Skip to content

Enforce token validation in role_required decorator #258

Description

@gita-agents

Add token validation to the role_required decorator to prevent bypassing authentication checks.

Findings (1)

  • [MEDIUM] design at backend/app/utils/decorators.py:90 — role_required decorator does not validate token before checking roles. Unlike other decorators (token_required, admin_required, etc.), it assumes request.current_user is already set without calling _extract_and_validate_token(), making it vulnerable to use without prior token validation.
    Fix sketch: Call _extract_and_validate_token() at the start of the decorated function to ensure token is validated before checking roles.

Generated by GITA v0.1.0 onboarding agent against amass. Milestone confidence: 0.90.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions