GuardAPI

Fix Shadow API Exposure in RedwoodJS

RedwoodJS abstracts the API layer so well that developers often forget every service is a potential public endpoint. Shadow APIs manifest here when internal-only CRUD logic is exposed via GraphQL resolvers without explicit directive guards or when serverless functions in 'api/src/functions' are deployed without middleware verification. If you didn't explicitly lock it down, consider it leaked.

The Vulnerable Pattern

// api/src/services/posts/posts.js
import { db } from 'src/lib/db'

export const posts = () => {
  return db.post.findMany() // CRITICAL: no authentication or ownership check
}

// api/src/functions/internalStats.js
import { db } from 'src/lib/db'

// SHADOW: publicly accessible serverless function that bypasses the GraphQL guards
export const handler = async (event, context) => {
  const data = await db.user.count()
  return { statusCode: 200, body: JSON.stringify({ data }) }
}

The Secure Implementation

To kill shadow exposure, you must enforce a 'Deny by Default' posture. First, audit the 'api/src/functions' directory; any file here becomes a public HTTP route. If it's not a webhook with signature validation, wrap it in a custom auth check. Second, for the GraphQL layer, utilize Redwood's '@requireAuth' directive in your SDLs. Never rely on the frontend to filter data. Always invoke 'requireAuth()' inside your service resolvers to ensure the execution context is validated against the user's session and roles before hitting the database.

// api/src/lib/auth.js
import { AuthenticationError, ForbiddenError } from '@redwoodjs/graphql-server'

// Throws unless the request carries an authenticated user and, when `roles`
// is given, at least one of the listed roles. `context` is Redwood's
// per-request global on the api side, populated by the configured auth provider.
export const requireAuth = ({ roles } = {}) => {
  const user = context.currentUser
  if (!user) {
    throw new AuthenticationError("You don't have permission to do that.")
  }
  // currentUser.roles may be a single string or an array depending on the provider
  const userRoles = [].concat(user.roles ?? [])
  if (roles && !roles.some((role) => userRoles.includes(role))) {
    throw new ForbiddenError("You don't have access to do that.")
  }
}

// api/src/services/posts/posts.js
import { db } from 'src/lib/db'
import { requireAuth } from 'src/lib/auth'

export const posts = () => {
  requireAuth({ roles: ['ADMIN', 'MODERATOR'] })
  return db.post.findMany()
}

// api/src/functions/internalStats.js
import { db } from 'src/lib/db'

export const handler = async (event, context) => {
  // Enforce auth at the function level before touching the database
  if (!context.clientContext?.user) {
    return { statusCode: 401 }
  }
  const data = await db.user.count()
  return { statusCode: 200, body: JSON.stringify({ data }) }
}
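The audit described above (every SDL field needs @requireAuth or an explicit @skipAuth, every service resolver must call requireAuth() before it reaches the database) can be run as a static check. The helper below is an added example, not code from the page or from RedwoodJS; it assumes prettier-style formatting and uses constructed sample inputs rather than real project files.

```javascript
// Added audit helper, not from the page or from RedwoodJS: flags SDL fields and
// service resolvers that lack an explicit auth guard (assumes prettier layout).
// Query/Mutation fields carrying neither @requireAuth nor an explicit @skipAuth.
function unguardedSdlFields(sdl) {
  const findings = []
  const blockRe = /type\s+(Query|Mutation)\s*\{([^}]*)\}/g
  let m
  while ((m = blockRe.exec(sdl)) !== null) {
    for (const raw of m[2].split('\n')) {
      const field = raw.trim().match(/^(\w+)\s*[(:]/)
      if (field && !/@(requireAuth|skipAuth)\b/.test(raw)) {
        findings.push(`${m[1]}.${field[1]}`)
      }
    }
  }
  return findings
}
// Exported resolvers that never call requireAuth(), or touch db before it does.
function unguardedResolvers(src) {
  const findings = []
  const re = /export\s+const\s+(\w+)\s*=\s*(?:async\s*)?\([^)]*\)\s*=>\s*\{([\s\S]*?)\n\}/g
  let m
  while ((m = re.exec(src)) !== null) {
    const auth = m[2].indexOf('requireAuth(')
    const dbUse = m[2].indexOf('db.')
    if (auth === -1 || (dbUse !== -1 && dbUse < auth)) findings.push(m[1])
  }
  return findings
}
// Constructed sample inputs, not real project files.
const SAMPLE_SDL = `type Query {
  posts: [Post!]! @requireAuth
  draftPosts: [Post!]!
}
type Mutation {
  createPost(input: CreatePostInput!): Post!
  deletePost(id: Int!): Post! @requireAuth(roles: ["ADMIN"])
}`
const SAMPLE_SERVICE = `export const posts = () => {
  requireAuth({ roles: ['ADMIN', 'MODERATOR'] })
  return db.post.findMany()
}
export const draftPosts = () => {
  return db.post.findMany({ where: { published: false } })
}
export const post = ({ id }) => {
  const row = db.post.findUnique({ where: { id } })
  requireAuth()
  return row
}`
```

Running the two functions over the samples reports `Query.draftPosts` and `Mutation.createPost` as unguarded fields, and `draftPosts` (no guard) plus `post` (database read before the guard) as unguarded resolvers.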


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.