mirror of
https://github.com/fleetdm/fleet
synced 2026-05-24 09:28:54 +00:00
**Related issue:** Resolves #42887.

From Claude's audit:

```
[...]
Concerns worth addressing

A. Catalog drift is the real long-term risk. Today the yaml is curated. If a future engineer adds (say) POST /users/api_only, PATCH /users/api_only/:id, POST /users/roles/spec, POST /password_reset, or any session-issuing route, an allowlisted api_only user can clone themselves or broaden a peer's allowlist. Suggest a CI test that hard-fails if any of those route prefixes show up in api_endpoints.yml, plus a comment at the top of the yaml listing the categories that must never be added (user/role/invite/password/session/SSO).
[...]
```

## Summary by CodeRabbit

* **Tests**
  * Added validation tests for API endpoint configuration to ensure security compliance and proper detection of restricted endpoint combinations.

| Name |
|---|
| api_endpoints.go |
| api_endpoints.yml |
| api_endpoints_test.go |
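The catalog-drift guard the audit proposes, written here as an added example and not as Fleet's own `api_endpoints_test.go`: it scans a catalog for routes in the user/role/invite/password/session/SSO families and returns them as violations, so a CI test can fail hard the moment one is added. The YAML shape (a flat list of `method`/`path` items), the mapping of each family to concrete path segments, and the treatment of `login` as a session-issuing route are assumptions of this example; the sample catalog is constructed and is not the real `api_endpoints.yml`.

```go
package main

import (
	"fmt"
	"strings"
)

// Endpoint is one catalog row: HTTP method plus route path.
type Endpoint struct {
	Method string
	Path   string
}

type Violation struct {
	Endpoint Endpoint
	Category string
}

// forbiddenSegments maps a path segment to the route family it belongs to.
// The families come from the audit quoted in the PR; which segments stand for
// each family is this example's assumption ("login" is taken as session-issuing).
var forbiddenSegments = map[string]string{
	"users":          "user",
	"roles":          "role",
	"invites":        "invite",
	"password_reset": "password",
	"sessions":       "session",
	"login":          "session",
	"sso":            "SSO",
}

// CheckCatalog returns every entry whose path contains a forbidden segment.
// Whole-segment matching catches /users/api_only and /users/roles/spec via
// "users" without tripping on an unrelated route such as /hosts/usersearch.
func CheckCatalog(entries []Endpoint) []Violation {
	var out []Violation
	for _, e := range entries {
		for _, seg := range strings.Split(e.Path, "/") {
			if cat, bad := forbiddenSegments[seg]; bad {
				out = append(out, Violation{Endpoint: e, Category: cat})
				break
			}
		}
	}
	return out
}

// ParseCatalog reads a flat YAML list of "- method: X" / "path: Y" items. The
// shape is assumed for this example (not Fleet's schema); anything else errors.
func ParseCatalog(text string) ([]Endpoint, error) {
	var entries []Endpoint
	for n, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasPrefix(line, "- ") {
			entries = append(entries, Endpoint{})
			line = strings.TrimPrefix(line, "- ")
		}
		key, val, ok := strings.Cut(line, ":")
		if !ok || len(entries) == 0 {
			return nil, fmt.Errorf("line %d: expected a list item with key: value", n+1)
		}
		cur := &entries[len(entries)-1]
		switch strings.TrimSpace(key) {
		case "method":
			cur.Method = strings.ToUpper(strings.TrimSpace(val))
		case "path":
			cur.Path = strings.TrimSpace(val)
		default:
			return nil, fmt.Errorf("line %d: unknown key %q", n+1, key)
		}
	}
	return entries, nil
}

// sampleCatalog is a constructed catalog for this example, not Fleet's
// api_endpoints.yml. Three of its four routes must fail the guard.
const sampleCatalog = `# Never add user/role/invite/password/session/SSO routes here.
- method: GET
  path: /api/v1/fleet/hosts
- method: POST
  path: /api/v1/fleet/users/api_only
- method: PATCH
  path: /api/v1/fleet/users/api_only/:id
- method: POST
  path: /api/v1/fleet/login
`

func main() {
	entries, err := ParseCatalog(sampleCatalog)
	if err != nil {
		panic(err)
	}
	for _, v := range CheckCatalog(entries) {
		fmt.Printf("forbidden %s route: %s %s\n", v.Category, v.Endpoint.Method, v.Endpoint.Path)
	}
}
```

A real guard would read the repository's `api_endpoints.yml` with its actual schema and fail the test on a non-empty `CheckCatalog` result or on any parse error, so that a file the parser cannot read is never mistaken for a clean one. Matching on whole path segments, rather than on substrings, is what lets the same rule reject `PATCH /users/api_only/:id` and `POST /users/roles/spec` without producing false positives on routes that merely contain a forbidden word.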