mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(#5,#36): Fix critical security issues and add comprehensive tests

Browse Source 
SECURITY FIXES:
- Replace generic Error with UnauthorizedException in all controllers
- Fix workspace isolation bypass in findAll methods (CRITICAL)
- Controllers now always use req.user.workspaceId, never allow query override

CODE FIXES:
- Fix redundant priority logic in tasks.service.ts
- Use TaskPriority.MEDIUM as default instead of undefined

TEST ADDITIONS:
- Add multi-tenant isolation tests for all services (tasks, events, projects)
- Add database constraint violation handling tests (P2002, P2003, P2025)
- Add missing controller error tests for events and projects controllers
- All new tests verify authentication and workspace isolation

RESULTS:
- All 247 tests passing
- Test coverage: 94.35% (exceeds 85% requirement)
- Critical security vulnerabilities fixed

Fixes #5
Refs #36

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-01-28 18:55:07 -06:00
parent 132fe6ba98
commit a220c2dc0a
10 changed files with 417 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
apps/api/src/events/events.controller.spec.ts
View File

@@ -98,6 +98,16 @@ describe("EventsController", () => {
createDto
);
});
it("should throw UnauthorizedException if workspaceId not found", async () => {
const requestWithoutWorkspace = {
user: { id: mockUserId },
};
await expect(
controller.create({ title: "Test", startTime: new Date() }, requestWithoutWorkspace)
).rejects.toThrow("Authentication required");
});
});
describe("findAll", () => {
@@ -122,6 +132,16 @@ describe("EventsController", () => {
expect(result).toEqual(paginatedResult);
});
it("should throw UnauthorizedException if workspaceId not found", async () => {
const requestWithoutWorkspace = {
user: { id: mockUserId },
};
await expect(
controller.findAll({}, requestWithoutWorkspace as any)
).rejects.toThrow("Authentication required");
});
});
describe("findOne", () => {
@@ -132,6 +152,16 @@ describe("EventsController", () => {
expect(result).toEqual(mockEvent);
});
it("should throw UnauthorizedException if workspaceId not found", async () => {
const requestWithoutWorkspace = {
user: { id: mockUserId },
};
await expect(
controller.findOne(mockEventId, requestWithoutWorkspace)
).rejects.toThrow("Authentication required");
});
});
describe("update", () => {
@@ -147,6 +177,16 @@ describe("EventsController", () => {
expect(result).toEqual(updatedEvent);
});
it("should throw UnauthorizedException if workspaceId not found", async () => {
const requestWithoutWorkspace = {
user: { id: mockUserId },
};
await expect(
controller.update(mockEventId, { title: "Test" }, requestWithoutWorkspace)
).rejects.toThrow("Authentication required");
});
});
describe("remove", () => {
@@ -161,5 +201,15 @@ describe("EventsController", () => {
mockUserId
);
});
it("should throw UnauthorizedException if workspaceId not found", async () => {
const requestWithoutWorkspace = {
user: { id: mockUserId },
};
await expect(
controller.remove(mockEventId, requestWithoutWorkspace)
).rejects.toThrow("Authentication required");
});
});
});

