fix: add authentication to SMS send-notification endpoint#94

Closed
FuturMix wants to merge 1 commit into profullstack:master from FuturMix:fix/sms-send-notification-auth

Conversation

@FuturMix

Bug

POST /api/sms/send-notification has no authentication. Any unauthenticated HTTP request can send SMS messages via the Twilio API, potentially running up costs and enabling SMS spam/phishing from the application's phone number.

Fix

Wrapped the handler with the existing withAuth middleware from @/lib/api/middleware/auth.js, consistent with other protected endpoints in the codebase (e.g., /api/messages/send, /api/conversations/create).

Unauthenticated requests now receive a 401 Unauthorized response.

The POST /api/sms/send-notification endpoint had no authentication,
allowing any unauthenticated request to send SMS messages via the
Twilio API. This could be exploited to send arbitrary SMS at the
application's expense.

Wraps the handler with the existing withAuth middleware, consistent
with other protected endpoints in the codebase.
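The fix described above, as an added illustration rather than the project's own withAuth or route code: a minimal withAuth wrapper over a send-notification handler, with the session lookup and the Twilio client replaced by constructed stand-ins. It shows the bare handler sending an SMS for any caller, and the wrapped export returning 401 with nothing sent when the bearer token is missing or unknown.

```javascript
// Added example, not the project's code: a minimal withAuth wrapper around a
// send-notification handler. Requests and responses are plain objects, and
// the session table and the Twilio client are constructed stand-ins.

// Constructed session table: bearer token -> authenticated user.
const SESSIONS = new Map([["tok-alice-123", { id: "u1" }]]);

function getSessionUser(req) {
  const [scheme, token] = (req.headers.authorization ?? "").split(" ");
  return scheme === "Bearer" && token ? SESSIONS.get(token) ?? null : null;
}

// Higher-order middleware: the auth check runs before the wrapped handler,
// so an unauthenticated caller never reaches the code that sends SMS.
function withAuth(handler) {
  return (req, ctx = {}) => {
    const user = getSessionUser(req);
    if (!user) return { status: 401, body: { error: "Unauthorized" } };
    return handler(req, { ...ctx, user });
  };
}

// Stand-in for the Twilio client; records outbound messages for inspection.
const sent = [];
function sendSms(to, body) {
  sent.push({ to, body });
  return { sid: `SM-constructed-${sent.length}` };
}

// The bare handler: as exported before the fix, every caller reaches sendSms.
function sendNotification(req, ctx = {}) {
  const { to, body } = req.body;
  const { sid } = sendSms(to, body);
  return { status: 200, body: { ok: true, sid, sentBy: ctx.user?.id ?? null } };
}

// After the fix: the route exports the wrapped handler instead.
const POST = withAuth(sendNotification);

// Drives a handler with a constructed request; returns the status and how many
// SMS the call caused, so the protected and unprotected paths can be compared.
function call(handler, token) {
  const headers = {};
  if (token) headers.authorization = `Bearer ${token}`;
  const before = sent.length;
  const res = handler({ method: "POST", headers, body: { to: "+15550199", body: "hi" } });
  return { status: res.status, sent: sent.length - before };
}
```

Calling `call(POST)` with no token returns `{ status: 401, sent: 0 }`, while `call(sendNotification)` on the unwrapped handler returns `{ status: 200, sent: 1 }`.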