🔐 security: Only make dev endpoints available during tests.

Also, make sure that authentication by-pass only works during tests.
infoderm · Sep 20, 2023 · 8038c6a · 8038c6a
1 parent 3ee174b
commit 8038c6a
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/imports/api/authorized.ts b/imports/api/authorized.ts
@@ -1,3 +1,5 @@
+import isTest from '../app/isTest';
+
 import {
 	type Authentication,
 	AuthenticationDangerousNone,
@@ -14,10 +16,15 @@ const authorized = (
 			return typeof invocation.userId === 'string' && invocation.userId !== '';
 		}
 
+		// @ts-expect-error We allow a fallthrough here so that this gets pruned in
+		// production build.
 		case AuthenticationDangerousNone: {
-			return true;
+			if (isTest()) {
+				return true;
+			}
 		}
 
+		// eslint-disable-next-line no-fallthrough
 		default: {
 			return false;
 		}

diff --git a/imports/api/endpoint/_register/available.ts b/imports/api/endpoint/_register/available.ts
@@ -1,6 +1,3 @@
-// eslint-disable-next-line import/no-unassigned-import
-import '../_dev/reset';
-
 // eslint-disable-next-line import/no-unassigned-import
 import '../allergies/changeColor';