restrict /api/v1/accounts exposure #6438

Open · opened 2026-02-22 12:54:44 -05:00 by deekerman (Owner) · 0 comments

Originally created by @jrespeto on GitHub (Jan 31, 2026).

Describe the problem to be solved

First off, I’ve been spending time building against PeerTube recently and have been genuinely enjoying it and promoting it to my friends. It’s refreshing to work with a project that prioritizes decentralization and transparency. Thank you for all the effort you put into it.


While working on a plugin and reviewing the APIs, I noticed that /api/v1/accounts is accessible without authentication.

From a security perspective, this allows broad account enumeration, including accounts without any public-facing content. This increases the risk of scraping, profiling, and abuse with limited practical benefit for unauthenticated clients.

It would be preferable to restrict this endpoint to accounts that have public videos (or otherwise publicly visible content), aligning API exposure with intended public visibility and reducing unnecessary data exposure.

Describe the solution you would like

Silently force a search filter when unauthenticated.

```ts
import express from 'express'
// Import paths assumed to match the layout of server/core/controllers/api/accounts.ts
import { getFormattedObjects } from '../../../helpers/utils.js'
import { AccountModel } from '../../../models/account/account.js'

async function listAccounts (req: express.Request, res: express.Response) {
  // res.locals.oauth is populated by the optional OAuth middleware when a valid token is sent
  const isAuth = !!res.locals.oauth

  // For unauth users, force a search term that yields only public accounts.
  if (!isAuth) {
    const forcedSearch = 'some_search_limiting_search' // placeholder from the proposal

    // The fourth (search) argument is the extra parameter this proposal adds;
    // listForApi as shipped takes only start, count and sort.
    const resultList = await AccountModel.listForApi(
      req.query.start,
      req.query.count,
      req.query.sort,
      forcedSearch
    )
    return res.json(getFormattedObjects(resultList.data, resultList.total))
  }

  // For auth users, keep original behavior (no extra arg).
  const resultList = await AccountModel.listForApi(req.query.start, req.query.count, req.query.sort)

  return res.json(getFormattedObjects(resultList.data, resultList.total))
}
```
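As an added illustration of the restriction the issue asks for (this is not code from the issue author or from PeerTube), the TypeScript below gates the listing on whether an account owns at least one public video rather than on a forced search term. The `AccountRow`/`VideoRow` shapes, the in-memory sample data, `MAX_COUNT` and the `listAccounts` signature are stand-ins invented for this example; the `VideoPrivacy` numbering is assumed to match PeerTube's. The visibility filter runs before counting and paginating, so the `total` returned to unauthenticated callers only counts accounts they are allowed to see.

```typescript
// Added example, not PeerTube's own code. In-memory stand-ins for the
// account and video tables so the listing logic runs offline.

// Privacy values assumed to mirror PeerTube's VideoPrivacy numbering.
enum VideoPrivacy { PUBLIC = 1, UNLISTED = 2, PRIVATE = 3, INTERNAL = 4 }

interface AccountRow { id: number; name: string; host: string }
interface VideoRow { id: number; accountId: number; privacy: VideoPrivacy }

interface ListQuery { start?: number; count?: number; sort?: string }
interface ListResult<T> { total: number; data: T[] }

// Cap page size so a scraper cannot pull the whole table in one request.
const MAX_COUNT = 100

// Constructed sample data (hypothetical accounts and videos).
const ACCOUNTS: AccountRow[] = [
  { id: 1, name: 'alice', host: 'tube.example' }, // one public video
  { id: 2, name: 'bob', host: 'tube.example' },   // only a private video
  { id: 3, name: 'carol', host: 'tube.example' }, // no videos at all
  { id: 4, name: 'dave', host: 'tube.example' },  // unlisted + public
  { id: 5, name: 'erin', host: 'tube.example' }   // internal only
]
const VIDEOS: VideoRow[] = [
  { id: 10, accountId: 1, privacy: VideoPrivacy.PUBLIC },
  { id: 11, accountId: 2, privacy: VideoPrivacy.PRIVATE },
  { id: 12, accountId: 4, privacy: VideoPrivacy.UNLISTED },
  { id: 13, accountId: 4, privacy: VideoPrivacy.PUBLIC },
  { id: 14, accountId: 5, privacy: VideoPrivacy.INTERNAL }
]

// Accounts owning at least one PUBLIC video. UNLISTED is deliberately
// excluded: reachable by link, but not meant to be discoverable.
function accountIdsWithPublicVideos (videos: VideoRow[]): Set<number> {
  const ids = new Set<number>()
  for (const v of videos) {
    if (v.privacy === VideoPrivacy.PUBLIC) ids.add(v.accountId)
  }
  return ids
}

// PeerTube-style sort strings: 'name' ascending, '-name' descending.
function sortAccounts (rows: AccountRow[], sort: string): AccountRow[] {
  const desc = sort.startsWith('-')
  const field = desc ? sort.slice(1) : sort
  if (field !== 'id' && field !== 'name') throw new Error(`unsupported sort: ${sort}`)
  const sorted = [...rows].sort((a, b) => {
    const x = a[field]
    const y = b[field]
    if (typeof x === 'number' && typeof y === 'number') return x - y
    return String(x).localeCompare(String(y))
  })
  return desc ? sorted.reverse() : sorted
}

// `authenticated` is what an Express handler would derive from res.locals.oauth.
function listAccounts (
  authenticated: boolean,
  query: ListQuery,
  accounts: AccountRow[] = ACCOUNTS,
  videos: VideoRow[] = VIDEOS
): ListResult<AccountRow> {
  const start = Math.max(0, query.start ?? 0)
  const count = Math.min(MAX_COUNT, Math.max(1, query.count ?? 15))

  // Apply the visibility gate BEFORE counting and paginating, so `total`
  // on the unauthenticated response does not reveal how many accounts
  // were hidden.
  let visible = accounts
  if (!authenticated) {
    const publicIds = accountIdsWithPublicVideos(videos)
    visible = accounts.filter(a => publicIds.has(a.id))
  }

  const sorted = sortAccounts(visible, query.sort ?? 'id')
  return { total: sorted.length, data: sorted.slice(start, start + count) }
}
```

An Express handler would call `listAccounts(!!res.locals.oauth, req.query)` and hand the result to `res.json`, mirroring the `getFormattedObjects(resultList.data, resultList.total)` shape in the proposal. Filtering before counting matters: if the unfiltered count were returned, `total` would become an oracle for how many accounts the server is hiding from unauthenticated clients.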

Reference: starred/PeerTube#6438