Summary
The Catalog API registers CreateItem, UpdateItem (v1 and v2), and DeleteItemById endpoints with no authentication or authorization requirement. Any unauthenticated network client can create, overwrite, or delete catalog items. Unlike every other microservice in the application (Ordering, Basket, Webhooks), the Catalog API does not call builder.AddDefaultAuthentication() in its Extensions.cs and does not apply .RequireAuthorization() to its mutation routes.
Details
In src/Catalog.API/Apis/CatalogApi.cs (lines 92-110), the mutation routes are registered as:
v1.MapPut("/items", UpdateItemV1)
v2.MapPut("/items/{id:int}", UpdateItem)
api.MapPost("/items", CreateItem)
api.MapDelete("/items/{id:int}", DeleteItemById)
None of these route registrations call .RequireAuthorization().
In src/Catalog.API/Program.cs, neither app.UseAuthentication() nor app.UseAuthorization() is called, and there is no global authorization middleware.
In src/Catalog.API/Extensions/Extensions.cs, the AddApplicationServices method does not call builder.AddDefaultAuthentication(), unlike the Basket API (src/Basket.API/Extensions/Extensions.cs line 10: builder.AddDefaultAuthentication()), the Ordering API (src/Ordering.API/Extensions/Extensions.cs line 10: builder.AddDefaultAuthentication()), and the Webhooks API.
This is confirmed in the AppHost configuration (src/eShop.AppHost/Program.cs): the catalogApi resource is the only service not passed Identity__Url as an environment variable. The basket, ordering, and webhooks services all receive .WithEnvironment("Identity__Url", identityEndpoint), which is the configuration AddDefaultAuthentication() checks before it registers the JWT bearer handler. Catalog receives no such configuration. The gap is therefore in two places: the service never registers authentication or marks its mutation routes, and the AppHost never supplies the identity configuration that registration would depend on. Fixing only one of the two does not close the hole.
Additionally, src/eShop.AppHost/Extensions.cs registers a YARP catch-all route /api/catalog/{*any} in ConfigureMobileBffRoutes that forwards all catalog API requests (including mutations) from the mobile BFF without adding any authentication layer.
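The following is an added example of the remediation, not code from the eShop repository: it applies to the Catalog API the same pattern the Basket, Ordering and Webhooks services already use (AddDefaultAuthentication() plus RequireAuthorization()), and pairs it with a regression test. It assumes the Catalog API references eShop.ServiceDefaults, which provides AddDefaultAuthentication(), that the AppHost passes Identity__Url to catalog-api, and that the test host has Identity:Url set so the bearer handler is registered; the base path, the handler names taken from the report, and the test project path are illustrative.

```csharp
// Added example (not the project's code). Assumptions: eShop.ServiceDefaults supplies
// AddDefaultAuthentication(); the AppHost passes Identity__Url to catalog-api; handler
// names (CreateItem, UpdateItem, DeleteItemById, GetAllItems, GetItemById) are the
// existing methods in CatalogApi.cs; base path and versioning are simplified.

// --- src/eShop.AppHost/Program.cs (fragment, hypothetical) ---
// var catalogApi = builder.AddProject<Projects.Catalog_API>("catalog-api")
//     .WithEnvironment("Identity__Url", identityEndpoint);
// Without Identity__Url, AddDefaultAuthentication() returns early and registers nothing.

// --- src/Catalog.API/Program.cs ---
var builder = WebApplication.CreateBuilder(args);

builder.AddServiceDefaults();
builder.AddApplicationServices();
builder.AddDefaultAuthentication();   // JWT bearer + authorization services, keyed off Identity:Url

var app = builder.Build();

app.MapDefaultEndpoints();
app.UseAuthentication();              // populate HttpContext.User from the bearer token
app.UseAuthorization();               // enforce RequireAuthorization() metadata on endpoints
app.MapCatalogApi();

app.Run();

// Top-level statements make Program internal; expose it for WebApplicationFactory<Program>.
public partial class Program { }

// --- src/Catalog.API/Apis/CatalogApi.cs (fragment) ---
public static class CatalogApi
{
    public static IEndpointRouteBuilder MapCatalogApi(this IEndpointRouteBuilder app)
    {
        var api = app.MapGroup("api/catalog");   // illustrative base path

        // Reads stay anonymous: the storefront browses the catalog without logging in.
        api.MapGet("/items", GetAllItems);
        api.MapGet("/items/{id:int}", GetItemById);

        // Every mutation hangs off one group that carries the authorization requirement,
        // so a route added later cannot silently ship without it (fail closed by default).
        var mutations = api.MapGroup("").RequireAuthorization();
        mutations.MapPost("/items", CreateItem);
        mutations.MapPut("/items/{id:int}", UpdateItem);
        mutations.MapDelete("/items/{id:int}", DeleteItemById);

        return app;
    }

    // GetAllItems, GetItemById, CreateItem, UpdateItem, DeleteItemById: the handlers
    // already present in the project's CatalogApi.cs (bodies unchanged, omitted here).
}

// --- tests/Catalog.API.Tests/MutationAuthorizationTests.cs (hypothetical path) ---
// Requires Microsoft.AspNetCore.Mvc.Testing and xunit; the test host must carry an
// Identity:Url setting (e.g. via appsettings.Test.json) so the bearer handler exists.
using System.Net;
using System.Net.Http.Json;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

public class MutationAuthorizationTests : IClassFixture<WebApplicationFactory<Program>>
{
    private readonly HttpClient _client;

    public MutationAuthorizationTests(WebApplicationFactory<Program> factory)
        => _client = factory.CreateClient();

    [Theory]
    [InlineData("POST", "/api/catalog/items")]
    [InlineData("PUT", "/api/catalog/items/1")]
    [InlineData("DELETE", "/api/catalog/items/1")]
    public async Task Mutation_without_bearer_token_is_rejected(string method, string path)
    {
        using var request = new HttpRequestMessage(new HttpMethod(method), path);
        if (method != "DELETE")
        {
            // Constructed payload; the shape does not matter because the request must
            // be rejected before model binding or the handler runs.
            request.Content = JsonContent.Create(new { Id = 1, Name = "x", Price = 0.01m });
        }

        var response = await _client.SendAsync(request);

        // The JWT handler's challenge yields 401. A 2xx here is exactly the bug reported.
        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
    }
}
```

Putting RequireAuthorization() on a route group rather than on each MapPost/MapPut/MapDelete call is deliberate: the v1 and v2 UpdateItem variants in the report show how easily a second registration of the same operation appears, and a per-route annotation is the thing that gets forgotten. The theory test exercises all three mutation verbs without a token, so it also guards the YARP catch-all path, which forwards the request to the same endpoints.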
PoC
(available upon request)
Impact
Any unauthenticated attacker with network access to the Catalog API (directly or via the YARP mobile BFF) can add fraudulent products at arbitrary prices, modify existing product prices to cause financial loss, or delete all catalog items to cause a denial of service for the storefront. In a production deployment this would allow price manipulation attacks (creating $0.01 items), catalog defacement, and complete inventory destruction.