Add GitHub Copilot IDE support

FeatureOpenSwamp CLIstack7216h ago

Phase 1: /feed — judge-gated content stream

FeatureOpenSwamp Clubstack7217h ago

Add reactions and Giphy integration to comments

FeatureOpenSwamp Clubstack7217h ago

Architecture violation: search route imports directly from lib/infrastructure

BugOpenSwamp Clubstack7217h ago

Introduce domain events to formalize the telemetry-to-consumer pipeline

FeatureOpenSwamp Clubstack7217h ago

Refactor: move telemetry track() calls from route handlers to application services

FeatureOpenSwamp Clubstack7217h ago

Reindex path feeds error events to consumer, bypassing filtering

FeatureOpenSwamp Clubstack7217h ago

Custom swamp-themed avatar generator with daily rerolls

FeatureOpenSwamp Clubstack7217h ago

Profile content links with scoring for community contributions

FeatureOpenSwamp Clubstack7217h ago

Score extension pull events for extension authors

FeatureIn ProgressSwamp Clubstack72s16h ago

Score daily sign-in events with streak multiplier

FeatureOpenSwamp Clubstack7217h ago

Score sign_up events in the telemetry pipeline

FeatureOpenSwamp Clubstack7217h ago

Score extension publish events in the telemetry pipeline

FeatureOpenSwamp Clubstack7217h ago

Add 'award' telemetry event type for arbitrary score grants

FeatureOpenSwamp Clubstack7217h ago

Bug: authenticated pulls always shows 0 on profile page

FeatureOpenSwamp Clubstack7217h ago

Decouple identity_map from main app: username renames via event, not shared DB

BugOpenSwamp Clubstack7217h ago

Optimise MongoDB Search Queries

FeatureOpenSwamp Clubstack7217h ago

Transactional emails on login with google/similar

FeatureOpenSwamp Clubstack7217h ago

Add rate limiting to send-verification-email endpoint

FeatureOpenSwamp Clubstack7217h ago

Add authentication or rate limiting to check-verified endpoint

FeatureOpenSwamp Clubstack7217h ago

swamp data query for morning-message in hello-world tutorial returns nothing.

BugOpenSwamp CLIben20h ago

Document vault migrate command in reference docs

FeatureShippedSwamp CLIstack72s19h ago

Locks on long running actions

FeatureShippedSwamp Clubmagistr19h ago

issue-lifecycle skill: improve resumption and close-out guidance

FeatureShippedSwamp CLIstack72s21h ago

deprovision: firewall deletion fails with resource_in_use immediately after server delete

BugOpenExtensions4chems23h ago

swamp workflow validate should check step inputs against method's required arguments

FeatureShippedSwamp CLI4chemss22h ago

data.latest() returns null when new data written while _catalog.db is already marked populated

BugShippedSwamp CLI4chemsa19h ago

Bundle cache fallback silently skipped when source and bundle have equal mtimes

BugShippedSwamp CLI4chemss19h ago

Add vault migrate command to move secrets between vaults

FeatureShippedSwamp CLIstack72s20h ago

First-class methodRunId / invocationId on DataRecord

FeatureOpenSwamp CLIkeebk16h ago

Consolidate method execution paths — workflow steps and manual runs build MethodContext divergently

FeatureOpenSwamp CLIkeebk17h ago

CatalogStore constructor runs createSchema before migrateIfNeeded; v1→v2 upgrade fails on existing repos

BugShippedSwamp CLIkeeba20h ago

discord-bot poller double-processes events with >1 replica

BugShippedSwamp Clubstack721d ago

datastore sync: clean up zombie _catalog.db* entries from remote index and S3 bucket

BugClosedSwamp CLIstack721d ago

datastore sync --push runs pushChanged() twice per invocation (coordinator dedup)

BugClosedSwamp CLIstack721d ago

datastore sync --push fails on _catalog.db-wal: catalog SQLite DB lives inside the S3 sync cache

