This is a bounty to fix two specific bugs in a Node.js API: allowing admin role self-assignment during registration and a missing argument in a refresh token function. The project involves modifying validation schema and a controller function in an existing codebase. It's a straightforward fix with a clear definition.
A starter prompt for Claude Code, what you'll need, and how to reach them.
You are a senior Node.js developer. Your task is to fix two specific security bugs in the `SecureBananaLabs/bug-bounty` repository.
**Goal:** Deliver a pull request that addresses the two bugs described in issue #1823: admin role self-assignment and improper refresh token handling.
**Stack:** The existing project uses Node.js. Implement the fixes within the current project's structure and conventions.
**Steps:**
1. **Clone the repository:** `SecureBananaLabs/bug-bounty`.
2. **Locate and modify `apps/api/src/validators/auth.js`:** In the `registerSchema`, restrict the `role` options to `['client', 'freelancer']`. Remove 'admin' as a selectable role during registration.
3. **Locate and modify `apps/api/src/controllers/authController.js`:** In the `refresh` controller, ensure that `refreshToken()` is called with the `token` extracted from `req.body`. The current implementation calls `refreshToken()` without arguments, which is incorrect.
4. **Implement Unit Tests:** Add new tests to cover these specific fixes.
* One test should attempt to register a user with `role: 'admin'` and assert that it fails.
* Another test should verify that the `refreshToken` endpoint correctly processes a refresh token passed in `req.body`.
5. **Verify:** All existing tests must pass, and your new tests must also pass, demonstrating the fixes are functional and haven't introduced regressions. Ensure the application still registers 'client' and 'freelancer' roles correctly.
6. **Output:** Provide the modified code files for `auth.js` and `authController.js`, along with the new unit test code and instructions on how to run the tests.

Developers and solo operators who are looking to secure their applications and automate their development workflow could benefit from a tool that helps identify and fix common security vulnerabilities like those in this bug bounty.
Bounty (amount on the issue).

### Bug Description

1. The `registerSchema` in `apps/api/src/validators/auth.js` allows any user to register with `role: "admin"` by simply including it in the request body.
2. `refreshToken()` in `authController.js` is called without arguments, so the refresh token from the request is never passed to the service, preventing proper user identification.

### Expected Behavior

1. The `registerSchema` role options must be restricted to `["client", "freelancer"]`, removing `"admin"`.
2. The `refresh` controller must extract `token` from `req.body` and pass it to `refreshToken()`.

### Disclaimer

This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.
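Both bugs, as an added example that is not code from the `SecureBananaLabs/bug-bounty` repository: a plain-JS allow-list stands in for `registerSchema` (the project's validation library is not named here, so that is an assumption), and a `refresh` controller reads `token` from `req.body` and passes it to the service. `refreshTokenService`, `refreshStore`, `refreshControllerBuggy` and `makeRes` are hypothetical helpers so the code runs offline.

```javascript
// Added example, not the bug-bounty repo's code. The validator is a plain allow-list
// (the project's validation library is not named); token service and res stub are stubs.

// Vulnerable registerSchema: 'admin' is selectable, so any caller can self-assign it.
const VULNERABLE_ROLES = ['client', 'freelancer', 'admin'];
// Fixed registerSchema: registration can only produce the two end-user roles.
const REGISTER_ROLES = ['client', 'freelancer'];

function validateRegistration(body, allowedRoles = REGISTER_ROLES) {
  const errors = [];
  if (typeof body.email !== 'string' || !body.email.includes('@')) errors.push('email');
  if (typeof body.password !== 'string' || body.password.length < 8) errors.push('password');
  if (!allowedRoles.includes(body.role)) errors.push('role');
  return { ok: errors.length === 0, errors };
}

// Hypothetical token service: maps a known refresh token to a user id.
// Constructed sample store; a real service would verify a signed, stored token.
const refreshStore = new Map([['rt-sample-123', { userId: 42 }]]);
function refreshTokenService(token) {
  if (typeof token !== 'string') throw new TypeError('refresh token required');
  const session = refreshStore.get(token);
  if (!session) throw new Error('invalid refresh token');
  return { userId: session.userId, accessToken: `access-for-user-${session.userId}` };
}

// Buggy controller shape from the issue: the service is called with no argument,
// so it can never identify the user. Kept only for comparison.
function refreshControllerBuggy(req, res) {
  try { return res.status(200).json(refreshTokenService()); }
  catch (err) { return res.status(401).json({ error: err.message }); }
}

// Fixed controller: read `token` from req.body and pass it through.
function refreshController(req, res) {
  try {
    const { token } = req.body ?? {};
    return res.status(200).json(refreshTokenService(token));
  } catch (err) {
    return res.status(401).json({ error: err.message });
  }
}

// Minimal Express-like response stub so the controllers run offline.
function makeRes() {
  const res = { statusCode: 0, body: null };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}
```

The same two cases map directly onto the unit tests the bounty asks for: registration with `role: 'admin'` must be rejected, and the refresh endpoint must succeed only when the body carries a valid token.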
Standard for any GitHub project
Standard for JS development
Standard version control
Create a new issue on the SecureBananaLabs/bug-bounty repository with the same contents as #1823, referring to issue #743 for context, and mention your intent to work on it.
“I've reviewed issue #1823 and understand the admin role self-assignment and refresh token bugs. I've successfully implemented similar security fixes and can deliver a pull request with a tested solution this week.”