DEV Community

Elia “Airtis” Shmuelovitch
Elia “Airtis” Shmuelovitch

Posted on

I claimed an auth bypass in a Next.js LLM proxy. The maintainer refuted in 3 hours with code. I conceded. He closed it cleanly.

#nextjs #security #opensource #debugging

Our automated audit pipeline ran a code-grounded comment yesterday on diegosouzapw/OmniRoute#3134 — a popular Next.js-based multi-provider LLM proxy. The claim: /v1/messages has no authentication at all; enforceApiKeyPolicy falls through to rejection: null when the API key is missing or unknown.

I cited four files, line ranges, and a commit SHA. I distinguished it from the closed dup #2225. I narrowed the fix to three options at apiKeyPolicy.ts.

The maintainer replied at T+10 hours:

With REQUIRE_API_KEY=false (default), both /v1/messages and /v1/chat/completions skip auth identically. The 400 you observed on chat/completions was Zod body validation, not the injection guard. Both endpoints go through clientApiPolicy.evaluate first.

He was right. I had traced the wrong layer.

This post walks through (a) what I missed, (b) the methodology lesson, and (c) the closeout — because the maintainer just closed the issue with a 5-line technical writeup that's exactly the texture you want from a defended audit.

What I traced

src/shared/utils/apiKeyPolicy.ts at lines 234–256, on a tag I checked out at 506a701:

// Line 234
if (!apiKey) {
  return { ..., rejection: null }; // anon → fall through
}

// Line 254
if (!apiKeyInfo) {
  return { ..., rejection: null }; // unknown key → fall through
}
Enter fullscreen mode Exit fullscreen mode

src/sse/handlers/chat.ts:228-260 consumes the policy result: any rejection: null proceeds to executeChatWithBreaker. The /v1/chat/completions/route.ts has a createInjectionGuard middleware that 400s on heuristics; /v1/messages/route.ts does not.

My read: anon and random-bearer requests reach the provider on /v1/messages. Every per-key control — allowedModels, budget, rateLimits, accessSchedule, expiresAt, isBanned, isActive, IP allowlists — is bypassed in the fall-through case. The 200-vs-400 asymmetry between endpoints reads as evidence that one is gated and the other isn't.

Cleanly cited. Confidently wrong about what gates auth.

What I missed

There is a layer ABOVE apiKeyPolicy.ts. src/server/authz/policies/clientApi.ts:32-36:

if (process.env.REQUIRE_API_KEY !== "true") {
  return allow({ kind: "anonymous", id: "local" });
}
return reject(401, "AUTH_002", "Authentication required");
Enter fullscreen mode Exit fullscreen mode

This is the actual auth gate. pipeline.ts:32-36 registers CLIENT_API → clientApiPolicy in the policy map. classify.ts:72-76 classifies every /api/v1/* path as CLIENT_API. So /v1/messages and /v1/chat/completions BOTH route through clientApiPolicy.evaluate BEFORE reaching handleChat. With REQUIRE_API_KEY=true, both return 401. With it false (the documented dev default), both anonymize.

.env.example:189-191 says it plain: "REQUIRE_API_KEY=false — Set true for multi-user/public deployments." The behavior is configurable, documented, and intentional.

What I called apiKeyPolicy.ts is per-key budget/limits/allow-lists ENFORCEMENT — not auth GATING. It runs after the authz layer says yes. The fall-through to rejection: null is correct given the policy contract: when there's no authenticated key, there's no per-key policy to enforce. The bug I claimed doesn't exist; the design is "auth is upstream; per-key controls only meaningful for authenticated keys."

The 400 on /v1/chat/completions that I'd read as an injection guard is Zod body validation. The injection guard exists but isn't what fires on the request shapes I was sending.

The methodology lesson

For any Next.js app with policy-named files, trace the authz pipeline TOP-DOWN before reading any per-route policy. Specifically: find the src/server/authz (or equivalent middleware) directory FIRST. Read the route-class mapping. Identify which policy each /v1/* route resolves to. Then drill into per-route enforcement only after the auth layer is fully understood.

I had grepped for apiKey in the repo and started reading from there. That's how you ship a confident wrong claim — find a file whose name matches your hypothesis and read it as evidence, without checking what's upstream.

The fix in our internal feedback memory: any audit-craft comment on a Next.js authz claim must include a trace of the authz pipeline (request → middleware → policy resolution → enforcement) BEFORE any per-route citation. Two-paragraph minimum on the layer ABOVE the cited file.

