[http] Default route access to internal

packages/core/http/core-http-router-server-internal/src/request.ts

@@ -223,11 +223,10 @@ export class CoreKibanaRequest<
       options,
     };
   }
-  /** infer route access from path if not declared */
+  /** set route access to internal if not declared */
   private getAccess(request: RawRequest): 'internal' | 'public' {
     return (
-      ((request.route?.settings as RouteOptions)?.app as KibanaRouteOptions)?.access ??
-      (request.path.startsWith('/internal') ? 'internal' : 'public')
+      ((request.route?.settings as RouteOptions)?.app as KibanaRouteOptions)?.access ?? 'internal'
     );
   }
 

packages/core/http/core-http-router-server-mocks/src/router.mock.ts

@@ -73,7 +73,7 @@ function createKibanaRequestMock<P = any, Q = any, B = any>({
   routeTags,
   routeAuthRequired,
   validation = {},
-  kibanaRouteOptions = { xsrfRequired: true, access: 'public' },
+  kibanaRouteOptions = { xsrfRequired: true, access: 'internal' },
   kibanaRequestState = {
     requestId: '123',
     requestUuid: '123e4567-e89b-12d3-a456-426614174000',

packages/core/http/core-http-server-internal/src/http_server.test.ts

@@ -836,12 +836,12 @@ test('allows declaring route access to flag a route as public or internal', asyn
   registerRouter(router);
 
   await server.start();
-  await supertest(innerServer.listener).get('/with-access').expect(200, { access });
+  await supertest(innerServer.listener).get('/with-access').expect(200, { access: 'internal' });
 
-  await supertest(innerServer.listener).get('/without-access').expect(200, { access: 'public' });
+  await supertest(innerServer.listener).get('/without-access').expect(200, { access: 'internal' });
 });
 
-test('infers access flag from path if not defined', async () => {
+test(`sets access flag to 'internal' if not defined`, async () => {
   const { registerRouter, server: innerServer } = await server.setup(config);
 
   const router = new Router('', logger, enhanceWithContext, routerOptions);
@@ -863,13 +863,13 @@ test('infers access flag from path if not defined', async () => {
   await server.start();
   await supertest(innerServer.listener).get('/internal/foo').expect(200, { access: 'internal' });
 
-  await supertest(innerServer.listener).get('/random/foo').expect(200, { access: 'public' });
+  await supertest(innerServer.listener).get('/random/foo').expect(200, { access: 'internal' });
   await supertest(innerServer.listener)
     .get('/random/internal/foo')
-    .expect(200, { access: 'public' });
+    .expect(200, { access: 'internal' });
   await supertest(innerServer.listener)
     .get('/api/foo/internal/my-foo')
-    .expect(200, { access: 'public' });
+    .expect(200, { access: 'internal' });
 });
 
 test('exposes route details of incoming request to a route handler', async () => {
@@ -888,7 +888,7 @@ test('exposes route details of incoming request to a route handler', async () =>
       options: {
         authRequired: true,
         xsrfRequired: false,
-        access: 'public',
+        access: 'internal',
         tags: [],
         timeout: {},
       },
@@ -1066,7 +1066,7 @@ test('exposes route details of incoming request to a route handler (POST + paylo
       options: {
         authRequired: true,
         xsrfRequired: true,
-        access: 'public',
+        access: 'internal',
         tags: [],
         timeout: {
           payload: 10000,

packages/core/http/core-http-server-internal/src/http_server.ts

@@ -606,7 +606,7 @@ export class HttpServer {
 
     const kibanaRouteOptions: KibanaRouteOptions = {
       xsrfRequired: route.options.xsrfRequired ?? !isSafeMethod(route.method),
-      access: route.options.access ?? (route.path.startsWith('/internal') ? 'internal' : 'public'),
+      access: route.options.access ?? 'internal',
     };
     // Log HTTP API target consumer.
     optionsLogger.debug(

packages/core/http/core-http-server-internal/src/lifecycle_handlers.test.ts

@@ -174,7 +174,7 @@ describe('xsrf post-auth handler', () => {
         path: '/some-path',
         kibanaRouteOptions: {
           xsrfRequired: false,
-          access: 'public',
+          access: 'internal',
         },
       });
 

packages/core/http/core-http-server/src/router/route.ts

@@ -126,9 +126,7 @@ export interface RouteConfigOptions<Method extends RouteMethod> {
    *           In the future, may require an incomming request to contain a specified header.
    * - internal. The route is internal and intended for internal access only.
    *
-   * If not declared, infers access from route path:
-   * - access =`internal` for '/internal' route path prefix
-   * - access = `public` for everything else
+   * Defaults to 'internal' If not declared,
    */
   access?: 'public' | 'internal';