F-2026-0014·information-exposure
Health Test Endpoints Leak Authentication Details in Development
TL;DR
Health test endpoints echo back API key IDs, partner IDs, and wallet addresses in dev. Accepted as test fixtures, prod-disabled via `assertNotProduction()`.
Severity
LOW
Impact
LOW
Likelihood
LOW
Method
Manual review
CAT.
Complexity
LOW
Exploitability
LOW
Description
At `health.controller.ts#L89-L91` and `L113-L115`:

```typescript
public testAdminAuth(@CurrentApiKey() apiKey: LoggedInApiKey): Record<string, unknown> {
  this.assertNotProduction();
  return { authType: "admin", apiKeyId: apiKey.apiKeyId, partnerId: apiKey.partnerId }; // L91, echoes back credentials
}

public testCustomerAuth(@CurrentCustomer() customer: LoggedInCustomer): Record<string, unknown> {
  this.assertNotProduction();
  return { authType: "customer", walletAddress: customer.walletAddress, partnerId: customer.partnerId }; // L115
}
```
Both handlers echo the authenticated caller's identity back in the response body: the API key ID and partner ID for admin callers, the wallet address and partner ID for customer callers. In the dev environment this turns each endpoint into a credential oracle: presenting a credential confirms it is valid and reveals which partner or wallet it is bound to, which supports enumeration by trying credentials and reading back what they map to.
Impact
In dev environments, a caller that obtains or guesses a credential can confirm it is valid and learn the partner ID and wallet address it is bound to. The exposure is limited to the caller's own credential and to non-production deployments, hence the LOW rating.
Recommendation
Return only a boolean success indicator (and at most the authentication type), not the caller's identity fields; keep the `assertNotProduction()` gate in place.
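The gate and the two response shapes side by side, as an added example that is not the project's code. The handlers are modelled as plain functions taking an explicit environment so they can be exercised outside NestJS; the `Env` type, the parameter interfaces, the error class, the `fingerprint` helper and the `key` it takes are assumptions. The fingerprinted variant is a middle ground for the case the Resolution raises, where e2e tests still need to tell fixtures apart: a keyed, truncated HMAC lets a test distinguish callers without the endpoint echoing the raw identifier.

```typescript
// Added example, not the project's code. Models the dev-only auth test endpoints
// as plain functions so the production gate and the response shape can be tested.
// Env, the parameter interfaces, the error class and the HMAC key are assumptions.
import { createHmac } from "crypto";

type Env = "development" | "test" | "production";

// Assumed shapes of the decorated parameters in health.controller.ts.
interface LoggedInApiKey { apiKeyId: string; partnerId: string }
interface LoggedInCustomer { walletAddress: string; partnerId: string }

class NotAvailableInProductionError extends Error {}

// The gate the finding relies on: refuse the request outright in production.
function assertNotProduction(env: Env): void {
  if (env === "production") {
    throw new NotAvailableInProductionError("test endpoints are disabled in production");
  }
}

// Shape as reported (L91 / L115): echoes the caller's identity back.
function testAdminAuthEcho(env: Env, apiKey: LoggedInApiKey): Record<string, unknown> {
  assertNotProduction(env);
  return { authType: "admin", apiKeyId: apiKey.apiKeyId, partnerId: apiKey.partnerId };
}

// Recommended shape: a success flag and the auth type, nothing identifying the caller.
// The guard already authenticated the key; the body does not need to mention it.
function testAdminAuthHardened(env: Env, _apiKey: LoggedInApiKey): Record<string, unknown> {
  assertNotProduction(env);
  return { ok: true, authType: "admin" };
}

// Keyed, truncated HMAC of an identifier. Unlike a plain hash it cannot be
// brute-forced from the small apiKeyId / partnerId space without the server-side key.
// `key` stands in for a server secret (assumption, not a project setting).
function fingerprint(key: string, value: string): string {
  return createHmac("sha256", key).update(value).digest("hex").slice(0, 16);
}

// Middle ground for e2e tests that must tell fixtures apart: an opaque caller
// reference that is stable per fixture but reveals neither wallet nor partner.
function testCustomerAuthFingerprinted(
  env: Env,
  key: string,
  customer: LoggedInCustomer,
): Record<string, unknown> {
  assertNotProduction(env);
  return {
    ok: true,
    authType: "customer",
    callerRef: fingerprint(key, `${customer.partnerId}:${customer.walletAddress}`),
  };
}

// Check usable from a test or a response interceptor: which identity fields leaked?
const IDENTITY_FIELDS: readonly string[] = ["apiKeyId", "partnerId", "walletAddress"];
function leakedIdentityFields(body: Record<string, unknown>): string[] {
  return Object.keys(body).filter((k) => IDENTITY_FIELDS.includes(k));
}
```

A test that previously asserted `body.apiKeyId === fixture.apiKeyId` can instead assert `body.callerRef === fingerprint(key, ...)` using the same key from the test configuration, or simply assert `leakedIdentityFields(body).length === 0` as a regression check on the response shape.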
Resolution
Accepted by team. Endpoints are prod-disabled via `assertNotProduction()` and only echo the caller's own credential identity; the returned fields are load-bearing test observables in `health-auth.e2e.ts` and `throttling.e2e.ts`.