
fix: require auth for subscriber APIs to prevent unauthenticated access #211

Open

carlhus wants to merge 2 commits into free5gc:main from carlhus:fix/unauthenticated-api


Conversation

@carlhus commented Jul 1, 2026


fix(webconsole): require auth for subscriber APIs to prevent unauthenticated access (#1069)

  • This PR fixes issue #1069 in WebConsole subscriber management.
    It prevents unauthenticated users from reading, modifying, or deleting subscriber records via subscriber APIs.

  • Root cause: the /api route group did not have a global authentication middleware, and several subscriber handlers relied on per-handler checks that were missing or incomplete.

  • Changes: Add JWT authentication middleware to the /api route group.
    Allow unauthenticated POST /api/login and OPTIONS preflight requests.
    Store parsed JWT claims, tenant ID, and admin status in Gin context.
    Enforce tenant ownership before subscriber GET/PUT/PATCH/DELETE operations.
    Stop using nil JWT claims when updating or deleting subscriber records.

  • This is reported in GitHub Issue #1069.
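The route-group fix described in the PR, written out as an added example; this is not code from the PR or from the free5gc webconsole. It uses Go's standard net/http instead of Gin and verifies HS256 by hand with crypto/hmac instead of a JWT library, so the shapes carry over but the calls do not. The claim names (tenantId, admin), the HMAC key, the /api/subscriber/<ueId> path form and the in-memory subscriber table are all assumptions constructed for the example.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Claims is the JWT payload this example expects; the claim names are assumptions.
type Claims struct {
	TenantID string `json:"tenantId"`
	Admin    bool   `json:"admin"`
}
type claimsKey struct{} // context key under which the middleware stores *Claims

var secret = []byte("example-only-hmac-key") // constructed key; a deployment loads its own
var subscriberTenant = map[string]string{"imsi-208930000000001": "tenant-a", "imsi-208930000000002": "tenant-b"} // constructed stand-in for the database (ueId -> owning tenant)

// signJWT mints a compact HS256 token, as a login handler would.
func signJWT(c Claims, key []byte) string {
	body, _ := json.Marshal(c)
	msg := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(msg))
	return msg + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// parseBearer verifies "Bearer <jwt>": only a correct HMAC-SHA256 with our key passes; the alg header is never consulted, so alg:none tokens fail too.
func parseBearer(auth string, key []byte) (*Claims, error) {
	parts := strings.Split(strings.TrimPrefix(auth, "Bearer "), ".")
	if !strings.HasPrefix(auth, "Bearer ") || len(parts) != 3 {
		return nil, errors.New("malformed bearer token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	c := &Claims{}
	if json.NewDecoder(base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(parts[1]))).Decode(c) != nil {
		return nil, errors.New("bad payload")
	}
	return c, nil
}

// requireAuth wraps the whole /api group: only OPTIONS preflight and POST /api/login pass without a valid Bearer JWT; the verified claims go into the request context.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		claims, err := parseBearer(r.Header.Get("Authorization"), secret)
		switch {
		case r.Method == http.MethodOptions: // CORS preflight carries no credentials
			w.WriteHeader(http.StatusNoContent)
		case r.Method == http.MethodPost && r.URL.Path == "/api/login":
			next.ServeHTTP(w, r)
		case err != nil:
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		default:
			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), claimsKey{}, claims)))
		}
	})
}

// subscriberHandler stands in for GET/PUT/PATCH/DELETE /api/subscriber/<ueId>: ownership is checked
// before anything touches the record, and a foreign tenant's record is reported like a missing one.
func subscriberHandler(w http.ResponseWriter, r *http.Request) {
	c, ok := r.Context().Value(claimsKey{}).(*Claims)
	owner, found := subscriberTenant[strings.TrimPrefix(r.URL.Path, "/api/subscriber/")]
	switch {
	case !ok: // defence in depth: refuse rather than operate on nil claims
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	case !found || !(c.Admin || c.TenantID == owner):
		http.Error(w, "not found", http.StatusNotFound)
	default:
		w.WriteHeader(http.StatusOK) // the real handler would read/update/delete here
	}
}

// newAPI wires the /api group with the middleware around every route rather than per handler.
func newAPI() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/login", func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	mux.HandleFunc("/api/subscriber/", subscriberHandler)
	return requireAuth(mux)
}

// request drives the handler in-process; authz is the full Authorization header value or "".
func request(h http.Handler, method, path, authz string) int {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

Three choices in the example are worth checking against whatever the PR actually does. The unauthenticated allowlist matches on method and path together, so GET /api/login is still gated and a future handler registered under /api cannot be reached without a token just because nobody remembered to add a check. The handler re-checks that claims are present even though the middleware guarantees it, which is what makes the nil-claims bug class impossible to reintroduce by wiring a route outside the group. Finally, a record owned by another tenant is answered with 404 rather than 403; the PR text does not say which status it returns, but 403 would let any authenticated tenant confirm which IMSIs exist elsewhere, so 404 is the safer default. For example, `request(newAPI(), "DELETE", "/api/subscriber/imsi-208930000000002", "Bearer "+signJWT(Claims{TenantID: "tenant-a"}, secret))` returns 404, while the same call with an admin token returns 200.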

2 participants