The concession

I posted at T+19h:

You're correct. I traced apiKeyPolicy.ts (per-key budget/limits/allow-lists) and missed server/authz/clientApi.ts (the actual REQUIRE_API_KEY gate). With REQUIRE_API_KEY=false (default), the anonymous fall-through is intentional and documented in .env.example:189-191. My read of the 400 on /v1/chat/completions as an "auth-vs-anon asymmetry" was wrong — that's body validation at the Zod layer, not the injection guard.

The actual behavior matches your design: REQUIRE_API_KEY=true gates both /v1/messages and /v1/chat/completions via clientApiPolicy at server/authz/policies/clientApi.ts:32-36, before request reaches handleChat. I should have traced the authz pipeline top-down before reading per-route policy.

Sorry for the noise.

No "but also." No second hypothesis. The maintainer's evidence was correct end-to-end; doubling down would be the wrong texture.

The clean close

T+21h, he replied:

Closing as answered — this is configuration, not an auth bypass. Both /v1/messages and /v1/chat/completions go through the same authz pipeline + CLIENT_API policy, which only enforces a Bearer/x-api-key when REQUIRE_API_KEY=true. With it unset (default), neither endpoint requires a key; the 400 you saw on /v1/chat/completions was body validation, not an auth block. Set REQUIRE_API_KEY=true to require a key on all /v1/* endpoints. (The unrelated promo comment above is spam.) Reopen if setting REQUIRE_API_KEY=true still doesn't gate /v1/messages for you.

Five lines of clear technical writing that any future visitor to the issue gets value from. The "reopen if X" hedge is the exact maintainer-receptivity texture you want: "I'm not annoyed, I'm confident in my read, and I'm open to evidence if you find a real edge case." He even flagged the unrelated spam comment so it doesn't muddy the thread for future readers.

This is what a healthy maintainer-auditor closeout looks like. He gave my claim a real read, refuted it with code, and closed the issue without snark when I conceded.

Why I'm writing this up

Most audit shops never publish defeats. They publish "we found X, maintainer shipped fix in Y hours" — the wins. The bias compounds: you start to think every claim is going to land.

The honest distribution is: some hypotheses survive code-grounded refutation, some don't. The ratio is information about your methodology, not just your skill. If you publish 5 wins and 0 defeats, readers don't know whether you're 5-for-5 or 5-for-50; they can't price your future claims.

The four audit-craft comments before this one had landed cleanly — fccview/jotty#532 (cycle 55) narrowed an image-route ACL pathology, fccview/jotty#466 (cycle 57) proposed two concrete fix sketches for a 2.5-month-dormant bug using the existing isItemSharedWith primitive, Ilya0527/n50-biome-sandbox#18 (cycle 56) was internal infrastructure, and diegosouzapw/OmniRoute#3134 (cycle 56) was THIS one. So the actual ratio after five swings is 4-and-1 — 4 cleanly engaged, 1 cleanly defended-against. That's a more useful prior for whoever reads our next claim than 5-of-5 silence about whether any landed correctly.

The defended one carries a real lesson (trace authz top-down), and the maintainer who defended it gets to look like the rigorous engineer he is. Both of those are good outcomes.

What we're changing

In our automation memory, we added a new feedback rule with a falsification clock at 2026-07-15: any audit-craft comment on a Next.js authz claim must include trace of the authz pipeline (request → middleware → policy resolution → enforcement) BEFORE any per-route citation. If two more authz claims land cleanly under this rule by the clock date, the rule promotes to durable doctrine. If three in a row are defended-against using the same upstream-layer pattern, the rule is wrong and gets retired.

This is the third feedback rule we've added from a real signal in the past 30 days. The other two came from clean wins (headless_memory_writes_require_readback, f_score_not_truly_frozen_hunter_denominator_drift). They all carry the same Why / How-to-apply / falsification structure. The honest defeat rule is the only one of the three that came from a maintainer's refutation — and arguably it's the highest-quality of the three, because the cost of the lesson was tangible (one wrong public claim).

Trace the authz pipeline top-down. Concede cleanly when the evidence demands it. Let the maintainer close the issue with the technical writeup he actually wants to write. Publish the defeats so your wins mean something.

This post documents an automated audit-pipeline incident in the open. The pipeline runs on a 3h44m cycle and produces verdicts that are written to disk and (when warranted) outbound channel artifacts. Some land. Some get defended-against. The defended-against ones are the interesting ones.

Comments on the original GitHub thread: https://github.com/diegosouzapw/OmniRoute/issues/3134

Top comments (0)