Security: Risk recalculation endpoint accessible to all authenticated users — DoS surface

[Calebux]

Description

POST /api/risk-score/recalculate triggers a full batch recalculation of risk scores for all subscriptions across all users. It is protected only by the standard authenticate middleware (any logged-in user), not the adminAuth middleware.

The route file contains the comment // TODO: Add admin check but it has never been implemented.

Risk

Any authenticated user (including free-tier users) can repeatedly POST to this endpoint, causing the backend to:

1. Fetch all subscriptions from the database in pages of 100
2. Run sequential risk calculations on each one
3. Write updated risk scores back to the database

This is a denial-of-service attack surface that can degrade database performance and backend responsiveness for all users.

Fix

// Add adminAuth middleware to the route
router.post('/recalculate', authenticate, adminAuth, async (req, res) => {
  // ...existing implementation
});

Or alternatively, move the recalculation endpoint to the /api/admin router which already uses adminAuth.

Additional Steps

• Add rate limiting specific to admin operations
• Consider making recalculation job-based (triggered by cron) rather than HTTP-triggered
• Add audit log entry when recalculation is triggered (who triggered it, when)

[drips-wave]

This issue has been added to the Stellar Wave Program and is worth 150 Points.

🧑‍💻 Interested in contributing? Apply to work on this issue on Drips Wave, earn points, and receive rewards.

Warning

Only applications submitted via the apply link above will be considered. Please do not apply by commenting on the issue or opening a PR directly.

🤠 Repo maintainers: You can manage this issue's Points and Complexity on your Maintainer Dashboard here. Please keep an eye on applications and respond quickly 💙

ℹ️ Learn more about Drips Wave

[Cofez]

@Cofez has applied to work on this issue as part of the Stellar Wave Program's 3rd wave.

I would like to protect the risk recalculation endpoint so only admins can trigger it, preventing any logged-in user from repeatedly forcing a heavy batch job that could slow or disrupt the whole system.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Cofez to this issue.

[drips-wave]

Congratulations, @Cofez! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on March 30, 2026.

🧑‍💻 @Cofez: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[drips-wave]

This issue has been marked as completed by a Drips Wave moderator for @Cofez as part of the Stellar Wave Program's 3rd Wave 🥳

Moderator's reason: [Auto-assessed] The PR #273 has been open for over 24 hours (7 days) without any maintainer objections. It directly addresses the security vulnerability described in issue #119 by correctly implementing the adminAuth middleware as requested.

😎 @Cofez: You earned 150 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.

ℹ️ Note: This issue was marked complete via moderation. Points were issued even though the GitHub issue remains open.