API Endpoints Authentication Audit
Date: 2025-11-13 Status: Phase 1 - Initial Audit Purpose: Classify all API endpoints by authentication requirements
Payment Service
Base URL: /api
Public Endpoints (No Auth Required)
| Endpoint | Method | Purpose | Status |
|---|---|---|---|
| /health | GET | Health check | ✅ Public |
| /ready | GET | Readiness check | ✅ Public |
| /webhooks/clerk | POST | Clerk webhook receiver | ✅ Public (Svix verification) |
| /webhooks/stripe | POST | Stripe webhook receiver | ✅ Public (Stripe verification) |
Customer Endpoints (Auth Required, Any Role)
| Endpoint | Method | Purpose | Auth Status |
|---|---|---|---|
| /api/checkout | POST | Create checkout session | 🔄 TODO: Add `clerkMiddleware()` |
| /api/customers | GET | List customers | 🔄 TODO: Add auth + ownership check |
| /api/customers/:id | GET | Get customer details | 🔄 TODO: Add auth + ownership check |
| /api/customers/:id | PATCH | Update customer | 🔄 TODO: Add auth + ownership check |
Admin Endpoints (Admin Role Required)
| Endpoint | Method | Purpose | Auth Status |
|---|---|---|---|
| None currently defined | - | - | - |
Recommendation:
- Add admin endpoints for: refunds, list all customers, delete payments
- Protect customer routes with ownership checks
Search Service
Base URL: /api
Public Endpoints (No Auth Required)
| Endpoint | Method | Purpose | Status |
|---|---|---|---|
| /health, /ready, /live | GET | Health checks | ✅ Public |
| /metrics | GET | Prometheus metrics | ✅ Public (consider restricting) |
| /api/search | GET | Search parts | ✅ Public |
| /api/autocomplete | GET | Autocomplete suggestions | ✅ Public |
| /api/filters | GET | Filter aggregations | ✅ Public |
| /api/parts/:id | GET | Get single part | ✅ Public |
| /api/equipment | GET | Browse equipment models | ✅ Public |
| /api/equipment/categories | GET | Equipment categories | ✅ Public |
Admin Endpoints (Admin Role Required)
| Endpoint | Method | Purpose | Auth Status |
|---|---|---|---|
| /api/admin/* | POST/GET/DELETE | Admin operations | ✅ Has `ADMIN_API_TOKEN` + IP whitelist |
| /api/admin/reindex | POST | Trigger reindex | ✅ Token protected |
| /api/admin/debug-query | GET | Debug query builder | ✅ Token protected |
Note: Admin endpoints use custom token auth (`ADMIN_API_TOKEN`), not Clerk. Consider migrating to Clerk for consistency.
Recommendation:
- Keep search endpoints public (catalog browsing)
- Consider Clerk auth for admin endpoints for consistency
Catalog Service
Base URL: /api
Public Endpoints (No Auth Required)
| Endpoint | Method | Purpose | Status |
|---|---|---|---|
| /health | GET | Health check | ✅ Public |
| /ready | GET | Readiness check | ✅ Public |
| /api/example | GET | Example routes | ✅ Public |
| /api/search-integration | GET/POST | Search integration | ✅ Public |
Customer Endpoints (Auth Required)
| Endpoint | Method | Purpose | Auth Status |
|---|---|---|---|
| None currently defined | - | - | - |
Admin Endpoints (Admin Role Required)
| Endpoint | Method | Purpose | Auth Status |
|---|---|---|---|
| None currently defined | - | - | - |
Recommendation:
- Add CRUD endpoints for parts, brands, categories
- Protect with admin role
User Service
Base URL: /api
Status
⚠️ Not analyzed yet - Need to review routes
Media Service
Base URL: /api
Status
⚠️ Not analyzed yet - Need to review routes
Health Analytics Service
Base URL: /api
Status
⚠️ Not analyzed yet - Need to review routes
Summary Statistics
| Service | Total Endpoints | Public | Customer | Admin | Todo |
|---|---|---|---|---|---|
| Payment | 8 | 4 | 4 | 0 | 4 |
| Search | 11 | 8 | 0 | 3 | 0 |
| Catalog | 4 | 4 | 0 | 0 | 0 |
| Identity | ? | ? | ? | ? | ? |
| Media | ? | ? | ? | ? | ? |
| Health Analytics | ? | ? | ? | ? | ? |
Total TODO Items: 4+ endpoints need auth implementation
Implementation Priority
🔴 P0 (Critical - Do Immediately)
- Payment Service - Customer Routes
  - Add `clerkMiddleware()` to `/api/checkout`, `/api/customers/*`
  - Add ownership checks (customer can only access own data)
  - Add admin endpoints for refunds
  - Add
🟡 P1 (High - Do This Week)
- Search Service - Admin Migration
  - Migrate admin endpoints from token auth to Clerk
  - Add `requireRole('admin')` middleware
  - Keep backward compatibility with `ADMIN_API_TOKEN` temporarily
- Catalog Service - CRUD Endpoints
  - Add admin CRUD for parts, brands, categories
  - Protect with `requireRole('admin')`
🟢 P2 (Medium - Do Next Week)
- Identity/Media/Health Services
  - Audit and classify endpoints
  - Add auth where needed
Next Steps
- ✅ Complete audit (this document)
- 🔄 Create Clerk env vars template
- 🔄 Add shared-auth to all services
- 🔄 Implement auth in Payment service (P0)
- 🔄 Write integration tests
- 🔄 Deploy with monitoring
Last Updated: 2025-11-13 Reviewed By: Backend Team
Clerk Frontend Integration Guide
Prerequisites:
- Backend Phases 1 & 2 must be deployed
- Phase 0 (Clerk Dashboard setup) must be completed
- Environment variables from backend team
CI Testing Architecture
This document describes the monorepo CI testing architecture, designed to handle multiple services independently with full rollback safety.