fix: IDOR patch (#982)

hughcrt · web-flow · commit e977d06f18a6 · 2025-05-19T19:57:30.000+02:00
diff --git a/packages/backend/src/api/v1/auth/utils.ts b/packages/backend/src/api/v1/auth/utils.ts
@@ -140,8 +140,6 @@ async function checkApiKey(ctx: Context, key: string) {
 }
 
 export async function authMiddleware(ctx: Context, next: Next) {
-  ctx.state.projectId = ctx.request?.query?.projectId as string;
-
   const isPublicRoute = publicRoutes.some((route) =>
     typeof route === "string" ? route === ctx.path : route.test(ctx.path),
   );
@@ -172,12 +170,12 @@ export async function authMiddleware(ctx: Context, next: Next) {
       ctx.state.privateKey = true;
     }
   } else {
-    // Check if JWT is valid
     try {
       if (!bearer) {
         throw new Error("No bearer token provided.");
       }
       const { payload } = await verifyJWT<SessionData>(key);
+      ctx.state.projectId = ctx.request?.query?.projectId as string;
       ctx.state.userId = payload.userId;
       ctx.state.orgId = payload.orgId;
 
@@ -194,9 +192,10 @@ export async function authMiddleware(ctx: Context, next: Next) {
         const [project] = await sql`
           select * from account_project where account_id = ${ctx.state.userId} and project_id = ${ctx.state.projectId}
         `;
+        console.log("Project", project);
 
         if (!project) {
-          throw new Error("Project not found");
+          throw new Error("Unauthorized access to project");
         }
       }
     } catch (error) {
@@ -210,6 +209,13 @@ export async function authMiddleware(ctx: Context, next: Next) {
         ctx.body = { message: "Invalid access token" };
         return;
       }
+
+      if (error?.message === "Unauthorized access to project") {
+        ctx.status = 401;
+        ctx.body = { message: "Unauthorized access to project" };
+        return;
+      }
+      return;
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -140,8 +140,6 @@ async function checkApiKey(ctx: Context, key: string) {`
`140`	`140`	`}`
`141`	`141`
`142`	`142`	`export async function authMiddleware(ctx: Context, next: Next) {`
`143`		`- ctx.state.projectId = ctx.request?.query?.projectId as string;`
`144`		`-`
`145`	`143`	`const isPublicRoute = publicRoutes.some((route) =>`
`146`	`144`	`typeof route === "string" ? route === ctx.path : route.test(ctx.path),`
`147`	`145`	`);`
`@@ -172,12 +170,12 @@ export async function authMiddleware(ctx: Context, next: Next) {`
`172`	`170`	`ctx.state.privateKey = true;`
`173`	`171`	`}`
`174`	`172`	`} else {`
`175`		`- // Check if JWT is valid`
`176`	`173`	`try {`
`177`	`174`	`if (!bearer) {`
`178`	`175`	`throw new Error("No bearer token provided.");`
`179`	`176`	`}`
`180`	`177`	`const { payload } = await verifyJWT<SessionData>(key);`
	`178`	`+ ctx.state.projectId = ctx.request?.query?.projectId as string;`
`181`	`179`	`ctx.state.userId = payload.userId;`
`182`	`180`	`ctx.state.orgId = payload.orgId;`
`183`	`181`
`@@ -194,9 +192,10 @@ export async function authMiddleware(ctx: Context, next: Next) {`
`194`	`192`	const [project] = await sql`
`195`	`193`	`select * from account_project where account_id = ${ctx.state.userId} and project_id = ${ctx.state.projectId}`
`196`	`194`	`;
	`195`	`+ console.log("Project", project);`
`197`	`196`
`198`	`197`	`if (!project) {`
`199`		`- throw new Error("Project not found");`
	`198`	`+ throw new Error("Unauthorized access to project");`
`200`	`199`	`}`
`201`	`200`	`}`
`202`	`201`	`} catch (error) {`
`@@ -210,6 +209,13 @@ export async function authMiddleware(ctx: Context, next: Next) {`
`210`	`209`	`ctx.body = { message: "Invalid access token" };`
`211`	`210`	`return;`
`212`	`211`	`}`
	`212`	`+`
	`213`	`+ if (error?.message === "Unauthorized access to project") {`
	`214`	`+ ctx.status = 401;`
	`215`	`+ ctx.body = { message: "Unauthorized access to project" };`
	`216`	`+ return;`
	`217`	`+ }`
	`218`	`+ return;`
`213`	`219`	`}`
`214`	`220`	`}`
`215`	`221`