From 8577a4b524d29c8205c650a1875bba0b6f01189f Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Sun, 29 Mar 2026 11:16:17 +0000
Subject: [PATCH] fix: multiple api endpoints across flight-esm and fl... in region.js

Multiple API endpoints across flight-esm and flight fixtures expose functionality without any authentication mechanisms
---
 fixtures/flight-esm/server/region.js | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/fixtures/flight-esm/server/region.js b/fixtures/flight-esm/server/region.js
index fe992b6daf53..eec33bd27e84 100644
--- a/fixtures/flight-esm/server/region.js
+++ b/fixtures/flight-esm/server/region.js
@@ -21,6 +21,33 @@ const nodeModule = require('node:module');
 app.use(compress());
+// Authentication middleware
+function authenticate(req, res, next) {
+ const authToken = process.env.AUTH_TOKEN;
+ if (authToken) {
+ // Validate bearer token when AUTH_TOKEN is configured
+ const authHeader = req.get('Authorization');
+ if (authHeader !== 'Bearer ' + authToken) {
+ res.status(401).json({error: 'Unauthorized'});
+ return;
+ }
+ } else {
+ // Default: restrict to localhost only
+ const remoteAddress = req.socket.remoteAddress;
+ const isLocalhost =
+ remoteAddress === '127.0.0.1' ||
+ remoteAddress === '::1' ||
+ remoteAddress === '::ffff:127.0.0.1';
+ if (!isLocalhost) {
+ res.status(401).json({error: 'Unauthorized'});
+ return;
+ }
+ }
+ next();
+}
+
+app.use(authenticate);
+
 // Application
 const {readFile} = require('fs').promises;
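Review bot: The bearer-token branch compares the secret with `authHeader !== 'Bearer ' + authToken`, an early-exit string comparison whose duration depends on how many leading bytes match, so the token can be probed through response timing; `crypto.timingSafeEqual` on equal-length buffers avoids that, and needs `const crypto = require('node:crypto');` beside the other requires above the hunk. The same branch answers 401 without a `WWW-Authenticate: Bearer` header, so a client gets no indication of the expected scheme. In the fallback branch the localhost check is effectively open for any deployment where a reverse proxy or container network terminates connections on the same host, since every request then arrives from 127.0.0.1; a startup warning when `AUTH_TOKEN` is unset would make that default visible, and 403 rather than 401 is the conventional status for an address-based denial.
```javascript
  if (authToken) {
    // Compare the whole header against the expected value in constant time so
    // a prefix match cannot be distinguished from a full mismatch by timing.
    const expected = Buffer.from(`Bearer ${authToken}`);
    const provided = Buffer.from(req.get('Authorization') ?? '');
    const tokenMatches =
      provided.length === expected.length &&
      crypto.timingSafeEqual(provided, expected);
    if (!tokenMatches) {
      res.set('WWW-Authenticate', 'Bearer');
      res.status(401).json({error: 'Unauthorized'});
      return;
    }
  } else {
    // … unchanged: localhost fallback …
  }
```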