Skip to content

Security: /reauth endpoint returns raw OSC service access token in JSON response body #264

Description

@LucasMaupin

Summary

The `GET /api/v1/reauth` endpoint sets the OSC Service Access Token (SAT) as a secure `httpOnly` cookie — which is correct. However, it also returns the raw token value in the JSON response body:

```typescript
// src/api_re_auth.ts ~line 58-59
reply
.setCookie('sat', json.token, { httpOnly: true, secure: true, sameSite: 'strict' })
.send({ token: json.token }); // ← raw token leaked in body
```

Impact

Any unauthenticated caller who can reach this endpoint (no auth guard exists on it; CORS_ORIGIN is the only boundary) can retrieve a valid SAT by parsing the JSON body. They can then use it to make authenticated requests to the OSC API directly — bypassing the cookie-only intent entirely.

Recommendation

Remove the raw token from the response body. Return only a success indicator:

```typescript
reply
.setCookie('sat', json.token, { httpOnly: true, secure: true, sameSite: 'strict' })
.send({ ok: true });
```

The frontend should rely on the cookie being sent automatically rather than extracting the token from the body.

Note

This is distinct from issue #226, which is about validating the format of the OSC_ACCESS_TOKEN env var. This issue concerns the response leaking the token to the caller.

Severity

Medium — requires network access to the endpoint and a permissive CORS configuration, but directly exposes a live bearer token.


Found by automated security audit 2026-07-06.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions