From 08c10f51687e6aa6925976e6d1358c501c4767ff Mon Sep 17 00:00:00 2001
From: FuturMix
Date: Sun, 14 Jun 2026 09:58:54 +0800
Subject: [PATCH] fix: add authentication to candles endpoint

Fixes #13 GET /api/candles had no authentication check, unlike every other API endpoint which calls authenticate(req). This allowed unauthenticated access to market data and potential abuse of upstream exchange APIs. Added the standard authenticate(req) + unauthorized() pattern.
---
 apps/web/src/app/api/candles/route.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/apps/web/src/app/api/candles/route.ts b/apps/web/src/app/api/candles/route.ts
index ebb8c65..c087234 100644
--- a/apps/web/src/app/api/candles/route.ts
+++ b/apps/web/src/app/api/candles/route.ts
@@ -1,4 +1,5 @@
 import type { NextRequest } from 'next/server';
+import { authenticate, unauthorized } from '@/lib/api-auth';
 
 interface Bar {
   time: number;
@@ -136,6 +137,9 @@ async function fromGemini(pair: string, timeframe: string, limit: number): Promi
 }
 
 export async function GET(req: NextRequest) {
+  const auth = await authenticate(req);
+  if (!auth) return unauthorized();
+
   const { searchParams } = new URL(req.url);
   const pair = (searchParams.get('pair') ?? '').toUpperCase();
   const exchange = (searchParams.get('exchange') ?? '').toLowerCase();
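Review bot: The new guard at the top of GET only handles a falsy result from authenticate(req); if that helper can reject (for example on a malformed credential) the rejection propagates out of GET as an unhandled error rather than the intended unauthorized() response, so it is worth confirming against '@/lib/api-auth' whether the other routes wrap the call or rely on it never throwing. The commit message also names abuse of upstream exchange APIs as the motivation, but authentication alone does not bound request volume per authenticated caller; if the sibling routes apply any per-user rate limit after authenticate(), this route should apply the same one. A one-line comment would make the ordering intent explicit for the next maintainer: `// Authenticate before reading query params so unauthenticated callers cannot trigger upstream exchange requests.` The body of GET continues outside the hunk, so whether `auth` is used further down cannot be seen here.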