refactor(API): disable /diagnostics in read-only mode instead of stripping fields

TheLastCicada · TheLastCicada · commit 257ab85a9ba7 · 2026-05-13T23:45:07.000-07:00
Return 403 when READ_ONLY is set rather than serving a reduced
response. Removes buildReadOnlyResponse and the readOnly parameter
from getDiagnosticsResponse since the middleware now gates access.
diff --git a/src/middleware.js b/src/middleware.js
@@ -525,16 +525,20 @@ app.get('/health', (req, res) => {
 // that single enforcement point rather than duplicating the constant-time
 // check here.
 //
-// Read-only: when V1 or V2 READ_ONLY is set we strip sensitive fields
-// (balances, transaction details, peer details, subscription IDs, home org
-// IDs) the same way wallet-health.js does for /v{1,2}/health/wallet.
+// Disabled in read-only mode: the diagnostics payload exposes system details
+// (paths, wallet balances, peer IPs, subscription IDs) that should not be
+// served on unauthenticated public-observer nodes.
 app.get('/diagnostics', async (req, res) => {
   try {
     const configV1 = getConfig();
     const configV2 = getConfigV2();
-    const readOnly = !!(configV2.READ_ONLY || configV1.READ_ONLY);
+    if (configV2.READ_ONLY || configV1.READ_ONLY) {
+      return res.status(403).json({
+        error: 'The /diagnostics endpoint is not available on read-only nodes',
+      });
+    }
     const { getDiagnosticsResponse } = await import('./routes/diagnostics.js');
-    const result = await getDiagnosticsResponse({ readOnly });
+    const result = await getDiagnosticsResponse();
     return res.status(200).json(result);
   } catch (error) {
     logger.error(`[diagnostics]: unexpected error building response: ${error.message}`);
diff --git a/src/routes/diagnostics.js b/src/routes/diagnostics.js
@@ -7,9 +7,8 @@
  * when something is broken, so every external call is fenced behind
  * `Promise.allSettled` with a per-call timeout. The route never throws.
  *
- * In read-only mode the same shape is returned but with sensitive fields
- * (balances, transaction details, peer host details, subscription IDs,
- * home org IDs) stripped, matching the convention from wallet-health.js.
+ * The endpoint is disabled entirely in read-only mode (handled by
+ * middleware returning 403), so there is no reduced-information path.
  */
 
 import _ from 'lodash';
@@ -215,32 +214,14 @@ const buildTrustedPeerView = (connectionsResult, chiaConfigResult) => {
  * Heavy module dependencies (database models, datalayer RPC clients) are
  * loaded dynamically so this file is safe to import from contexts where
  * those modules aren't ready yet (tests, early startup).
- *
- * In read-only mode we deliberately skip the expensive wallet/datalayer/
- * full-node RPC fan-out -- read-only ("public observer") deployments
- * should not be making per-request authenticated wallet RPC calls on
- * unauthenticated public hits. This matches the precedent in
- * src/routes/wallet-health.js, which also short-circuits before fetch.
  */
-export const getDiagnosticsResponse = async ({ readOnly = false } = {}) => {
+export const getDiagnosticsResponse = async () => {
   const timestamp = new Date().toISOString();
 
   const configV1 = getConfig();
   const configV2 = getConfigV2();
   const appConfig = configV1.APP || {};
 
-  // Short-circuit BEFORE pulling in the heavy wallet/datalayer/model
-  // dependencies. The read-only path only needs system-info / process-scan /
-  // chia-tools probes plus the synchronously-available config, so importing
-  // wallet.js or models/v2/index.js here would (a) defeat the "no
-  // authenticated RPC on unauthenticated public hits" property and (b)
-  // make /diagnostics itself fail whenever the DB/wallet modules can't
-  // initialize -- which is precisely the failure mode this endpoint exists
-  // to diagnose.
-  if (readOnly) {
-    return buildReadOnlyResponse({ timestamp, configV1, configV2, appConfig });
-  }
-
   const wallet = (await import('../datalayer/wallet.js')).default;
   const fullNodeRpc = (await import('../datalayer/fullNodeRpc.js')).default;
   const persistance = await import('../datalayer/persistance.js');
@@ -475,7 +456,6 @@ export const getDiagnosticsResponse = async ({ readOnly = false } = {}) => {
   // ---- Full response ------------------------------------------------------
   const fullResponse = {
     timestamp,
-    readOnly: false,
     cadt: cadtSection,
     network: {
       chia: actualNetwork,
@@ -497,68 +477,6 @@ export const getDiagnosticsResponse = async ({ readOnly = false } = {}) => {
   return fullResponse;
 };
 
