# Security Issues — WhatsHooked --- ## CRITICAL ### 1. Broken Row-Level Security — All JWT Users Get Admin Access **File:** `pkg/api/security.go:236-241` `GetRowSecurity()` checks `if userID == 0` → returns empty filter (admin access). But `Authenticate()` always sets `UserID: 0` for JWT auth (line 146). Every JWT-authenticated regular user has unrestricted access to all rows. RBAC is non-functional for JWT sessions. --- ### 2. IDOR — No Ownership Checks in `/api/v1/query` **File:** `pkg/api/server.go:506-548` `handleQueryGet`, `handleQueryUpdate`, and `handleQueryDelete` operate on records using only the user-supplied `id` with no `user_id` ownership check. Any authenticated user can read, update, or delete any other user's hooks, accounts, API keys, or sessions. ```go db.NewUpdate().Model(model).Where("id = ?", req.ID).Exec(...) db.NewDelete().Model(model).Where("id = ?", req.ID).Exec(...) ``` --- ### 3. user_id Spoofing in Create **File:** `pkg/api/server.go:440` ```go if _, exists := req.Data["user_id"]; !exists { req.Data["user_id"] = userID } ``` Auto-inject only runs when `user_id` is absent. A user can supply any `user_id` in the request body and create resources owned by another user. --- ### 4. Hardcoded Default JWT Secret **File:** `pkg/config/config.go:161` ```go cfg.Server.JWTSecret = "change-me-in-production" ``` If `jwt_secret` is omitted from config, this well-known default is used. Attackers can forge valid JWT tokens for any user ID and role including `admin`. --- ### 5. Unauthenticated Media File Serving **File:** `pkg/api/server.go:200` ```go router.PathPrefix("/api/media/").HandlerFunc(h.ServeMedia) ``` `ServeMedia` is not wrapped with `h.Auth()`. All WhatsApp media (images, documents, audio, video) is publicly accessible without credentials. --- ## HIGH ### 6. No Token Invalidation on Logout **File:** `pkg/api/security.go:129-133` `Logout()` is a no-op. Tokens remain valid for 24 hours after logout. The `sessions` table exists but is never used to validate or invalidate tokens. --- ### 7. Unauthenticated QR Code Access **File:** `pkg/api/server.go:202` ```go router.PathPrefix("/api/qr/").HandlerFunc(h.ServeQRCode) ``` Any unauthenticated party who can reach the server can retrieve QR codes for any `account_id` and link their own device to a WhatsApp account. --- ### 8. No Rate Limiting on Login Endpoint **File:** `pkg/api/server.go:259` `/api/v1/auth/login` has no rate limiting or account lockout. Brute-force attacks are unrestricted. --- ### 9. CORS Misconfiguration **File:** `pkg/api/server.go:663-667` ```go w.Header().Set("Access-Control-Allow-Origin", "*") w.Header().Set("Access-Control-Allow-Credentials", "true") ``` `Allow-Origin: *` with `Allow-Credentials: true` is an invalid combination (browsers reject it). The wildcard allows any origin to read API responses. If origin is later restricted, the credentials flag enables CSRF via CORS. --- ### 10. No Request Body Size Limit **File:** All handlers All handlers use `json.NewDecoder(r.Body).Decode()` without `http.MaxBytesReader`. Arbitrarily large request bodies can cause memory exhaustion. --- ## MEDIUM ### 11. Internal Database Errors Leaked to Client **File:** `pkg/api/server.go:382, 499, 529, 543` ```go http.Error(w, fmt.Sprintf("Query failed: %v", err), ...) http.Error(w, fmt.Sprintf("Create failed: %v", err), ...) ``` Raw database errors including table names, column names, and constraint violations are returned to clients. --- ### 12. Config File Saved World-Readable **File:** `pkg/config/config.go:229` ```go os.WriteFile(path, data, 0644) ``` Config contains secrets (JWT secret, DB password, API tokens, MQTT credentials). Permissions should be `0600`. --- ### 13. Session Path Traversal Potential **File:** `pkg/api/server.go:461` ```go req.Data["session_path"] = fmt.Sprintf("./sessions/%s", sessionID) ``` `sessionID` is derived from user-supplied `account_id`. A value containing `../` could point the session path outside the sessions directory. `account_id` is not sanitized. --- ### 14. Phase 1 Config Password Stored Plaintext **File:** `pkg/config/config.go:26-28` `username` and `password` in `ServerConfig` are stored as plaintext strings and compared directly. Config file leakage equals credential leakage. --- ## LOW ### 15. JWT Stored in localStorage **File:** `web/src/lib/api.ts:61` ```ts localStorage.setItem("auth_token", token); ``` Accessible to any JavaScript on the page. Any XSS vulnerability results in full token theft. Prefer `httpOnly` cookies. --- ### 16. User Object Deserialized from localStorage Without Validation **File:** `web/src/lib/api.ts:92-93` ```ts return userStr ? JSON.parse(userStr) : null; ``` Parsed and trusted without server-side revalidation. A tampered value causes the UI to display incorrect role/permissions. --- ## Summary | # | Severity | Issue | Location | |---|----------|-------|----------| | 1 | Critical | JWT users get admin row access | `security.go:236` | | 2 | Critical | IDOR in query update/delete/get | `server.go:506-548` | | 3 | Critical | user_id spoofing in create | `server.go:440` | | 4 | Critical | Default JWT secret in code | `config.go:161` | | 5 | Critical | Media served without auth | `server.go:200` | | 6 | High | No token revocation on logout | `security.go:129` | | 7 | High | Unauthenticated QR code access | `server.go:202` | | 8 | High | No login rate limiting | `server.go:259` | | 9 | High | CORS misconfiguration | `server.go:663` | | 10 | High | No request body size limit | all handlers | | 11 | Medium | DB errors leaked to client | `server.go:382,499,529` | | 12 | Medium | Config file world-readable (0644) | `config.go:229` | | 13 | Medium | Session path traversal potential | `server.go:461` | | 14 | Medium | Plaintext Phase 1 password in config | `config.go:26` | | 15 | Low | JWT in localStorage | `api.ts:61` | | 16 | Low | Unvalidated localStorage user object | `api.ts:92` |