Files
deflock/api
Jeremy Knows 3eceedb9c6 fix GraphQL query injection in /sponsors/github
The username query param was interpolated directly into the GitHub GraphQL
query string (user(login: "${username}")) sent with the server token, and
the route only validated it as a string, so a value containing a quote could
break out of the string literal and alter the query document. Impact depends
on the token's scope; at minimum it allows tampering with the query structure.

Two changes:
- Pass the username as a $login GraphQL variable so it can never alter the
  query document (the actual fix).
- Validate username against GitHub's username format at the route as
  defense-in-depth, rejecting malformed input before it reaches the API.

Adds a regression test for the query builder (bun test). No change in
returned data for valid usernames.
2026-07-07 22:27:40 -04:00
..
2026-04-26 17:14:57 -06:00
2026-04-19 15:28:05 -06:00

DeFlock API

A Fastify-based API service for DeFlock handling non-OSM related backend logic.

Endpoints

  • /geocode?query=... — Geocode a location
  • /sponsors/github?username=... — Get GitHub sponsors
  • /healthcheck — Health check

Development

Prerequisites

  • Bun installed

Install dependencies

bun install

Run locally

bun dev

Deployment

Deployed via GitHub Actions on push to master.

Environment Variables

Create a .env file in this directory with:

  • GITHUB_TOKEN — Required for GitHub Sponsors endpoint