Restrict upgrade-status endpoint to authenticated root team members

- Add auth:sanctum middleware to /api/upgrade-status route - Check user belongs to root team (id 0) before returning status - Return 403 if user is not authorized - Update frontend to send credentials with fetch request - Update OpenAPI docs with 401/403 responses 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-04-17 23:20:43 +00:00 · 2025-12-12 21:16:36 +01:00
parent dc9f612df4
commit 3cc416a806
3 changed files with 41 additions and 3 deletions
--- a/app/Http/Controllers/Api/OtherController.php
+++ b/app/Http/Controllers/Api/OtherController.php
@@ -189,9 +189,12 @@ class OtherController extends Controller

    #[OA\Get(
        summary: 'Upgrade Status',
-        description: 'Get the current upgrade status. Returns the step and message from the upgrade process.',
+        description: 'Get the current upgrade status. Returns the step and message from the upgrade process. Only available to root team members.',
        path: '/upgrade-status',
        operationId: 'upgrade-status',
+        security: [
+            ['bearerAuth' => []],
+        ],
        responses: [
            new OA\Response(
                response: 200,
@@ -204,6 +207,19 @@ class OtherController extends Controller
                        new OA\Property(property: 'message', type: 'string', example: 'Pulling Docker images'),
                    ]
                )),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 403,
+                description: 'You are not allowed to view upgrade status.',
+                content: new OA\JsonContent(
+                    type: 'object',
+                    properties: [
+                        new OA\Property(property: 'message', type: 'string', example: 'You are not allowed to view upgrade status.'),
+                    ]
+                )),
            new OA\Response(
                response: 400,
                ref: '#/components/responses/400',
@@ -212,6 +228,12 @@ class OtherController extends Controller
    )]
    public function upgradeStatus(Request $request)
    {
+        // Only root team members can view upgrade status
+        $user = auth()->user();
+        if (! $user || $user->currentTeam()->id !== 0) {
+            return response()->json(['message' => 'You are not allowed to view upgrade status.'], 403);
+        }
+
        $statusFile = '/data/coolify/source/.upgrade-status';

        if (! file_exists($statusFile)) {