
[Security] Static uploads served without authentication: any file accessible without login #334

@Midoriya-w


Summary

In apps/backend/src/app.ts, uploaded files are served as public static assets:

```ts
import path from 'path';
import fastifyStatic from '@fastify/static';

// Every file under apps/backend/uploads is exposed under /uploads/ with no auth hook
await app.register(fastifyStatic, {
  root: path.join(__dirname, '..', 'uploads'),
  prefix: '/uploads/',
  decorateReply: false,
});
```

There is no authentication middleware on the /uploads/ route. Any file uploaded by any user can be accessed directly via GET /uploads/<filename> without any login or ownership check.

Location

apps/backend/src/app.ts, fastifyStatic registration

Impact

  • Private user uploads (profile pictures, avatars, etc.) are publicly accessible to anyone
  • An attacker can enumerate filenames and access other users' uploaded files
  • No ownership validation exists between the requesting user and the file

Steps to Reproduce

  1. Upload any file as an authenticated user
  2. Note the returned file path
  3. Log out completely
  4. Access GET /uploads/<filename> directly in a browser
  5. File is returned without any auth check

Fix

Either add authentication middleware to the /uploads/ prefix, or serve files through a route handler that validates ownership before streaming the file.
