API Security

Description

The GET /api/v2/customers/{customerId}/data endpoint does not validate the relationship between the authenticated user's organisation and the requested customer ID. An authenticated user from Organisation A can request data for customers belonging to Organisation B by supplying their customer IDs.

Recommendation

Implement server-side ownership validation on every object-level API request. Use scoped, non-predictable resource identifiers. Add centralised authorisation middleware rather than inline checks.

Description

The PUT /api/v2/users/profile endpoint accepts and processes the 'role' parameter which should be server-controlled. Supplying role: 'admin' in the request body successfully escalates the authenticated user to administrator privileges.

Recommendation

Implement an allowlist of accepted request body parameters. Exclude all security-sensitive fields (role, permissions, plan) from client-editable API parameters. Apply schema validation on all API inputs.

Description

GraphQL introspection is enabled on the production endpoint, exposing the complete API schema including internal mutations, type definitions, and deprecated fields. This significantly reduces the reconnaissance barrier for targeted attacks.

Recommendation

Disable GraphQL introspection in production environments. Implement query depth limiting, complexity analysis, and field-level authorisation. Consider persisted queries for public-facing GraphQL APIs.

Description

The /api/v2/users/search endpoint returns complete user objects including hashed passwords, internal user IDs, account creation timestamps, and administrative notes — far exceeding the data required by the calling client.

Recommendation

Apply response filtering at the API layer to return only fields required by the requesting client. Implement API response schemas and validate all outgoing payloads against them.