Fix Shadow API Exposure in Camping
Shadow APIs are undocumented, unmonitored endpoints that bypass security controls. In the Camping micro-framework, these often manifest as 'quick-and-dirty' debug controllers or legacy routes that lack the global authentication filters applied to the main application. If you aren't auditing your Controllers module, you're likely leaking PII or internal state to anyone with a fuzzer.
The Vulnerable Pattern
require 'camping'
Camping.goes :ShadowApp

module ShadowApp::Controllers
  class Index < R '/'
    def get; "Public Index"; end
  end

  # SHADOW ENDPOINT: undocumented, no auth, exposes internal DB state
  class InternalDebug < R '/_debug/vars'
    def get
      @vars = MyModel.all   # MyModel: a model assumed to be defined in ShadowApp::Models
      @vars.to_json         # every row is serialised to any unauthenticated caller
    end
  end
end
The Secure Implementation
To kill shadow APIs in Camping, you must eliminate 'implicit' routes. First, implement a Base controller that defaults to a 'deny-all' posture for all paths. Second, move experimental or internal endpoints into a strictly versioned namespace (e.g., /api/v1/internal). Third, use a middleware or a custom route-lister to programmatically compare the defined Controllers against your public API documentation. If a class in the Controllers module has no corresponding entry in your OpenAPI spec, flag it as security debt.
require 'camping'
Camping.goes :SecureApp

module SecureApp
  # Camping mixes the app module into every controller, so a service override
  # here is the global before-filter: the deny-all Base gate. A route-matching
  # catch-all controller (R '/.*') would instead shadow every other route.
  PUBLIC = %w[Index].freeze   # explicit allow-list of unauthenticated controllers

  def service(*a)
    name = self.class.name.split('::').last
    # @state.admin is set by the session layer (e.g. Camping::Session)
    unless PUBLIC.include?(name) || @state.admin
      r(403, "Unauthorized")   # Camping's status/body setter; there is no halt helper
      return self              # skip the action entirely, nothing is computed
    end
    super
  end
end

module SecureApp::Controllers
  class Index < R '/'
    # Listed in SecureApp::PUBLIC, so the gate lets it through
    def get; "Public Index"; end
  end

  # SECURE ENDPOINT: prefixed, RBAC-checked, and visible in audit
  class InternalDebug < R '/api/v1/internal/vars'
    def get
      @vars = MyModel.all   # MyModel: a model assumed to be defined in SecureApp::Models
      @vars.to_json
    end
  end
end
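The route-lister from the third step, as an added example that is not part of the original page or of Camping itself: it normalises Camping route patterns and OpenAPI path templates to a common key and reports every controller with no entry in the spec. The `camping_routes` helper assumes Camping 2.x internals (`Controllers.r` and `.urls`); the inventory and spec below are constructed sample data.

```ruby
require 'json'

# Normalise a Camping route pattern or an OpenAPI path template to a
# comparable key: captures like (\d+) and templates like {id} both
# become "{}", so '/post/(\d+)' and '/post/{id}' line up.
def route_key(path)
  path.gsub(/\([^)]*\)/, '{}')      # Camping capture group -> {}
      .gsub(/\{[^}]*\}/, '{}')      # OpenAPI template param -> {}
      .sub(%r{/\z}, '')             # ignore a trailing slash
      .then { |p| p.empty? ? '/' : p }
end

# Inventory of a live app (assumption: Camping 2.x, where Controllers.r
# lists route classes and each answers .urls). Not used by the sample run.
def camping_routes(controllers_mod)
  controllers_mod.r.flat_map do |klass|
    klass.urls.map { |u| [klass.name.split('::').last, u] }
  end
end

# Return the [controller, route] pairs that the OpenAPI document does not
# describe: these are the shadow routes to flag as security debt.
def shadow_routes(inventory, openapi)
  documented = openapi.fetch('paths', {}).keys.map { |p| route_key(p) }
  inventory.reject { |_, route| documented.include?(route_key(route)) }
end

# Constructed sample: what camping_routes would return for an app, plus a
# minimal spec that documents only the intended public surface.
SAMPLE_INVENTORY = [
  ['Index',         '/'],
  ['Post',          '/post/(\d+)'],
  ['InternalDebug', '/_debug/vars'],
  ['VarsV1',        '/api/v1/internal/vars'],
].freeze

SAMPLE_SPEC = JSON.parse(<<~SPEC)
  { "openapi": "3.0.0",
    "paths": { "/": {}, "/post/{id}": {}, "/api/v1/internal/vars": {} } }
SPEC

if __FILE__ == $PROGRAM_NAME
  shadow_routes(SAMPLE_INVENTORY, SAMPLE_SPEC).each do |ctl, route|
    puts "SHADOW: #{ctl} #{route} has no OpenAPI entry"
  end
end
```

Run it against the real app with `shadow_routes(camping_routes(SecureApp::Controllers), JSON.parse(File.read('openapi.json')))` in a CI step so a new undocumented controller fails the build.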
Verified by Ghost Labs Security Team