[fix] Resolve IDOR vulnerability: add workspace/project membership check in auth middleware and fix cache-before-auth #3680
+116
−29
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dosubot
bot
added
the
size:M
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens authorization in the API by preventing cross-project access (IDOR) through explicit project_id query parameters and by ensuring RBAC checks run before cache lookups, so cached responses can’t bypass permissions.
Changes:
- Add an EE-only project membership check in
verify_bearer_tokenwhenproject_idis explicitly provided. - Reorder authorization vs caching in
list_secretsandlist_app_variantsso permission checks occur before cache reads.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
api/oss/src/services/auth_service.py |
Adds EE project membership validation for explicit project_id in bearer-token auth. |
api/oss/src/routers/app_router.py |
Moves RBAC enforcement ahead of cache reads in list_app_variants. |
api/oss/src/apis/fastapi/vault/router.py |
Moves RBAC enforcement ahead of cache reads in list_secrets. |
Comments suppressed due to low confidence (1)
api/oss/src/routers/app_router.py:103
- Test coverage: add a test that ensures RBAC is enforced on cache hits for
list_app_variants(i.e., a cached response must not be returned whencheck_action_accessdenies). This change fixes an auth bypass and should be guarded by a regression test.
if is_ee():
has_permission = await check_action_access(
user_uid=request.state.user_id,
project_id=request.state.project_id,
permission=Permission.VIEW_APPLICATIONS,
)
if not has_permission:
error_msg = "You do not have access to perform this action. Please contact your organization admin."
return JSONResponse(
{"detail": error_msg},
status_code=403,
)
cache_key = {
"app_id": app_id,
}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
dosubot
bot
added
size:L
junaway
changed the title
mmabrouk
approved these changes
Feb 9, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
verify_bearer_token). When a user supplies an explicitproject_idquery parameter, the middleware now verifies the user is a member of that project before proceeding. Previously it only checked the project existed.vault/router.py(list_secrets) andapp_router.py(list_app_variants) — the RBAC permission check now runs before the cache lookup, preventing cached responses from bypassing authorization.Test plan
project_idgets 401project_id(default project) still worklist_secretsandlist_app_variantsenforce permissions on cache hits