14
apps/api/src/events/events.controller.ts
View File

@@ -9,6 +9,7 @@ import {
Query,
UseGuards,
Request,
UnauthorizedException,
} from "@nestjs/common";
import { EventsService } from "./events.service";
import { CreateEventDto, UpdateEventDto, QueryEventsDto } from "./dto";
@@ -33,7 +34,7 @@ export class EventsController {
const userId = req.user?.id;
if (!workspaceId || !userId) {
throw new Error("User workspaceId or userId not found");
throw new UnauthorizedException("Authentication required");
}
return this.eventsService.create(workspaceId, userId, createEventDto);
@@ -45,7 +46,10 @@ export class EventsController {
*/
@Get()
async findAll(@Query() query: QueryEventsDto, @Request() req: any) {
const workspaceId = req.user?.workspaceId || query.workspaceId;
const workspaceId = req.user?.workspaceId;
if (!workspaceId) {
throw new UnauthorizedException("Authentication required");
}
return this.eventsService.findAll({ ...query, workspaceId });
}
@@ -57,7 +61,7 @@ export class EventsController {
async findOne(@Param("id") id: string, @Request() req: any) {
const workspaceId = req.user?.workspaceId;
if (!workspaceId) {
throw new Error("User workspaceId not found");
throw new UnauthorizedException("Authentication required");
}
return this.eventsService.findOne(id, workspaceId);
}
@@ -76,7 +80,7 @@ export class EventsController {
const userId = req.user?.id;
if (!workspaceId || !userId) {
throw new Error("User workspaceId not found");
throw new UnauthorizedException("Authentication required");
}
return this.eventsService.update(id, workspaceId, userId, updateEventDto);
@@ -92,7 +96,7 @@ export class EventsController {
const userId = req.user?.id;
if (!workspaceId || !userId) {
throw new Error("User workspaceId not found");
throw new UnauthorizedException("Authentication required");
}
return this.eventsService.remove(id, workspaceId, userId);

90
apps/api/src/events/events.service.spec.ts
View File

@@ -4,6 +4,7 @@ import { EventsService } from "./events.service";
import { PrismaService } from "../prisma/prisma.service";
import { ActivityService } from "../activity/activity.service";
import { NotFoundException } from "@nestjs/common";
import { Prisma } from "@prisma/client";
describe("EventsService", () => {
let service: EventsService;
@@ -177,6 +178,23 @@ describe("EventsService", () => {
NotFoundException
);
});
it("should enforce workspace isolation when finding event", async () => {
const otherWorkspaceId = "550e8400-e29b-41d4-a716-446655440099";
mockPrismaService.event.findUnique.mockResolvedValue(null);
await expect(service.findOne(mockEventId, otherWorkspaceId)).rejects.toThrow(
NotFoundException
);
expect(prisma.event.findUnique).toHaveBeenCalledWith({
where: {
id: mockEventId,
workspaceId: otherWorkspaceId,
},
include: expect.any(Object),
});
});
});
describe("update", () => {
@@ -211,6 +229,19 @@ describe("EventsService", () => {
service.update(mockEventId, mockWorkspaceId, mockUserId, { title: "Test" })
).rejects.toThrow(NotFoundException);
});
it("should enforce workspace isolation when updating event", async () => {
const otherWorkspaceId = "550e8400-e29b-41d4-a716-446655440099";
mockPrismaService.event.findUnique.mockResolvedValue(null);
await expect(
service.update(mockEventId, otherWorkspaceId, mockUserId, { title: "Hacked" })
).rejects.toThrow(NotFoundException);
expect(prisma.event.findUnique).toHaveBeenCalledWith({
where: { id: mockEventId, workspaceId: otherWorkspaceId },
});
});
});
describe("remove", () => {
@@ -232,5 +263,64 @@ describe("EventsService", () => {
service.remove(mockEventId, mockWorkspaceId, mockUserId)
).rejects.toThrow(NotFoundException);
});
it("should enforce workspace isolation when deleting event", async () => {
const otherWorkspaceId = "550e8400-e29b-41d4-a716-446655440099";
mockPrismaService.event.findUnique.mockResolvedValue(null);
await expect(
service.remove(mockEventId, otherWorkspaceId, mockUserId)
).rejects.toThrow(NotFoundException);
expect(prisma.event.findUnique).toHaveBeenCalledWith({
where: { id: mockEventId, workspaceId: otherWorkspaceId },
});
});
});
describe("database constraint violations", () => {
it("should handle foreign key constraint violations on create", async () => {
const createDto = {
title: "Event with invalid project",
startTime: new Date("2026-02-01T10:00:00Z"),
projectId: "non-existent-project-id",
};
const prismaError = new Prisma.PrismaClientKnownRequestError(
"Foreign key constraint failed",
{
code: "P2003",
clientVersion: "5.0.0",
}
);
mockPrismaService.event.create.mockRejectedValue(prismaError);
await expect(
service.create(mockWorkspaceId, mockUserId, createDto)
).rejects.toThrow(Prisma.PrismaClientKnownRequestError);
});
it("should handle foreign key constraint violations on update", async () => {
const updateDto = {
projectId: "non-existent-project-id",
};
mockPrismaService.event.findUnique.mockResolvedValue(mockEvent);
const prismaError = new Prisma.PrismaClientKnownRequestError(
"Foreign key constraint failed",
{
code: "P2003",
clientVersion: "5.0.0",
}
);
mockPrismaService.event.update.mockRejectedValue(prismaError);
await expect(
service.update(mockEventId, mockWorkspaceId, mockUserId, updateDto)
).rejects.toThrow(Prisma.PrismaClientKnownRequestError);
});
});
});

