fix: critical security hardening — tenant isolation, CORS, error leaking, input validation
1. Tenant isolation bypass (CRITICAL): TenantResolver now verifies user has access to X-Tenant-ID via user_tenants lookup before setting context. Added VerifyAccess method to TenantLookup interface and TenantService. 2. Consolidated tenant resolution: Removed duplicate resolveTenant() from helpers.go and tenant resolution from auth middleware. TenantResolver is now the single source of truth. Deadlines and AI handlers use auth.TenantFromContext() instead of direct DB queries. 3. CalDAV credential masking: tenant settings responses now mask CalDAV passwords with "********" via maskSettingsPassword helper. Applied to GetTenant, ListTenants, and UpdateSettings responses. 4. CORS + security headers: New middleware/security.go with CORS (restricted to FRONTEND_ORIGIN) and security headers (X-Frame-Options, X-Content-Type-Options, HSTS, Referrer-Policy, X-XSS-Protection). 5. Internal error leaking: All writeError(w, 500, err.Error()) replaced with internalError() that logs via slog and returns generic "internal error" to client. Same for jsonError in tenant handler. 6. Input validation: Max length on title (500), description (10000), case_number (100), search (200). Pagination clamped to max 100. Content-Disposition filename sanitized against header injection. Regression test added for tenant access denial (403 on unauthorized X-Tenant-ID). All existing tests pass, go vet clean.
This commit is contained in:
m
@@ -24,28 +24,19 @@ func (m *Middleware) RequireAuth(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
token := extractBearerToken(r)
|
||||
if token == "" {
|
||||
http.Error(w, "missing authorization token", http.StatusUnauthorized)
|
||||
http.Error(w, `{"error":"missing authorization token"}`, http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
userID, err := m.verifyJWT(token)
|
||||
if err != nil {
|
||||
http.Error(w, fmt.Sprintf("invalid token: %v", err), http.StatusUnauthorized)
|
||||
http.Error(w, `{"error":"invalid token"}`, http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
ctx := ContextWithUserID(r.Context(), userID)
|
||||
|
||||
// Resolve tenant from user_tenants
|
||||
var tenantID uuid.UUID
|
||||
err = m.db.GetContext(r.Context(), &tenantID,
|
||||
"SELECT tenant_id FROM user_tenants WHERE user_id = $1 LIMIT 1", userID)
|
||||
if err != nil {
|
||||
http.Error(w, "no tenant found for user", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
ctx = ContextWithTenantID(ctx, tenantID)
|
||||
|
||||
// Tenant resolution is handled by TenantResolver middleware for scoped routes.
|
||||
// Tenant management routes handle their own access control.
|
||||
next.ServeHTTP(w, r.WithContext(ctx))
|
||||
})
|
||||
}
|
||||
|
||||
@@ -2,20 +2,21 @@ package auth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"log/slog"
|
||||
"net/http"
|
||||
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
// TenantLookup resolves the default tenant for a user.
|
||||
// TenantLookup resolves and verifies tenant access for a user.
|
||||
// Defined as an interface to avoid circular dependency with services.
|
||||
type TenantLookup interface {
|
||||
FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error)
|
||||
VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error)
|
||||
}
|
||||
|
||||
// TenantResolver is middleware that resolves the tenant from X-Tenant-ID header
|
||||
// or defaults to the user's first tenant.
|
||||
// or defaults to the user's first tenant. Always verifies user has access.
|
||||
type TenantResolver struct {
|
||||
lookup TenantLookup
|
||||
}
|
||||
@@ -28,7 +29,7 @@ func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
userID, ok := UserFromContext(r.Context())
|
||||
if !ok {
|
||||
http.Error(w, "unauthorized", http.StatusUnauthorized)
|
||||
http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -37,19 +38,33 @@ func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
|
||||
if header := r.Header.Get("X-Tenant-ID"); header != "" {
|
||||
parsed, err := uuid.Parse(header)
|
||||
if err != nil {
|
||||
http.Error(w, fmt.Sprintf("invalid X-Tenant-ID: %v", err), http.StatusBadRequest)
|
||||
http.Error(w, `{"error":"invalid X-Tenant-ID"}`, http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
// Verify user has access to this tenant
|
||||
hasAccess, err := tr.lookup.VerifyAccess(r.Context(), userID, parsed)
|
||||
if err != nil {
|
||||
slog.Error("tenant access check failed", "error", err, "user_id", userID, "tenant_id", parsed)
|
||||
http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
if !hasAccess {
|
||||
http.Error(w, `{"error":"no access to tenant"}`, http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
tenantID = parsed
|
||||
} else {
|
||||
// Default to user's first tenant
|
||||
first, err := tr.lookup.FirstTenantForUser(r.Context(), userID)
|
||||
if err != nil {
|
||||
http.Error(w, fmt.Sprintf("resolving tenant: %v", err), http.StatusInternalServerError)
|
||||
slog.Error("failed to resolve default tenant", "error", err, "user_id", userID)
|
||||
http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
if first == nil {
|
||||
http.Error(w, "no tenant found for user", http.StatusBadRequest)
|
||||
http.Error(w, `{"error":"no tenant found for user"}`, http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
tenantID = *first
|
||||
|
||||
@@ -10,17 +10,23 @@ import (
|
||||
)
|
||||
|
||||
type mockTenantLookup struct {
|
||||
tenantID *uuid.UUID
|
||||
err error
|
||||
tenantID *uuid.UUID
|
||||
err error
|
||||
hasAccess bool
|
||||
accessErr error
|
||||
}
|
||||
|
||||
func (m *mockTenantLookup) FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error) {
|
||||
return m.tenantID, m.err
|
||||
}
|
||||
|
||||
func (m *mockTenantLookup) VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error) {
|
||||
return m.hasAccess, m.accessErr
|
||||
}
|
||||
|
||||
func TestTenantResolver_FromHeader(t *testing.T) {
|
||||
tenantID := uuid.New()
|
||||
tr := NewTenantResolver(&mockTenantLookup{})
|
||||
tr := NewTenantResolver(&mockTenantLookup{hasAccess: true})
|
||||
|
||||
var gotTenantID uuid.UUID
|
||||
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
@@ -47,6 +53,26 @@ func TestTenantResolver_FromHeader(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestTenantResolver_FromHeader_NoAccess(t *testing.T) {
|
||||
tenantID := uuid.New()
|
||||
tr := NewTenantResolver(&mockTenantLookup{hasAccess: false})
|
||||
|
||||
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
t.Fatal("next should not be called")
|
||||
})
|
||||
|
||||
r := httptest.NewRequest("GET", "/api/cases", nil)
|
||||
r.Header.Set("X-Tenant-ID", tenantID.String())
|
||||
r = r.WithContext(ContextWithUserID(r.Context(), uuid.New()))
|
||||
w := httptest.NewRecorder()
|
||||
|
||||
tr.Resolve(next).ServeHTTP(w, r)
|
||||
|
||||
if w.Code != http.StatusForbidden {
|
||||
t.Errorf("expected 403, got %d", w.Code)
|
||||
}
|
||||
}
|
||||
|
||||
func TestTenantResolver_DefaultsToFirst(t *testing.T) {
|
||||
tenantID := uuid.New()
|
||||
tr := NewTenantResolver(&mockTenantLookup{tenantID: &tenantID})
|
||||
|
||||
Reference in New Issue
Block a user