Require authentication for SimpleFIN and Pluggy.ai endpoints (#7034)

* Add authentication middleware to SimpleFIN and Pluggy.ai endpoints

Protect /simplefin/* and /pluggyai/* routes with validateSessionMiddleware
so only authenticated users can access bank account and transaction data.

Co-authored-by: Cursor <cursoragent@cursor.com>

* Release notes

---------

Co-authored-by: Cursor <cursoragent@cursor.com>

packages/sync-server/src/app-pluggyai/app-pluggyai.js

@@ -2,14 +2,18 @@ import express from 'express';
 
 import { handleError } from '../app-gocardless/util/handle-error';
 import { SecretName, secretsService } from '../services/secrets-service';
-import { requestLoggerMiddleware } from '../util/middlewares';
+import {
+  requestLoggerMiddleware,
+  validateSessionMiddleware,
+} from '../util/middlewares';
 
 import { pluggyaiService } from './pluggyai-service';
 
 const app = express();
 export { app as handlers };
-app.use(express.json());
 app.use(requestLoggerMiddleware);
+app.use(express.json());
+app.use(validateSessionMiddleware);
 
 app.post(
   '/status',

packages/sync-server/src/app-simplefin/app-simplefin.js

@@ -4,12 +4,16 @@ import express from 'express';
 
 import { handleError } from '../app-gocardless/util/handle-error';
 import { SecretName, secretsService } from '../services/secrets-service';
-import { requestLoggerMiddleware } from '../util/middlewares';
+import {
+  requestLoggerMiddleware,
+  validateSessionMiddleware,
+} from '../util/middlewares';
 
 const app = express();
 export { app as handlers };
-app.use(express.json());
 app.use(requestLoggerMiddleware);
+app.use(express.json());
+app.use(validateSessionMiddleware);
 
 app.post(
   '/status',

upcoming-release-notes/7034.md

@@ -0,0 +1,6 @@
+---
+category: Bugfixes
+authors: [MatissJanis]
+---
+
+Fix: simplefin and pluggy not requiring auth