Bug 1: Unauthenticated endpoint
File: `server/index.js`, lines 1101-1103
`GET /api/v2/adapters` has no authentication middleware. It exposes the list of configured adapter channels and rule count to anyone.
Impact: Information disclosure — unauthenticated users can discover which adapter types are configured (GitHub, Slack, Telegram, etc.).
Fix: Add `v2Auth` middleware: `app.get('/api/v2/adapters', apiReadLimiter, v2Auth, ...)`
Bug 2: Endpoint credentials stored in plaintext
File: `server/db.js`, lines 838-857
The `user_auths` table correctly encrypts credentials via `encrypt()`, but the `endpoints` table stores sensitive data (GitHub tokens, webhook secrets, Telegram bot tokens) in plaintext. This leaves the security posture inconsistent between the two tables.
Fix: Apply the same `encrypt()`/`decrypt()` treatment to `endpoints.config` as done for `user_auths.credentials`.
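
The Bug 2 fix has to cope with rows that are already stored in plaintext. The sketch below is an added example, not the project's code: `sealConfig`, `openConfig`, `migrateRows`, the `enc:v1:` prefix, the choice of AES-256-GCM and the sample rows are all assumptions, since the project's own `encrypt()`/`decrypt()` are not shown here.

```javascript
// Added example: hypothetical helpers, not the project's encrypt()/decrypt().
const crypto = require('crypto');

const PREFIX = 'enc:v1:'; // constructed marker: tells ciphertext apart from legacy plaintext rows

// Encrypt an endpoint config object with AES-256-GCM; returns the string to store in endpoints.config.
function sealConfig(config, key) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every write
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(config), 'utf8'), cipher.final()]);
  return PREFIX + Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

// Read a stored config value. Legacy plaintext JSON is accepted only so existing rows
// keep working during the migration; drop that branch once every row is sealed.
function openConfig(stored, key) {
  if (!stored.startsWith(PREFIX)) return JSON.parse(stored);
  const raw = Buffer.from(stored.slice(PREFIX.length), 'base64');
  if (raw.length < 28) throw new Error('ciphertext too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the row was modified or the wrong key is used
  const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// One-time migration: seal only the rows that are still plaintext. Returns rows changed.
function migrateRows(rows, key) {
  let changed = 0;
  for (const row of rows) {
    if (row.config.startsWith(PREFIX)) continue; // already sealed, leave untouched
    row.config = sealConfig(JSON.parse(row.config), key);
    changed++;
  }
  return changed;
}

// Constructed sample data standing in for rows of the endpoints table.
const demoKey = crypto.randomBytes(32); // assumption: real key comes from the source user_auths uses
const demoRows = [
  { id: 1, config: JSON.stringify({ type: 'telegram', bot_token: 'EXAMPLE-NOT-A-REAL-TOKEN' }) },
  { id: 2, config: sealConfig({ type: 'github', token: 'EXAMPLE-NOT-A-REAL-TOKEN' }, demoKey) },
];
```
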