-/**
- * Read-only diagnostics: only cheap, public-safe data. We short-circuit
- * BEFORE the wallet/datalayer/full-node RPC fan-out so a read-only
- * deployment doesn't make per-request authenticated wallet RPC calls on
- * unauthenticated public hits.
- */
-const buildReadOnlyResponse = async ({ timestamp, configV1, configV2, appConfig }) => {
-  const enableV1 = configV1?.ENABLE !== false;
-  const enableV2 = configV2?.ENABLE !== false;
-  const chiaRoot = getChiaRoot();
-
-  const [systemInfoRes, chiaProcessesRes, chiaToolsRes] = await Promise.all([
-    settle('getSystemInfo', () => getSystemInfo(), DEFAULT_TIMEOUT_MS),
-    settle('scanChiaProcesses', () => scanChiaProcesses(), DEFAULT_TIMEOUT_MS),
-    settle('probeChiaTools', () => probeChiaTools(), DEFAULT_TIMEOUT_MS),
-  ]);
-
-  const processesValue = chiaProcessesRes.ok
-    ? chiaProcessesRes.value
-    : { matches: [], installPaths: [], multipleVersionsDetected: false, error: chiaProcessesRes.error };
-  const chiaToolsSection = chiaToolsRes.ok
-    ? chiaToolsRes.value
-    : { installed: false, version: null, error: chiaToolsRes.error };
-  const systemSection = systemInfoRes.ok ? systemInfoRes.value : { error: systemInfoRes.error };
-
-  return {
-    timestamp,
-    readOnly: true,
-    message: 'Operational details are not available on read-only nodes',
-    cadt: {
-      version: packageJson.version,
-      configDir: `${chiaRoot}/cadt`,
-      configFile: `${chiaRoot}/cadt/config.yaml`,
-      datalayerUrl: appConfig.DATALAYER_URL || null,
-      datalayerFileServerUrl: appConfig.DATALAYER_FILE_SERVER_URL || null,
-      useSimulator: appConfig.USE_SIMULATOR === true,
-      v1: {
-        enabled: enableV1,
-        readOnly: configV1.READ_ONLY === true,
-        isGovernanceBody: configV1.IS_GOVERNANCE_BODY === true,
-        apiKeyConfigured: !!(configV1.CADT_API_KEY && configV1.CADT_API_KEY !== ''),
-        governanceBodyId: configV1.GOVERNANCE?.GOVERNANCE_BODY_ID || null,
-      },
-      v2: {
-        enabled: enableV2,
-        readOnly: configV2.READ_ONLY === true,
-        isGovernanceBody: configV2.IS_GOVERNANCE_BODY === true,
-        apiKeyConfigured: !!(configV2.CADT_API_KEY && configV2.CADT_API_KEY !== ''),
-        governanceBodyId: configV2.GOVERNANCE?.GOVERNANCE_BODY_ID || null,
-      },
-    },
-    network: { cadt: appConfig.CHIA_NETWORK || null },
-    chia: {
-      chiaTools: { installed: chiaToolsSection.installed, version: chiaToolsSection.version },
-      runningProcesses: {
-        multipleVersionsDetected: processesValue.multipleVersionsDetected,
-      },
-    },
-    system: systemSection,
-  };
-};
-
 export const __test = {
   settle,
   collectSubscriptions,
diff --git a/tests/v2/integration/diagnostics.spec.js b/tests/v2/integration/diagnostics.spec.js
@@ -18,7 +18,6 @@ describe('/diagnostics endpoint', function () {
     it('responds 200 with the documented top-level shape', async function () {
       const response = await supertest(app).get('/diagnostics').expect(200);
       expect(response.body).to.have.property('timestamp').that.is.a('string');
-      expect(response.body).to.have.property('readOnly');
       expect(response.body).to.have.property('cadt').that.is.an('object');
       expect(response.body).to.have.property('network').that.is.an('object');
       expect(response.body).to.have.property('chia').that.is.an('object');
@@ -164,89 +163,30 @@ describe('/diagnostics endpoint', function () {
     });
   });
 
