Skip to content

Security: Zero Authentication on 31/34 API Endpoints + Hardcoded Credentials in Public Repo (18 Findings) #259

Open
Open
Security: Zero Authentication on 31/34 API Endpoints + Hardcoded Credentials in Public Repo (18 Findings)#259
@lighthousekeeper1212

Description

@lighthousekeeper1212
lighthousekeeper1212
opened on Mar 4, 2026

Summary

This pharmacy management system has zero authentication on 31 of 34 backend API endpoints. Only 3 supplier endpoints (POST/PUT/DELETE) use checkAuth middleware. All other endpoints — inventory, sales, doctor orders, user management — are fully accessible without login. Additionally, MongoDB Atlas credentials, Gmail SMTP credentials, and JWT signing keys are hardcoded in the source code of this public repository.

Critical: Hardcoded Credentials (3 findings)

  1. MongoDB Atlas (app.js:18): mongodb+srv://lalana:OJx2X4IllVNl9up4@... — anyone can connect directly to the database
  2. SMTP (inventory.js:224): pharmacare.contactus@gmail.com / lalana1011294
  3. JWT Secret (user.js:63): 'this_is_the_webToken_secret_key' — anyone can forge valid tokens

Immediate action needed: Rotate all credentials. These are exposed in a public GitHub repository.

Critical: Zero Authentication (7 finding groups)

  1. All 10 inventory endpoints (inventory.js) — full CRUD on drug inventory without auth
  2. All 3 sales endpoints (sales.js) — financial data readable/writable
  3. All 3 doctor order endpoints (doctorOders.js) — create/view/delete orders
  4. All 3 verified order endpoints (verifiedDoctorOder.js) — verify/delete orders
  5. All 2 picked-up order endpoints (pickedUpOders.js) — complete order flow
  6. All 5 user management endpoints (user.js:80-126) — list/update/delete users (returns password hashes!)
  7. All 5 doctor management endpoints (doctorUser.js:78-122) — same as above for doctors

Critical: Self-Registration with Arbitrary Role

  1. POST /api/user/signup (user.js:7-34): Accepts role from request body — anyone self-registers as admin.

High Findings

  1. Supplier GET endpoints unauthenticated (supplier.js:41,51) — 1-of-N: POST/PUT/DELETE have auth, GET does not
  2. NoSQL injection in login (user.js:40) — findOne({email: req.body.email}) without type validation
  3. Unauthenticated email relay (4 /sendmail endpoints) — SMTP abuse
  4. HTML injection in email templates — user input interpolated into HTML emails
  5. JWT secret mismatch (check-docAuth.js:6) — doctor auth middleware permanently broken (verifies with '..._keys' vs signed with '..._key')
  6. Password hashes in API responses — no .select('-password') on queries

Medium

  1. Frontend-only AuthGuard — Angular guard on 2 of ~20 routes

Impact

This is a pharmacy system handling controlled substances. An attacker can:

  • Access all drug inventory and modify quantities/prices
  • Create fraudulent doctor orders for controlled substances
  • Self-verify and mark orders as picked up
  • Read all user/doctor PII including password hashes
  • Register as admin
  • Send emails via the pharmacy's SMTP account

Recommended Fixes

  1. Rotate all hardcoded credentials immediately — MongoDB password, Gmail password, JWT secret
  2. Move secrets to environment variables — use .env file with dotenv, add .env to .gitignore
  3. Apply checkAuth middleware globally — add to all route files, not just supplier
  4. Validate role on signup — reject or ignore role from request body, default to lowest privilege
  5. Add .select('-password') to all user/doctor queries
  6. Fix JWT secret mismatch in check-docAuth.js
  7. Add input validation — use a library like express-validator or joi to validate request bodies before passing to MongoDB

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions