve the specific, paid security issue for the SecureBananaLabs project, demonstrating immediate value and securing the bounty.
Reputation value (worth doing free for proof) — 70/100: Successfully completing a public bug bounty on a GitHub repo provides tangible proof of security development skills for future client work.
Likely monetization: bounty payment
Incumbents to beat: In-house security teamsFreelance security consultantsOther bug bounty participants

Deliver it

A starter prompt for Claude Code, what you'll need, and how to reach them.

You are an expert Node.js developer. The goal is to implement a role-based authorization check for an existing admin metrics endpoint in a `SecureBananaLabs/bug-bounty` repository. The target endpoint is `/api/admin/metrics` within `apps/api/src/routes/adminRoutes.js`. The current `authMiddleware` only verifies JWT validity, but any authenticated user (including 'client' or 'freelancer' roles) can access it. Implement a new middleware, `adminRoleMiddleware`, that verifies `req.user.role === 'admin'`. If the role is not 'admin', respond with a 403 Forbidden status and an appropriate error message. Integrate this `adminRoleMiddleware` specifically into the `/api/admin/metrics` route within `adminRoutes.js`. Assume `req.user.role` is reliably populated by the preceding `authMiddleware`. Provide the code changes for `adminRoutes.js` and any new middleware files, and include a simple test plan to verify the fix. Use Node.js, Express.js. Focus on minimal, effective changes.

Prerequisites — cost & what to learn

GitHub accountFree · Free✓ in your stack
Standard for any GitHub-based project.

How you'd build it

1Fork the SecureBananaLabs/bug-bounty repository.
2Locate `apps/api/src/routes/adminRoutes.js` and the `/api/admin/metrics` endpoint.
3Implement a new middleware function that checks `req.user.role === 'admin'` before the route handler executes.
4Integrate this new admin role middleware specifically for the `/api/admin/metrics` route.
5Add a test case to verify unauthorized users are blocked and authorized users can access the endpoint.
6Open a pull request to the forked repository's issue branch.

Risks & moats

Understanding the existing codebase and data structures (e.g., how `req.user.role` is populated) might take a small amount of time.
The bounty is limited to the issue creator, so directly solving this specific one is blocked unless a new, duplicate issue is created and accepted.
Potential for subtle errors if the existing authentication flow or user object structure is not fully understood.
The bounty amount might be low for the time invested if initial setup takes longer than expected.

Original context

Bounty (amount on the issue). ## Description The admin routes in `apps/api/src/routes/adminRoutes.js` currently only use `authMiddleware` which verifies that the JWT is valid, but they do not perform any role-based authorization check to ensure the user has the `admin` role. This allows any authenticated client or freelancer to access the admin metrics endpoint at `/api/admin/metrics`. ## Expected Behavior Access to `/api/admin/metrics` should be restricted to users with the `admin` role. An authorization check or middleware should be added to verify `req.user.role === 'admin'`. --- This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.