Summary
The `GET /api/v1/reauth` endpoint sets the OSC Service Access Token (SAT) as a secure `httpOnly` cookie — which is correct. However, it also returns the raw token value in the JSON response body:
```typescript
// src/api_re_auth.ts ~line 58-59
reply
.setCookie('sat', json.token, { httpOnly: true, secure: true, sameSite: 'strict' })
.send({ token: json.token }); // ← raw token leaked in body
```
Impact
Any unauthenticated caller who can reach this endpoint (no auth guard exists on it; CORS_ORIGIN is the only boundary) can retrieve a valid SAT by parsing the JSON body. They can then use it to make authenticated requests to the OSC API directly — bypassing the cookie-only intent entirely.
Recommendation
Remove the raw token from the response body. Return only a success indicator:
```typescript
reply
.setCookie('sat', json.token, { httpOnly: true, secure: true, sameSite: 'strict' })
.send({ ok: true });
```
The frontend should rely on the cookie being sent automatically rather than extracting the token from the body.
Note
This is distinct from issue #226, which is about validating the format of the OSC_ACCESS_TOKEN env var. This issue concerns the response leaking the token to the caller.
Severity
Medium — requires network access to the endpoint and a permissive CORS configuration, but directly exposes a live bearer token.
Found by automated security audit 2026-07-06.
Summary
The `GET /api/v1/reauth` endpoint sets the OSC Service Access Token (SAT) as a secure `httpOnly` cookie — which is correct. However, it also returns the raw token value in the JSON response body:
```typescript
// src/api_re_auth.ts ~line 58-59
reply
.setCookie('sat', json.token, { httpOnly: true, secure: true, sameSite: 'strict' })
.send({ token: json.token }); // ← raw token leaked in body
```
Impact
Any unauthenticated caller who can reach this endpoint (no auth guard exists on it; CORS_ORIGIN is the only boundary) can retrieve a valid SAT by parsing the JSON body. They can then use it to make authenticated requests to the OSC API directly — bypassing the cookie-only intent entirely.
Recommendation
Remove the raw token from the response body. Return only a success indicator:
```typescript
reply
.setCookie('sat', json.token, { httpOnly: true, secure: true, sameSite: 'strict' })
.send({ ok: true });
```
The frontend should rely on the cookie being sent automatically rather than extracting the token from the body.
Note
This is distinct from issue #226, which is about validating the format of the OSC_ACCESS_TOKEN env var. This issue concerns the response leaking the token to the caller.
Severity
Medium — requires network access to the endpoint and a permissive CORS configuration, but directly exposes a live bearer token.
Found by automated security audit 2026-07-06.