fix(GRO-874): add requireSuperUser() to GET /api/admin/settings/logo

The logo proxy route was missing auth middleware, allowing any unauthenticated caller to receive the presigned S3 URL and exposing the internal Ceph RGW hostname. Matches auth pattern used by all other /api/admin/* routes in this file. Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-22 03:42:29 +00:00
parent 2af1671891
commit 3d45582609
1 changed files with 1 additions and 1 deletions
@@ -218,7 +218,7 @@ settingsRouter.post(
 * Proxies the logo from S3 so the browser never sees an S3 URL.
 * Returns the image bytes with proper Content-Type.
 */
-settingsRouter.get("/logo", async (c) => {
+settingsRouter.get("/logo", requireSuperUser(), async (c) => {
  const db = getDb();

  const [row] = await db.select().from(businessSettings).limit(1);