From 5acc2529216fe00f0cf15f7592183a15d84a5bd3 Mon Sep 17 00:00:00 2001
From: josh
Date: Tue, 21 Apr 2026 20:25:19 -0400
Subject: [PATCH] Add requireAgent guard to analytics and export routes

Both endpoints were authenticated but had no role check, allowing any
logged-in USER to view company-wide analytics and export all tickets.

Co-Authored-By: Claude Opus 4.6
---
 server/src/routes/analytics.ts | 3 ++-
 server/src/routes/export.ts | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/server/src/routes/analytics.ts b/server/src/routes/analytics.ts
index 7362aeb..61a8bd9 100644
--- a/server/src/routes/analytics.ts
+++ b/server/src/routes/analytics.ts
@@ -1,9 +1,10 @@
 import { Router } from 'express';
 import * as analyticsService from '../services/analyticsService';
+import { requireAgent } from '../middleware/auth';
 
 const router = Router();
 
-router.get('/summary', async (req, res) => {
+router.get('/summary', requireAgent, async (req, res) => {
   const raw = Number(req.query.window);
   const window: analyticsService.AnalyticsWindow =
     raw === 14 || raw === 30 || raw === 90 ? raw : 30;
diff --git a/server/src/routes/export.ts b/server/src/routes/export.ts
index 81d571f..eb38ef0 100644
--- a/server/src/routes/export.ts
+++ b/server/src/routes/export.ts
@@ -1,5 +1,6 @@
 import { Router } from 'express';
 import * as ticketService from '../services/ticketService';
+import { requireAgent } from '../middleware/auth';
 
 const router = Router();
 
@@ -10,7 +11,7 @@ function csvEscape(v: unknown): string {
   return s;
 }
 
-router.get('/tickets.csv', async (req, res) => {
+router.get('/tickets.csv', requireAgent, async (req, res) => {
   const { status, severity, assigneeId, categoryId, typeId, itemId, search } = req.query;
   const tickets = await ticketService.listTickets({
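Review bot: The guard is attached per route (`router.get('/summary', requireAgent, …)` here and `router.get('/tickets.csv', requireAgent, …)` in export.ts), so any handler added to either router later starts out unguarded again, which is presumably how this gap arose in the first place. Applying it once at router level, `router.use(requireAgent);` directly after `const router = Router();`, makes both routers fail closed for new endpoints and lets the two route lines keep their previous shape. The hunks do not show where authentication runs; if `requireAgent` only inspects an already-populated request user, confirm the parent app mounts the authentication middleware ahead of these routers, otherwise the role check may run with no user at all. A regression test that issues a USER-role request to each endpoint and asserts a 403 would pin the fix. Both route handlers continue past the end of their hunks.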