From ab9418cedc6dbad855c0dbd81e887a37a7384fbf Mon Sep 17 00:00:00 2001 From: Ehsan <1883051+ehsanking@users.noreply.github.com> Date: Wed, 1 Apr 2026 22:31:25 +0330 Subject: [PATCH] Harden legacy secure upload API route --- src/routes/api/upload-secure.ts | 22 ++++++++++------ tests/legacy-upload-secure-route.test.ts | 32 ++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 8 deletions(-) create mode 100644 tests/legacy-upload-secure-route.test.ts diff --git a/src/routes/api/upload-secure.ts b/src/routes/api/upload-secure.ts index b86c464..064c35a 100644 --- a/src/routes/api/upload-secure.ts +++ b/src/routes/api/upload-secure.ts @@ -1,10 +1,16 @@ - import { NextApiRequest, NextApiResponse } from 'next'; -export default async function handler(req: NextApiRequest, res: NextApiResponse) { - if (req.method === 'POST') { - // TODO: secure upload implementation - res.status(200).json({ message: 'Secure upload route ready' }); - } else { - res.status(405).json({ error: 'Method not allowed' }); - } + +/** + * Legacy Pages Router endpoint intentionally disabled. + * + * Security note: + * secure attachment uploads are only supported through the App Router + * endpoint at `app/api/upload-secure/route.ts`, which enforces fresh session, + * origin checks, authorization, and encrypted metadata handling. + */ +export default async function handler(_req: NextApiRequest, res: NextApiResponse) { + return res.status(410).json({ + error: 'This legacy endpoint is disabled. Use /api/upload-secure.', + code: 'LEGACY_ENDPOINT_DISABLED', + }); } diff --git a/tests/legacy-upload-secure-route.test.ts b/tests/legacy-upload-secure-route.test.ts new file mode 100644 index 0000000..23637c4 --- /dev/null +++ b/tests/legacy-upload-secure-route.test.ts @@ -0,0 +1,32 @@ +import { describe, expect, it } from 'vitest'; +import handler from '@/src/routes/api/upload-secure'; + +function createMockResponse() { + const result: { statusCode?: number; body?: unknown } = {}; + const res = { + status(code: number) { + result.statusCode = code; + return this; + }, + json(body: unknown) { + result.body = body; + return this; + }, + }; + + return { res, result }; +} + +describe('legacy upload-secure pages route', () => { + it('is permanently disabled to avoid bypassing secure app route controls', async () => { + const { res, result } = createMockResponse(); + + await handler({ method: 'POST' } as never, res as never); + + expect(result.statusCode).toBe(410); + expect(result.body).toEqual({ + error: 'This legacy endpoint is disabled. Use /api/upload-secure.', + code: 'LEGACY_ENDPOINT_DISABLED', + }); + }); +});