From 0de44af1de2ffdcba59f8fded0b8d136ec768e50 Mon Sep 17 00:00:00 2001
From: Matiss Janis Aboltins
Date: Thu, 19 Feb 2026 22:46:10 +0000
Subject: [PATCH] Require authentication for SimpleFIN and Pluggy.ai endpoints (#7034)
* Add authentication middleware to SimpleFIN and Pluggy.ai endpoints Protect /simplefin/* and /pluggyai/* routes with validateSessionMiddleware so only authenticated users can access bank account and transaction data.
Co-authored-by: Cursor
* Release notes
---------
Co-authored-by: Cursor
---
 packages/sync-server/src/app-pluggyai/app-pluggyai.js | 8 ++++++--
 packages/sync-server/src/app-simplefin/app-simplefin.js | 8 ++++++--
 upcoming-release-notes/7034.md | 6 ++++++
 3 files changed, 18 insertions(+), 4 deletions(-)
 create mode 100644 upcoming-release-notes/7034.md
diff --git a/packages/sync-server/src/app-pluggyai/app-pluggyai.js b/packages/sync-server/src/app-pluggyai/app-pluggyai.js
index aa8631428d..82c4ff7768 100644
--- a/packages/sync-server/src/app-pluggyai/app-pluggyai.js
+++ b/packages/sync-server/src/app-pluggyai/app-pluggyai.js
@@ -2,14 +2,18 @@ import express from 'express';
 import { handleError } from '../app-gocardless/util/handle-error';
 import { SecretName, secretsService } from '../services/secrets-service';
-import { requestLoggerMiddleware } from '../util/middlewares';
+import {
+ requestLoggerMiddleware,
+ validateSessionMiddleware,
+} from '../util/middlewares';
 import { pluggyaiService } from './pluggyai-service';
 const app = express();
 export { app as handlers };
-app.use(express.json());
 app.use(requestLoggerMiddleware);
+app.use(express.json());
+app.use(validateSessionMiddleware);
 app.post(
 '/status',
diff --git a/packages/sync-server/src/app-simplefin/app-simplefin.js b/packages/sync-server/src/app-simplefin/app-simplefin.js
index 0299e19fb8..a35e54f82a 100644
--- a/packages/sync-server/src/app-simplefin/app-simplefin.js
+++ b/packages/sync-server/src/app-simplefin/app-simplefin.js
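Review bot: Nothing in this patch pins the new behaviour with a test, so a later reordering or removal of `app.use(validateSessionMiddleware)` in app-pluggyai.js would silently reopen the endpoints; the hunk in app-simplefin.js makes the identical change and has the same gap. A request-level test per app that posts to `/status` without a session token and expects a rejection would cover it. The order of the three `app.use` calls is also load-bearing and undocumented: the session check is registered after `express.json()`, presumably because it can read the token from the parsed body, and it has to stay above every route. A comment such as `// Keep before all routes; runs after express.json() so the session check can see the parsed body` would record that. The route definitions continue outside both hunks, so it cannot be confirmed from here that none are registered ahead of the middleware.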
@@ -4,12 +4,16 @@ import express from 'express';
 import { handleError } from '../app-gocardless/util/handle-error';
 import { SecretName, secretsService } from '../services/secrets-service';
-import { requestLoggerMiddleware } from '../util/middlewares';
+import {
+ requestLoggerMiddleware,
+ validateSessionMiddleware,
+} from '../util/middlewares';
 const app = express();
 export { app as handlers };
-app.use(express.json());
 app.use(requestLoggerMiddleware);
+app.use(express.json());
+app.use(validateSessionMiddleware);
 app.post(
 '/status',
diff --git a/upcoming-release-notes/7034.md b/upcoming-release-notes/7034.md
new file mode 100644
index 0000000000..51289c320c
--- /dev/null
+++ b/upcoming-release-notes/7034.md
@@ -0,0 +1,6 @@
+---
+category: Bugfixes
+authors: [MatissJanis]
+---
+
+Fix: simplefin and pluggy not requiring auth