Missing Authorization

Summary

Four `GET` endpoints under `/api/templates*` in Arcane's Huma backend are registered without any `Security` requirement, allowing any unauthenticated network client to list and read the full Compose YAML and `.env` content of every custom template stored in the instance. Because Arcane's UI exposes a "Save as Template" flow on the project / swarm-stack creation pages that persists the operator's *real* env content (database passwords, API keys, etc.) verbatim, this missing authorization is an unauthenticated read of operator secrets in practice -- not a theoretical info-disclosure. The frontend explicitly treats '/customize/templates/*' as an authenticated area (PROTECTED_PREFIXES in 'frontend/src/lib/utils/redirect.util.ts'), and every CRUD operation (POST/PUT/DELETE) on the same paths requires a Bearer/API key, so this is a clear backend authorization gap, not intended public access. This issue affects arcane versions prior to 1.18.0.