Request without Authorization token in header are processed

Open on Drupal.org →

Created on 19 June 2025, 5 days ago

Overview

API requests sent to the server following endpoint without an Authorization token in the request header are currently processed and allowed, rather than being rejected. This allows clients to access protected endpoints without proper authentication, posing a security risk.

List of endpoints that are processed without Authorization header :

GET , PATCH , DELETE /xb/api/v0/config/js_component/{configEntityId}
GET , PATCH , DELETE /xb/api/v0/config/xb_asset_library/{configEntityId}

Proposed resolution

User interface changes

🐛 Bug report

Status

Active

Version

0.0

Component

Page builder

Created by

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Comments & Activities

Issue created by @neha_bawankar
Comment 5 days ago →
🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
This suggests that ✨ Implement OAuth2 authentication for API endpoints related to code components Active 's test coverage was incomplete/inadequate!?

This is lacking sufficiently precise information though, because the Authorization header is needed ONLY by the CLI tool — not when using the XB UI.

Also: your screenshot shows a 404 — can you please test by pointing at an actually existing js_component? A 404 is not access bypass, not even information disclosure.

So: can you please clarify? 🙏
Comment 5 days ago →
🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
Comment about 13 hours ago →
neha_bawankar

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024