From 81df0ea00c26b654c81bdcbd922f60c69488cf39 Mon Sep 17 00:00:00 2001
From: FuturMix
Date: Sun, 14 Jun 2026 09:44:16 +0800
Subject: [PATCH] fix: add authentication to SMS send-notification endpoint
The POST /api/sms/send-notification endpoint had no authentication, allowing any unauthenticated request to send SMS messages via the Twilio API. This could be exploited to send arbitrary SMS at the application's expense. Wraps the handler with the existing withAuth middleware, consistent with other protected endpoints in the codebase.
---
src/app/api/sms/send-notification/route.js | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/src/app/api/sms/send-notification/route.js b/src/app/api/sms/send-notification/route.js
index 2d4b123..446589e 100644
--- a/src/app/api/sms/send-notification/route.js
+++ b/src/app/api/sms/send-notification/route.js
@@ -4,14 +4,13 @@
 */
 import { NextResponse } from 'next/server';
+import { withAuth } from '@/lib/api/middleware/auth.js';
 import { TwilioSMSProvider } from '@/lib/services/twilio-sms-provider.js';
 /**
- * Send SMS notification
- * @param {Object} params - SvelteKit request parameters
- * @param {Request} params.request - The request object
+ * Send SMS notification (requires authentication)
 */
-export async function POST(request) {
+export const POST = withAuth(async ({ request }) => {
 try {
 const { phoneNumber, message } = await request.json();
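Review bot: Authentication alone does not close the abuse the commit message describes — on the new `withAuth(async ({ request }) => {` line any signed-in user can still send an arbitrary `message` to an arbitrary `phoneNumber` at the application's Twilio expense (SMS pumping / toll fraud, and phishing that arrives from the app's own sender ID). The handler should also authorize: check a role on whatever identity `withAuth` resolves, or bind the recipient to the caller's own verified number, and apply a per-user rate limit; until that exists, mark the gap with `// TODO(security): authn only — restrict who may call this and to which recipients, and rate-limit per user`. The rewrite also assumes `withAuth` invokes the handler with a single object carrying `request`; if the middleware instead forwards Next.js' `(request, context)` arguments, the destructured `request` is `undefined` and `request.json()` throws into the catch as a 500, so this is worth confirming against `auth.js`, which is not in the diff. The new JSDoc dropped the parameter description; `@param {{ request: Request }} ctx - handler context supplied by withAuth` would document the changed calling convention. POST's body continues beyond this hunk, so any recipient or content validation that lives there is not visible here.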
@@ -30,18 +29,18 @@ export async function POST(request) {
 // Initialize Twilio SMS provider
 const twilioProvider = new TwilioSMSProvider();
-
+
 // Send SMS via Twilio
 const result = await twilioProvider.sendSMS(phoneNumber, message);
-
+
 const messageId = (result && typeof result === 'object' && 'messageId' in result) ? result.messageId : 'unknown';
 const status = (result && typeof result === 'object' && 'status' in result) ? result.status : 'sent';
-
+
 console.log('📱 [SMS-API] SMS sent successfully:', { messageId, status });
-
+
 return NextResponse.json({
 success: true,
 messageId,
@@ -56,4 +55,4 @@ export async function POST(request) {
 { status: 500 }
 );
 }
-}
\ No newline at end of file
+});