F-2026-0014 · information-exposure

Health Test Endpoints Leak Authentication Details in Development

Status: Acknowledged · Tags: pentest, backend, api · Repository: github.com/bloom-art/api
TL;DR

Health test endpoints echo back API key IDs, partner IDs, and wallet addresses in dev. Accepted as test fixtures, prod-disabled via `assertNotProduction()`.

Severity: LOW
Impact: LOW
Likelihood: LOW
Method: Manual review
Category: information-exposure
Complexity: LOW
Exploitability: LOW
Description

At health.controller.ts#L89-L91 and L113-L115:

```typescript
public testAdminAuth(@CurrentApiKey() apiKey: LoggedInApiKey): Record<string, unknown> {
  this.assertNotProduction();
  // L91: echoes the caller's credential identifiers back to the client
  return { authType: "admin", apiKeyId: apiKey.apiKeyId, partnerId: apiKey.partnerId };
}

public testCustomerAuth(@CurrentCustomer() customer: LoggedInCustomer): Record<string, unknown> {
  this.assertNotProduction();
  // L115: same pattern for customer credentials (wallet address and partner ID)
  return { authType: "customer", walletAddress: customer.walletAddress, partnerId: customer.partnerId };
}
```

These endpoints return API key IDs, partner IDs, and wallet addresses, identifiers that could be used for enumeration in the dev environment.

Impact

In dev environments, callers can enumerate credentials and bind them to wallets/partners.

Recommendation

Return only a boolean success indicator, not authentication details.
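The recommendation, worked through as an added example (this is not code from the bloom-art/api repository): the two handlers from the finding are modelled as plain functions, once in the identifier-echoing shape the finding reports and once in the boolean-only shape recommended above, with a small review-time check that lists which identity fields a response body still exposes. The `LoggedInApiKey`/`LoggedInCustomer` shapes, the explicit `env` parameter on `assertNotProduction`, the `IDENTITY_FIELDS` list and the sample credentials are assumptions made for this example.

```typescript
// Added example, not the project's own code. Types, the `env` parameter and
// the identity-field list are assumptions for illustration.

type LoggedInApiKey = { apiKeyId: string; partnerId: string };
type LoggedInCustomer = { walletAddress: string; partnerId: string };

// Field names that identify a credential or its owner and should never be
// echoed by a health endpoint (assumed list for this example).
const IDENTITY_FIELDS = ["apiKeyId", "partnerId", "walletAddress"] as const;

// Mirrors the finding's assertNotProduction() guard; takes the environment
// name explicitly instead of reading process.env so it can be unit-tested.
function assertNotProduction(env: string): void {
  if (env === "production") {
    throw new Error("health test endpoints are disabled in production");
  }
}

// Shape reported in the finding: echoes the caller's credential identity.
function testAdminAuthLeaky(env: string, apiKey: LoggedInApiKey): Record<string, unknown> {
  assertNotProduction(env);
  return { authType: "admin", apiKeyId: apiKey.apiKeyId, partnerId: apiKey.partnerId };
}

function testCustomerAuthLeaky(env: string, customer: LoggedInCustomer): Record<string, unknown> {
  assertNotProduction(env);
  return { authType: "customer", walletAddress: customer.walletAddress, partnerId: customer.partnerId };
}

// Shape the recommendation asks for: proves the credential resolved without
// returning anything that identifies it. The credential parameter is kept so
// the auth guard still has to run, but it is deliberately never read.
function testAdminAuthHardened(env: string, _apiKey: LoggedInApiKey): { ok: true; authType: "admin" } {
  assertNotProduction(env);
  return { ok: true, authType: "admin" };
}

function testCustomerAuthHardened(env: string, _customer: LoggedInCustomer): { ok: true; authType: "customer" } {
  assertNotProduction(env);
  return { ok: true, authType: "customer" };
}

// Review-time check: returns the identity fields present in a response body.
// Run over every health/debug handler in a unit test so a later refactor
// cannot silently reintroduce the echo.
function leakedIdentityFields(body: Record<string, unknown>): string[] {
  return IDENTITY_FIELDS.filter((f) => f in body);
}

// Constructed sample credentials for the demonstration below.
const sampleKey: LoggedInApiKey = { apiKeyId: "key_0001", partnerId: "partner_42" };
const sampleCustomer: LoggedInCustomer = {
  walletAddress: "0x0000000000000000000000000000000000000001",
  partnerId: "partner_42",
};

console.log("leaky admin exposes:", leakedIdentityFields(testAdminAuthLeaky("development", sampleKey)));
console.log("leaky customer exposes:", leakedIdentityFields(testCustomerAuthLeaky("development", sampleCustomer)));
console.log("hardened admin exposes:", leakedIdentityFields(testAdminAuthHardened("development", sampleKey)));
console.log("hardened customer exposes:", leakedIdentityFields(testCustomerAuthHardened("development", sampleCustomer)));
```

The hardened variants keep the `authType` discriminator so an e2e test can still tell which guard chain fired, while dropping every field that names the credential or its owner; if a test genuinely needs to confirm which identity resolved, that assertion belongs in the test harness's own fixtures rather than in the HTTP response.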

Resolution

Accepted by team. Endpoints are prod-disabled via `assertNotProduction()` and only echo the caller's own credential identity; the returned fields are load-bearing test observables in `health-auth.e2e.ts` and `throttling.e2e.ts`.

© 2026 Zealynx