Skip to content

feat: wire and globalise admin security & validation middleware#619

Merged
hman38705 merged 2 commits intosolutions-plug:mainfrom
Macnelson9:feat/admin-security-middleware-446-447-448-449
Apr 27, 2026
Merged

feat: wire and globalise admin security & validation middleware#619
hman38705 merged 2 commits intosolutions-plug:mainfrom
Macnelson9:feat/admin-security-middleware-446-447-448-449

Conversation

@Macnelson9
Copy link
Copy Markdown
Contributor

@Macnelson9 Macnelson9 commented Apr 27, 2026
edited by hman38705
Loading

Summary

closes #446
closes #447
closes #448
closes #449

All four issues share the same root cause: middleware existed but was either missing tests, missing documentation, or not applied to all route groups. This PR resolves all four in a single commit.

#446 — Wire admin authentication middleware into admin routes

api_key_middleware was already wired into admin_routes. What was missing were tests.

  • Added 3 tests: valid key → 200, missing key → 401, wrong key → 401.

#447 — Wire IP whitelist middleware for admin endpoints

ip_whitelist_middleware was already wired into admin_routes. What was missing were documentation and tests.

  • Added doc comment explaining ADMIN_WHITELIST_IPS env var and open-by-default (empty list = allow all) behaviour.
  • Added 4 tests: empty list allows all, matching IP via header → 200, non-matching IP → 403, no ConnectInfo + non-empty list → 403.

#448 — Attach security headers middleware globally

security_headers_middleware was applied to public_routes and webhook_routes but missing from newsletter_routes and admin_routes.

  • Removed per-group layers from public_routes and webhook_routes.
  • Applied once on the top-level app — covers all four route groups with no duplicate headers.
  • Added security_headers_middleware_no_duplicates test.

#449 — Attach request validation middleware globally

request_validation_middleware and request_size_validation_middleware were applied to public_routes only; webhook_routes and admin_routes were unprotected.

  • Removed per-group layers from public_routes.
  • Applied both globally on the top-level app.
  • content_type_validation_middleware intentionally stays on newsletter_routes only (rejects missing Content-Type, which would break GET routes elsewhere).
  • Added doc comment to request_validation_middleware documenting all rejection rules.
  • Added 7 tests: clean request, SQL injection in query, SQL injection in path, path traversal, oversized query string, within-limit body, over-limit body.

Files changed

Macnelson9 and others added 2 commits April 27, 2026 14:26
@Macnelson9
feat: wire and globalise admin security & validation middleware (solu…
38ad7b3 
…tions-plug#446 solutions-plug#447 solutions-plug#448 solutions-plug#449)

solutions-plug#446 - api_key_middleware already wired into admin_routes; add tests for
       authorized, missing-key, and wrong-key cases.

solutions-plug#447 - ip_whitelist_middleware already wired into admin_routes; add doc
       comment documenting ADMIN_WHITELIST_IPS env var and open-by-default
       behaviour; add tests for empty list, matching IP, blocked IP.

solutions-plug#448 - Remove per-group security_headers_middleware from public_routes and
       webhook_routes; apply once globally on the top-level app so all four
       route groups (public, newsletter, webhook, admin) receive CSP, HSTS,
       X-Frame-Options, and Referrer-Policy with no duplicates.
       Add no-duplicates test.

solutions-plug#449 - Remove per-group request_validation_middleware and
       request_size_validation_middleware from public_routes; apply both
       globally on the top-level app so webhook and admin routes are also
       covered. content_type_validation_middleware stays on newsletter_routes
       only (mutation-specific). Add doc comment and 7 tests covering SQL
       injection in query/path, path traversal, oversized query string,
       within-limit and over-limit body size.
@hman38705
Merge branch 'main' into feat/admin-security-middleware-446-447-448-449
68f50fd
@drips-wave
Copy link
Copy Markdown

drips-wave Bot commented Apr 27, 2026

@Macnelson9 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@hman38705 hman38705 merged commit a1de5af into solutions-plug:main Apr 27, 2026
11 of 32 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

2 participants

@Macnelson9 @hman38705