* fix(api): harden API surface before Swagger — 9 findings from issue #336
ADV-001: POST /api/sync/table-subscriptions now checks can_access() per
table entry, matching the gate already on POST /api/sync/settings.
ADV-002: GET /webhooks/jira/health gated behind require_admin; jira_domain
removed from response to prevent anonymous info disclosure.
ADV-003: GET /api/version no longer exposes commit_sha or schema_version.
ADV-005: /docs, /redoc, /openapi.json now require a valid session via custom
FastAPI routes (docs_url=None, redoc_url=None, openapi_url=None).
ADV-006: /cli/ and /webhooks/ added to _API_PATH_PREFIXES so future
auth-gated routes there return JSON 401 not an HTML redirect.
ADV-007: GET /api/catalog/tables wired to CatalogTablesResponse model.
ADV-008: TableSubscriptionUpdate.tables capped at max_length=500.
ADV-009: GET /api/users and GET /auth/admin/tokens accept limit/offset
(default 1000, max 10000); repositories updated accordingly.
Tests: 11 new regression tests in TestApiHardening336; test_jira_webhooks
fixture updated with seeded admin user; OpenAPI snapshot regenerated.
* fix(test): update test_journey_jira health check to use admin auth after ADV-002 gate
* fix(security): close /auth/bootstrap auth-bypass + BREAKING markers on ADV-002/003/005
Reviewer-flagged regression introduced by ADV-009's pagination on
UserRepository.list_all(): the silent default LIMIT 1000 broke the
bootstrap check at app/auth/router.py and the startup no-password
warning at app/main.py — both call list_all() with no args and depend
on exhaustive enumeration.
On an instance with >1000 users where no password-holder lands in
the email-sorted first page, [u for u in list_all() if
u.get('password_hash')] becomes empty → bootstrap re-opens → an
unauthenticated caller can claim admin via /auth/bootstrap. Real
auth-bypass on a security-sensitive boot path.
Fix:
- src/repositories/users.py: list_all() restored to no-arg, returns
EVERY row (no LIMIT). Comment explicitly warns against re-adding
pagination here. API-surface pagination moved to a new
list_paginated(limit, offset) method with its own docstring.
- app/api/users.py: GET /api/users now calls list_paginated().
Existing query-param validation (limit <= 10000) preserved.
Regression guards in tests/test_security.py::TestApiHardening336:
- test_users_list_all_returns_every_row_no_silent_limit asserts
list_all() takes no params other than self (via inspect.signature)
so a future cleanup can't accidentally re-add limit/offset.
- test_users_list_paginated_is_separate_method asserts the
paginated variant is a distinct method, not an overload.
CHANGELOG: added **BREAKING** markers per CLAUDE.md release
discipline to three pre-existing ADV bullets that are observable
breaking changes for external consumers:
- ADV-002 (webhook health going from anonymous to admin-only)
- ADV-003 (/api/version dropping commit_sha + schema_version)
- ADV-005 (/docs, /redoc, /openapi.json going from anonymous to
session-required)
* release: 0.54.25 — API hardening before Swagger (ADV-001..009) + bootstrap-bypass regression fix
---------
Co-authored-by: ZdenekSrotyr <zdenek.srotyr@keboola.com>
c5948f26fc