[PR #7862] [MERGED] [AI] Restrict secrets API access to admins in OpenID mode #105144

Closed
opened 2026-05-30 07:26:58 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/actualbudget/actual/pull/7862
Author: @MatissJanis
Created: 5/16/2026
Status: Merged
Merged: 5/16/2026
Merged by: @MatissJanis

Base: masterHead: claude/fix-secret-endpoint-auth-3TTTC


📝 Commits (6)

  • 6f774d0 [AI] Require admin for GET /secret/:name in OpenID mode
  • 118cfe0 [AI] Simplify secrets auth guard after review
  • 08f9007 [AI] Move response building back into the secrets handlers
  • 065ddeb [AI] Undo testSecretName -> validSecretName rename
  • dd319af [AI] Add release note for #7862
  • 5beb6cf [AI] Validate POST secret name and tighten GET auth ordering

📊 Changes

3 files changed (+134 additions, -31 deletions)

View changed files

📝 packages/sync-server/src/app-secrets.js (+37 -27)
📝 packages/sync-server/src/secrets.test.js (+91 -4)
upcoming-release-notes/7862.md (+6 -0)

📄 Description

Description

Restrict secret enumeration when using non-admin users.

A super low priority security issue, but.. simple enough to fix

https://github.com/actualbudget/actual/security/advisories/GHSA-3f62-qv96-4p78

Testing

n/a - unit tests cover this

Checklist

  • Release notes added (see link above)
  • No obvious regressions in affected areas
  • Self-review has been performed - I understand what each change in the code does and why it is needed

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/actualbudget/actual/pull/7862 **Author:** [@MatissJanis](https://github.com/MatissJanis) **Created:** 5/16/2026 **Status:** ✅ Merged **Merged:** 5/16/2026 **Merged by:** [@MatissJanis](https://github.com/MatissJanis) **Base:** `master` ← **Head:** `claude/fix-secret-endpoint-auth-3TTTC` --- ### 📝 Commits (6) - [`6f774d0`](https://github.com/actualbudget/actual/commit/6f774d0e11d1c413bbd30ab7ce8931c9d7acc66f) [AI] Require admin for GET /secret/:name in OpenID mode - [`118cfe0`](https://github.com/actualbudget/actual/commit/118cfe03b672aca68259a4349ca6aeaabc43c1e5) [AI] Simplify secrets auth guard after review - [`08f9007`](https://github.com/actualbudget/actual/commit/08f9007edb8a616bf88ab7c61c02807a80d62ba9) [AI] Move response building back into the secrets handlers - [`065ddeb`](https://github.com/actualbudget/actual/commit/065ddeb1d4562b72068a86c64f28f72b36a7bc8b) [AI] Undo testSecretName -> validSecretName rename - [`dd319af`](https://github.com/actualbudget/actual/commit/dd319afe15cd11f941495b9925ec655767ee61a1) [AI] Add release note for #7862 - [`5beb6cf`](https://github.com/actualbudget/actual/commit/5beb6cf4294e157e1fd9de1a9e12ec10990e9805) [AI] Validate POST secret name and tighten GET auth ordering ### 📊 Changes **3 files changed** (+134 additions, -31 deletions) <details> <summary>View changed files</summary> 📝 `packages/sync-server/src/app-secrets.js` (+37 -27) 📝 `packages/sync-server/src/secrets.test.js` (+91 -4) ➕ `upcoming-release-notes/7862.md` (+6 -0) </details> ### 📄 Description <!-- Thank you for submitting a pull request! Make sure to follow the instructions to write release notes for your PR — it should only take a minute or two: https://actualbudget.org/docs/contributing/#writing-good-release-notes. Try running yarn generate:release-notes *before* pushing your PR for an interactive experience. --> ## Description Restrict secret enumeration when using non-admin users. A super low priority security issue, but.. simple enough to fix ## Related issue(s) <!-- e.g. Fixes #123, Relates to #456 --> https://github.com/actualbudget/actual/security/advisories/GHSA-3f62-qv96-4p78 ## Testing <!-- What did you test? How can we reproduce the issue you are fixing or how can we test the feature you built? --> n/a - unit tests cover this ## Checklist - [x] Release notes added (see link above) - [x] No obvious regressions in affected areas - [x] Self-review has been performed - I understand what each change in the code does and why it is needed <!--- actual-bot-sections ---> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-30 07:26:58 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/actual#105144