This is a bounty to fix a missing role-based access control (RBAC) check on admin API routes in a Node.js application. Currently, any authenticated user can access admin endpoints, leading to a privilege escalation vulnerability. The fix involves adding an `adminMiddleware` to verify the user's role.
A starter prompt for Claude Code, what you'll need, and how to reach them.
You are an expert full-stack Node.js developer. I need you to implement a fix for a bug bounty issue in the `SecureBananaLabs/bug-bounty` repository. The issue is that the `/api/admin` routes lack role-based access control, allowing any authenticated user to access them. Your task is to implement an `adminMiddleware` that checks if `req.user.role === "admin"` and applies it to the admin routes. Use standard Node.js/Express.js practices.
Here's the plan:
1. **Fork the repository**: Ensure you have a local clone of `SecureBananaLabs/bug-bounty`.
2. **Locate `adminRoutes.js`**: The file is `apps/api/src/routes/adminRoutes.js`.
3. **Create `adminMiddleware`**: Create a new middleware function, potentially in a new file like `apps/api/src/middlewares/adminMiddleware.js`. This middleware should:
* Check `req.user` for a `role` property.
* If `req.user.role !== 'admin'`, send a 403 Forbidden response.
* Otherwise, call `next()`.
4. **Integrate middleware**: In `adminRoutes.js`, import `adminMiddleware` and insert it into the route handler chain for `/api/admin` routes, ensuring it runs *after* `authMiddleware`.
```javascript
// Example of integration
const authMiddleware = require('../../middlewares/authMiddleware'); // Assuming path
const adminMiddleware = require('../../middlewares/adminMiddleware'); // New middleware
adminRoutes.use(authMiddleware);
adminRoutes.use(adminMiddleware); // Apply after authMiddleware
adminRoutes.get('/metrics', metrics);
```
5. **Develop unit tests**: Create a test file (e.g., `apps/api/src/routes/adminRoutes.test.js` or similar if tests exist) that specifically tests this new middleware.
* Test cases should include: an admin user accessing an admin route (should pass) and a non-admin authenticated user accessing an admin route (should return 403).
* Use `jest` or `mocha` if already configured in the project; otherwise, suggest a simple testing approach using `supertest` for API endpoints.
6. **Verify**: Confirm the new middleware correctly blocks non-admin users from admin routes while allowing admin users. Provide the new middleware code, the modified `adminRoutes.js`, and the test code. Explain how to run the tests and verify the fix.

Bounty (amount on the issue).

## Bug: Missing Admin Role Check on Admin Routes

**Description:** The `/api/admin` routes only apply `authMiddleware`, which verifies the JWT is valid but does **not** check if the user has an admin role. Any authenticated user (client, freelancer) can access admin-only endpoints like `/api/admin/metrics`.

**File:** `apps/api/src/routes/adminRoutes.js`

**Current code:**

```js
adminRoutes.use(authMiddleware);
adminRoutes.get("/metrics", metrics);
```

**Expected behavior:** A separate `adminMiddleware` should verify that `req.user.role === "admin"` and return 403 for non-admin users.

**Impact:** High — privilege escalation vulnerability allowing unauthorized access to admin data.

This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.
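The `adminMiddleware` that both the plan above and the issue describe, as an added example that is not code from the `SecureBananaLabs/bug-bounty` repository: an Express-style `(req, res, next)` function that checks `req.user.role`, driven here with constructed request and response objects (the `makeRes` and `runAdminCheck` helpers are assumptions for this example) so it runs under plain Node without Express. It also covers the case the issue leaves implicit: a request that reaches the middleware without `req.user` because `authMiddleware` did not run first.

```javascript
// Added example (not the repository's code): an Express-style adminMiddleware
// that assumes authMiddleware has already populated req.user from the JWT.
// It runs without Express: the middleware is a plain (req, res, next) function,
// exercised below with constructed request and response objects.

function adminMiddleware(req, res, next) {
  // Defensive: if authMiddleware did not run (or the middlewares are
  // misordered), req.user is absent. Fail closed with 401 rather than
  // letting the request fall through to the handler.
  if (!req.user) {
    return res.status(401).json({ error: 'Authentication required' });
  }
  // Strict string comparison: the role must be exactly "admin".
  if (req.user.role !== 'admin') {
    return res.status(403).json({ error: 'Forbidden: admin role required' });
  }
  return next();
}

// Minimal stand-in for an Express response (constructed for this example)
// that records the status code and JSON body it is handed.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Drives the middleware with a constructed req.user (undefined simulates a
// request that bypassed authMiddleware) and returns { status, nextCalled }.
// status stays 200 only when next() was invoked.
function runAdminCheck(user) {
  const req = user === undefined ? {} : { user };
  const res = makeRes();
  let nextCalled = false;
  adminMiddleware(req, res, () => { nextCalled = true; });
  return { status: res.statusCode, nextCalled };
}

// Walk through the cases the issue calls out: admin passes, client and
// freelancer get 403, and a request with no authenticated user gets 401.
for (const user of [{ role: 'admin' }, { role: 'client' }, { role: 'freelancer' }, undefined]) {
  console.log(JSON.stringify(user), '->', runAdminCheck(user));
}
```

The same four cases map directly onto the `supertest` tests the plan asks for, with `runAdminCheck` replaced by a request carrying a JWT for each role.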
* Standard for any GitHub-based development
* Standard for JavaScript/TypeScript development
* Standard web framework knowledge
Comment on the GitHub issue #1770 to signal intent and then open a draft pull request linking back to the issue.
“I've implemented a robust fix for the missing admin role check as described in issue #1770, including unit tests to ensure proper functionality and prevent regression. Here's a link to my draft PR, ready for your review.”