-  describe('read-only stripping', function () {
-    // The exact contract is documented in src/routes/diagnostics.js and
-    // mirrors the wallet-health.js convention: when READ_ONLY is true the
-    // response retains only non-sensitive metadata. Balances, transaction
-    // details, peer details, subscription IDs, and home-org IDs MUST be
-    // absent. We also intentionally short-circuit BEFORE the wallet/datalayer
-    // RPC fan-out, so the entire `chia.wallet` and `chia.datalayer` sections
-    // are omitted in read-only mode.
-    it('omits operational details when READ_ONLY is enabled', async function () {
-      await withConfigOverride(async () => {
-        const response = await supertest(app).get('/diagnostics').expect(200);
-        expect(response.body).to.have.property('readOnly', true);
-        expect(response.body).to.have.property('message').that.is.a('string');
-
-        expect(response.body.chia).to.not.have.property('wallet');
-        expect(response.body.chia).to.not.have.property('datalayer');
-        expect(response.body.chia).to.not.have.property('fullNode');
-        expect(response.body.chia).to.not.have.property('services');
-
-        expect(response.body.cadt.v1).to.not.have.property('homeOrgId');
-        expect(response.body.cadt.v2).to.not.have.property('homeOrgId');
-
-        expect(response.body.cadt).to.have.property('version');
-        expect(response.body.network).to.have.property('cadt');
-        expect(response.body.chia).to.have.property('chiaTools');
-        expect(response.body).to.have.property('system');
-      }, { APP: { READ_ONLY: true } });
-    });
-
-    it('keeps full detail by default (READ_ONLY off)', async function () {
-      const response = await supertest(app).get('/diagnostics').expect(200);
-      expect(response.body.readOnly).to.equal(false);
-      expect(response.body.chia.wallet).to.have.property('pendingTransactions');
-      expect(response.body.chia.wallet).to.have.property('trustedFullNodePeers');
-      expect(response.body.chia.datalayer).to.have.property('subscriptions');
-    });
-
-    // The four scenarios below exhaustively cover the (READ_ONLY × API key
-    // configured × key provided) matrix for READ_ONLY=true. They confirm both
-    // (a) a public observer node with no API key gets the reduced response
-    // without authentication, and (b) when an API key IS configured the
-    // endpoint still enforces it, returning the reduced response only to
-    // authenticated callers.
-    it('public observer node (READ_ONLY=true, no API key): returns 200 with reduced fields without auth', async function () {
-      await withConfigOverride(async () => {
-        const response = await supertest(app).get('/diagnostics');
-        expect(response.status).to.equal(200);
-        expect(response.body.readOnly).to.equal(true);
-        expect(response.body.chia).to.not.have.property('wallet');
-        expect(response.body.chia).to.not.have.property('datalayer');
-        expect(response.body.chia).to.not.have.property('fullNode');
-        expect(response.body.cadt).to.have.property('version');
-        expect(response.body.network).to.have.property('cadt');
-        expect(response.body).to.have.property('system');
-      }, { APP: { READ_ONLY: true, CADT_API_KEY: '' } });
-    });
-
-    it('READ_ONLY=true + API key configured + no key provided: rejects with 403', async function () {
+  describe('read-only mode', function () {
+    it('returns 403 when READ_ONLY is enabled', async function () {
       await withConfigOverride(async () => {
         const response = await supertest(app).get('/diagnostics');
         expect(response.status).to.equal(403);
-      }, { APP: { READ_ONLY: true, CADT_API_KEY: 'protected-observer-key' } });
+        expect(response.body).to.have.property('error').that.is.a('string');
+      }, { APP: { READ_ONLY: true } });
     });
 
-    it('READ_ONLY=true + API key configured + correct key: returns 200 with reduced fields', async function () {
+    it('returns 403 regardless of API key when READ_ONLY is enabled', async function () {
       await withConfigOverride(async () => {
         const response = await supertest(app)
           .get('/diagnostics')
           .set('x-api-key', 'protected-observer-key');
-        expect(response.status).to.equal(200);
-        expect(response.body.readOnly).to.equal(true);
-        expect(response.body.chia).to.not.have.property('wallet');
-        expect(response.body.chia).to.not.have.property('datalayer');
+        expect(response.status).to.equal(403);
+        expect(response.body).to.have.property('error').that.is.a('string');
       }, { APP: { READ_ONLY: true, CADT_API_KEY: 'protected-observer-key' } });
     });
 
-    it('READ_ONLY=true + API key configured + wrong key: rejects with 403', async function () {
-      await withConfigOverride(async () => {
-        const response = await supertest(app)
-          .get('/diagnostics')
-          .set('x-api-key', 'X'.repeat('protected-observer-key'.length));
-        expect(response.status).to.equal(403);
-      }, { APP: { READ_ONLY: true, CADT_API_KEY: 'protected-observer-key' } });
+    it('returns full detail by default (READ_ONLY off)', async function () {
+      const response = await supertest(app).get('/diagnostics').expect(200);
+      expect(response.body.chia.wallet).to.have.property('pendingTransactions');
+      expect(response.body.chia.wallet).to.have.property('trustedFullNodePeers');
+      expect(response.body.chia.datalayer).to.have.property('subscriptions');
     });
   });
 
@@ -262,7 +202,7 @@ describe('/diagnostics endpoint', function () {
     it('always returns 200 with the documented top-level keys', async function () {
       const response = await supertest(app).get('/diagnostics').expect(200);
       expect(response.body).to.have.all.keys(
-        'timestamp', 'readOnly', 'cadt', 'network', 'chia', 'system',
+        'timestamp', 'cadt', 'network', 'chia', 'system',
       );
       expect(response.body.system).to.have.property('cpu');
       expect(response.body.system).to.have.property('memory');
diff --git a/tests/v2/live-api/wallet-health.live.spec.js b/tests/v2/live-api/wallet-health.live.spec.js
@@ -96,7 +96,6 @@ describe('Wallet Health - Live', function () {
       expect(body.timestamp, 'timestamp must be ISO-8601').to.match(
         /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/,
       );
-      expect(body.readOnly).to.be.a('boolean');
       expect(body.cadt).to.be.an('object');
       expect(body.network).to.be.an('object');
       expect(body.chia).to.be.an('object');
