Hello 👋

First, thank you for this repo!

I found a vulnerability for the /api/guestbook endpoint: we don't need to be logged in to add or read guestbooks.

How to reproduce?

Sign out from the dashboard, open the dev console and paste this.

How to fix?

I think if you had some logic to retrieve the current session and user here 👍 We have the cookies sent in the headers, we can use them I think.

Reply:

Thanks for reporting! I would like to clarify that this example is mostly to show how to integrate Astro with Supabase. The app was written in a way that it's easy to read and follow. This is not production ready.

However, I appreciate the enthusiasm. I have applied a small cookie validation to the guestbook endpoints.

Closed armandsalle closed 8 months ago