BugShippedExtensionsstack721d ago

.swamp/datastore-bundles/ leaks into deno lint and deno fmt scans

BugShippedSwamp CLIstack721d ago

deno run audit task missing --allow-env flag

BugShippedSwamp CLIstack721d ago

Error when submitting a new issue manually

BugShippedSwamp Clubadam1d ago

Green text on issue details is a lot

BugShippedSwamp Clubadam1d ago

evals/promptfoo: bump hono and @hono/node-server to clear 6 dependabot alerts

BugShippedSwamp CLIstack721d ago

issue-lifecycle: COMMENTED PR review can overwrite a prior decisive state in fetchPrReviews

FeatureOpenExtensionsstack722d ago

Add agent-constraints/ for issue-lifecycle skill

FeatureOpenExtensionsstack722d ago

@swamp/aws/ec2: auto-generated models lack list, tag, and factory-compatible update methods

FeatureOpenExtensionsstack722d ago

@swamp/digitalocean/space-key stores secret in plaintext - should mark as sensitive

FeatureOpenExtensionsstack722d ago

Add Azure provider pipeline to codegen

FeatureOpenExtensionsstack722d ago

feat: Namespace.so execution driver for remote workload execution

FeatureOpenExtensionsstack722d ago

Add macOS Keychain vault type

FeatureOpenExtensionsstack722d ago

Add uniform bucket-level IAM support to @swamp/gcp/storage

FeatureOpenExtensionsstack722d ago

Expand DataRecord with first-class provenance fields; remove all hidden scoping from data access

BugShippedSwamp CLIstack72a20h ago

feat: Private extensions

FeatureOpenSwamp CLIstack722d ago

Workflow execution repeats #1091: cross-model CEL expression validation fails for unresolved types

BugOpenSwamp CLIstack722d ago

context.readModelData returns different results depending on invocation context (manual vs workflow)

BugOpenSwamp CLIstack722d ago

Handle sensitive fields gracefully when no vault is configured

FeatureTriagedSwamp CLIstack72s22h ago

Vault reads for model global arguments are cached at workflow start, making in-workflow token refresh ineffective

FeatureOpenSwamp CLIstack722d ago

feat: approval gates for workflow steps and jobs

FeatureOpenSwamp CLIstack722d ago

Install script: curl fails TLS verification for swamp.club (certificate chain)

BugOpenSwamp CLIstack722d ago

Extension Patches: contribution workflow for community extensions

FeatureOpenSwamp CLIstack722d ago

Feature: swamp issue for extensions — bug reports, security disclosures, and author notifications

FeatureOpenSwamp CLIstack722d ago

Support 'swamp <app> run' as containerized entrypoint for easy onboarding

FeatureOpenSwamp CLIstack722d ago

Persistent runner / server mode to eliminate per-invocation CLI startup overhead

FeatureOpenSwamp CLIstack722d ago

feat: add support for Nix via a flake

FeatureOpenSwamp CLIstack722d ago

← Back to list

01Issue

FeatureOpenSwamp Club

AssigneesNone

Add authentication or rate limiting to check-verified endpoint

Opened by stack72 · 4/9/2026· GitHub #45

Issue

The /api/auth/check-verified?email=... endpoint is unauthenticated and has no rate limiting. Anyone can query it to determine whether a verified account exists for a given email address.

{ verified: true } — email is registered and verified
{ verified: false } — email is either unregistered or unverified (indistinguishable)

This enables automated email enumeration against known email lists.

Impact

Low severity. The endpoint is read-only and cannot modify any state. A true response confirms account existence, but false does not distinguish between non-existent and unverified accounts.

Options

Require authentication — check ctx.state.user and only allow users to query their own email
Rate limit — throttle requests per IP (e.g., 5 per minute) at the nginx or app layer
Remove the endpoint — have the client poll /api/auth/session instead (requires authentication by design), though this only works when a session exists

02Bog Flow

Open

4/9/2026, 4:42:05 PM

No activity in this phase yet.

03Sludge Pulse

Sign in to post a ripple.