Description
The /api/auth/set-role endpoint allows any authenticated user (including newly registered users with no role) to set their own role to admin without any invite code or approval.
The invite code validation (lines 30-46 of the route file) only covers the teacher and institute roles; the admin role has no invite code requirement and no other authorization check, so the requested role is written straight from the request body.
Impact
- Any user who can authenticate (register/login) can grant themselves full admin privileges
- Gains access to all admin-only endpoints (data retention, user management, session termination, audit logs)
- Complete bypass of the RBAC system
Reproduction Steps
- Register a new user account
- Call POST /api/auth/set-role with { "role": "admin" } while authenticated as that new user
- User is now an admin with full system access
Location
app/api/auth/set-role/route.js, Lines 15-74
Suggested Fix
- Add an invite code check for the admin role (e.g., process.env.ADMIN_INVITE_CODE); compare it in constant time and reject the request when the variable is unset, so the check fails closed rather than open
- Or require that the admin role can only be assigned by an existing admin via a separate admin-only endpoint
- Change requireAuth(request) to requireAdmin(request) for the admin case