Unauthorized route migration for routes owned by appex-sharedux (#214779)

elena-shostak · web-flow · commit a7cc00c4fe16 · 2025-03-18T18:00:53.000+01:00
### Authz API migration for unauthorized routes This PR migrates last unauthorized routes owned by your team to a new security configuration. Please refer to the documentation for more information: [Authorization API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization) ### **Before migration:** ```ts router.get({ path: '/api/path', ... }, handler); ``` ### **After migration:** ```ts router.get({ path: '/api/path', security: { authz: { enabled: false, reason: 'This route is opted out from authorization because ...', }, }, ... }, handler); ```
diff --git a/src/core/packages/ui-settings/server-internal/src/routes/get.ts b/src/core/packages/ui-settings/server-internal/src/routes/get.ts
@@ -38,14 +38,32 @@ export function registerGetRoute(router: InternalUiSettingsRouter) {
     }
   };
   router.get(
-    { path: '/api/kibana/settings', validate: false },
+    {
+      path: '/api/kibana/settings',
+      validate: false,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route delegates authorization to the UI Settings Client',
+        },
+      },
+    },
     async (context, request, response) => {
       const uiSettingsClient = (await context.core).uiSettings.client;
       return await getFromRequest(uiSettingsClient, context, request, response);
     }
   );
   router.get(
-    { path: '/api/kibana/global_settings', validate: false },
+    {
+      path: '/api/kibana/global_settings',
+      validate: false,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route delegates authorization to the UI Settings Client',
+        },
+      },
+    },
     async (context, request, response) => {
       const uiSettingsClient = (await context.core).uiSettings.globalClient;
       return await getFromRequest(uiSettingsClient, context, request, response);
diff --git a/src/platform/plugins/shared/files/server/routes/public_facing/download.ts b/src/platform/plugins/shared/files/server/routes/public_facing/download.ts
@@ -74,9 +74,18 @@ export function register(router: FilesRouter) {
       path: FILES_API_ROUTES.public.download,
       validate: { ...rt },
       options: {
-        authRequired: false,
         access: 'public',
       },
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is public and does not require user authentication',
+        },
+        authc: {
+          enabled: false,
+          reason: 'This route is public and does not require user authentication',
+        },
+      },
     },
     handler
   );
diff --git a/src/platform/plugins/shared/share/server/url_service/http/short_urls/register_goto_route.ts b/src/platform/plugins/shared/share/server/url_service/http/short_urls/register_goto_route.ts
@@ -18,6 +18,12 @@ export const registerGotoRoute = (router: IRouter, core: CoreSetup) => {
   core.http.resources.register(
     {
       path: '/goto/{id}',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route handles redirection',
+        },
+      },
       validate: {
         params: schema.object({
           id: schema.string({
