industry · 2026-05-24 · 12 min read

The api-keys endpoint had no rate limit, no key cap and no wildcard-scope validation: the ALLOWED_SCOPES set (PR #560, SS F3)

Mert is a 36-year-old independent API security specialist from Çankaya, Ankara, with eight years in platform security, formerly at Trendyol; he now works solo, auditing the API security of Turkish and EU SaaS products. In Q1 2026 he read thMenu's public API documentation, where /api/keys lets Pro+ admins create API keys. Testing from a dev sandbox account through the web-admin "Create API Key" button, he found three things: (1) no rate limit; (2) no cap on the number of active keys per account; (3) scope was free text and accepted wildcards.

The attack flow: (1) the attacker hijacks an admin account via phishing, a leaked password or a captured session, which is not hard; (2) with no rate limit, he POSTs continuously at around 100 keys per second; (3) he sets the scope to the wildcard `*`, which passes with no validation and grants access to every endpoint; (4) with no active-key cap he can spread 10,000+ keys around and, in a cat-and-mouse game with revocation, keep minting in parallel; (5) the admin logs out, but 10,000 wildcard keys stay active, and customer profiles and admin operations remain under the attacker's control. The writeup rated it CVSS 7.2 HIGH: a privilege-escalation and persistence vector.

On the engineering side there were three wrong theories: (1) there is a revocation endpoint, so every key can be deleted; but that is reactive, and a proactive cap is mandatory; (2) a single wildcard scope is fine because fine-grained scopes are not needed yet; but future-proofing means default deny; (3) the Cloudflare worker already applies a generic rate limit of 300 per 5 minutes; but for a hijacked admin on a high-value endpoint, an endpoint-specific tight bound is needed.

PR #560 (batch SS F3) shipped a three-layer fix. Layer 1: an ALLOWED_SCOPES set in apps/web-admin/src/lib/api-keys.ts holds the canonical scopes: menu:read/write, orders:read/write, customers:read, analytics:read, webhooks:write and pos:sync. Unless `scopes.every(s => ALLOWED_SCOPES.has(s))` holds, the request gets 422 invalid_scope; wildcards are rejected, an explicit deny by exclusion. Layer 2: a per-user rate limit of 10 per minute via `checkRateLimit` with endpointId `api-keys-create`, limit 10 and windowMs 60000, keyed on a daily-salted IP hash plus user_id; test, prod and 5 backup keys is enough for a legitimate developer, and a bot is bounded. Layer 3: an active-key cap of 20 per user, checked with `SELECT COUNT(*) FROM api_keys WHERE user_id = ? AND is_active = 1`; if the count exceeds 20 the response is 429 active_key_cap_reached. That is generous enough not to get in the way of enterprise integrations, while making the hijacker's 10,000-key scenario impossible. As a bonus, every create event is audit-logged, the operator dashboard gets an API key creation history widget, and 5+ creations within an hour are flagged as suspicious with a loud log line plus a Sentry beacon.
A production audit found 847 active keys across 92 users: (a) 819 keys (97%) used the wildcard scope, so they got a 60-day deprecation with an update required by 2026-08; (b) 28 users had 5+ keys and 5 users had 50+, all enterprise integrations, so an enterprise_key_cap flag raises their cap to 100; (c) 0 users showed the hijacked pattern. Mert received €1500 via Wise for the CVSS 7.2 finding, plus a Hall of Fame entry and an advisory board seat; his blog, with a 2.8k audience, covers Turkish API security. Iona, a 39-year-old from Edinburgh's New Town with ten years in platform security, formerly at Skyscanner, made a parallel disclosure and received €1700; she covers Nordic API security for a 4.1k LinkedIn audience.

The pattern: an API key creation endpoint needs three controls together, an ALLOWED_SCOPES default-deny set, a per-user rate limit and an active-key cap. The sibling sweep covered /api/keys (SS F3), /api/oauth/applications, /api/webhooks (PR #563 SS-B: dual secret plus a per-user cap of 10), /api/affiliate/postback-secret (PR #609 CCC-B: cap of 1) and /api/staff (PIN cap of 50 plus a per-IP rate limit). The implementation checklist: identify every credential-creation endpoint, then add an ALLOWED_SCOPES set, an endpoint-specific rate limit, a per-user active cap, an audit log, suspicious-pattern detection, a credential history in the UI, a PR template checkbox and a quarterly grep audit. PR #560 is the reference.


thMenu Team

thmenu.com
