Description
Summary
Multiple customer-facing API endpoints and the storefront GraphQL endpoint lack authorization verification, allowing any authenticated customer to read and modify other customers' data.
Root Cause
The access: "public" setting in route.json causes the admin auth middleware to skip authentication. The JWT customer auth middleware only POPULATES request.locals.customer from a valid token; it never REQUIRES one to be present. On top of that, no endpoint handler compares the authenticated customer against the resource it is operating on, so any logged-in customer can target any other customer's record by UUID.
Key Vulnerable Endpoints
1. PATCH /customers/:id - Profile/Password Modification
In customer/api/updateCustomer/updateCustomer.js:

const customer = await select()
  .from('customer')
  .where('uuid', '=', request.params.id) // Any UUID
  .load(connection, false);
// NO ownership check
await update('customer')
  .given({ ...request.body, group_id: 1 }) // Including password
  .where('uuid', '=', request.params.id)
  .execute(connection, false);

Allows changing any customer's email and password. Account takeover.
2. GraphQL order(uuid) - Order Data Leak
In oms/graphql/types/Order/Order.resolvers.js:

order: async (_, { uuid }, { pool }) => {
  const query = getOrdersBaseQuery();
  query.where('uuid', '=', uuid); // No customer_id filter
  return camelCase(await query.load(pool));
}

The customer context is available but ignored. Exposes email, name, addresses, phone numbers, order details.
3. Address Management Endpoints
All /customers/:customer_id/addresses/* endpoints take arbitrary customer_id without ownership check.
Impact
An attacker can:
- Account takeover: Change any customer's password and email
- PII disclosure: Read any customer's orders and addresses
- Data manipulation: Add/modify/delete addresses on any account
Suggested Fix
- Add customer auth enforcement middleware for routes requiring authentication
- Verify request.locals.customer.uuid === request.params.id in handlers
- Filter GraphQL resolvers by customer_id from context
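The following is an added illustration of the three suggested fixes; it is not the project's own code. It replaces the database calls with an in-memory store (constructed sample data) so it runs offline, models the request object Express-style (request.locals, request.params, request.body), and returns HTTP-style results instead of calling next(). The field whitelist and the choice to answer a cross-account request with 404 rather than 403 are design choices of this example, not something the report specifies.

```javascript
// Added example, not the project's code: ownership enforcement for
// PATCH /customers/:id and a customer-scoped order(uuid) resolver.

// Constructed sample data standing in for the customer and order tables.
const customers = [
  { uuid: 'c-1', email: 'alice@example.com', password_hash: 'h1' },
  { uuid: 'c-2', email: 'bob@example.com', password_hash: 'h2' },
];
const orders = [
  { uuid: 'o-1', customer_id: 'c-1', total: 10 },
  { uuid: 'o-2', customer_id: 'c-2', total: 20 },
];

// Guard for routes that require an authenticated customer. The JWT
// middleware populates request.locals.customer; this guard REQUIRES it
// and ties it to the :id path parameter. Returns null when authorized,
// otherwise an HTTP-style denial the caller should return immediately.
function requireCustomerOwnership(request) {
  const current = request.locals && request.locals.customer;
  if (!current) {
    return { status: 401, body: { error: 'Authentication required' } };
  }
  if (current.uuid !== request.params.id) {
    // 404 instead of 403 so the endpoint does not confirm that the UUID exists.
    return { status: 404, body: { error: 'Customer not found' } };
  }
  return null;
}

// Hardened PATCH /customers/:id. Only whitelisted fields are written;
// password_hash and group_id are never taken from the client body.
const UPDATABLE_FIELDS = ['email', 'full_name'];

function updateCustomer(request) {
  const denied = requireCustomerOwnership(request);
  if (denied) return denied;

  const row = customers.find((c) => c.uuid === request.params.id);
  if (!row) return { status: 404, body: { error: 'Customer not found' } };

  for (const field of UPDATABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(request.body, field)) {
      row[field] = request.body[field];
    }
  }
  return { status: 200, body: { uuid: row.uuid, email: row.email } };
}

// Customer-scoped order(uuid) resolver. The customer_id filter comes
// from the authenticated context, never from the query arguments, so a
// valid order UUID belonging to someone else resolves to null.
function orderResolver(_, { uuid }, context) {
  const current = context && context.customer;
  if (!current) return null;
  const found = orders.find(
    (o) => o.uuid === uuid && o.customer_id === current.uuid
  );
  return found || null;
}
```

The guard deliberately sits in front of the handler rather than inside the database query, so every /customers/:id/* route (including the address endpoints) can reuse it, and the resolver applies the same rule at the query level so the leak cannot reappear through a different GraphQL field.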
Reported by lighthouse security research