fix(api): add whoami to allowed endpoints whitelist

msujaws · msujaws · commit 9feb76a28019 · 2026-01-15T23:01:26.000-05:00
The /whoami endpoint was missing from the proxy whitelist, causing
403 errors when validating API keys on the Vercel-hosted instance.
diff --git a/api/bugzilla.test.ts b/api/bugzilla.test.ts
@@ -185,6 +185,20 @@ describe('Bugzilla API Proxy Security', () => {
       expect(fetch).toHaveBeenCalled()
     })
 
+    it('should allow /whoami endpoint', async () => {
+      const req = createMockRequest({
+        url: '/api/bugzilla/whoami',
+        query: { path: ['whoami'] },
+        headers: { origin: 'http://localhost:5173' },
+      })
+      const res = createMockResponse()
+
+      await handler(req, res)
+
+      expect(res._status).not.toBe(403)
+      expect(fetch).toHaveBeenCalled()
+    })
+
     it('should reject unauthorized endpoints', async () => {
       const req = createMockRequest({
         url: '/api/bugzilla/admin/settings',
diff --git a/api/bugzilla.ts b/api/bugzilla.ts
@@ -12,7 +12,7 @@ const ALLOWED_ORIGINS = [
 ]
 
 // Allowed endpoint prefixes - whitelist only safe endpoints
-const ALLOWED_ENDPOINTS = new Set(['bug', 'user'])
+const ALLOWED_ENDPOINTS = new Set(['bug', 'user', 'whoami'])
 
 function isOriginAllowed(origin: string | undefined): boolean {
   // Same-origin requests (no origin header) are allowed

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ const ALLOWED_ORIGINS = [`
`12`	`12`	`]`
`13`	`13`
`14`	`14`	`// Allowed endpoint prefixes - whitelist only safe endpoints`
`15`		`-const ALLOWED_ENDPOINTS = new Set(['bug', 'user'])`
	`15`	`+const ALLOWED_ENDPOINTS = new Set(['bug', 'user', 'whoami'])`
`16`	`16`
`17`	`17`	`function isOriginAllowed(origin: string \| undefined): boolean {`
`18`	`18`	`// Same-origin requests (no origin header) are allowed`