50
apps/api/src/projects/projects.controller.spec.ts
View File

@@ -97,6 +97,16 @@ describe("ProjectsController", () => {
createDto
);
});
it("should throw UnauthorizedException if workspaceId not found", async () => {
const requestWithoutWorkspace = {
user: { id: mockUserId },
};
await expect(
controller.create({ name: "Test" }, requestWithoutWorkspace)
).rejects.toThrow("Authentication required");
});
});
describe("findAll", () => {
@@ -121,6 +131,16 @@ describe("ProjectsController", () => {
expect(result).toEqual(paginatedResult);
});
it("should throw UnauthorizedException if workspaceId not found", async () => {
const requestWithoutWorkspace = {
user: { id: mockUserId },
};
await expect(
controller.findAll({}, requestWithoutWorkspace as any)
).rejects.toThrow("Authentication required");
});
});
describe("findOne", () => {
@@ -131,6 +151,16 @@ describe("ProjectsController", () => {
expect(result).toEqual(mockProject);
});
it("should throw UnauthorizedException if workspaceId not found", async () => {
const requestWithoutWorkspace = {
user: { id: mockUserId },
};
await expect(
controller.findOne(mockProjectId, requestWithoutWorkspace)
).rejects.toThrow("Authentication required");
});
});
describe("update", () => {
@@ -146,6 +176,16 @@ describe("ProjectsController", () => {
expect(result).toEqual(updatedProject);
});
it("should throw UnauthorizedException if workspaceId not found", async () => {
const requestWithoutWorkspace = {
user: { id: mockUserId },
};
await expect(
controller.update(mockProjectId, { name: "Test" }, requestWithoutWorkspace)
).rejects.toThrow("Authentication required");
});
});
describe("remove", () => {
@@ -160,5 +200,15 @@ describe("ProjectsController", () => {
mockUserId
);
});
it("should throw UnauthorizedException if workspaceId not found", async () => {
const requestWithoutWorkspace = {
user: { id: mockUserId },
};
await expect(
controller.remove(mockProjectId, requestWithoutWorkspace)
).rejects.toThrow("Authentication required");
});
});
});

14
apps/api/src/projects/projects.controller.ts
View File

@@ -9,6 +9,7 @@ import {
Query,
UseGuards,
Request,
UnauthorizedException,
} from "@nestjs/common";
import { ProjectsService } from "./projects.service";
import { CreateProjectDto, UpdateProjectDto, QueryProjectsDto } from "./dto";
@@ -33,7 +34,7 @@ export class ProjectsController {
const userId = req.user?.id;
if (!workspaceId || !userId) {
throw new Error("User workspaceId or userId not found");
throw new UnauthorizedException("Authentication required");
}
return this.projectsService.create(workspaceId, userId, createProjectDto);
@@ -45,7 +46,10 @@ export class ProjectsController {
*/
@Get()
async findAll(@Query() query: QueryProjectsDto, @Request() req: any) {
const workspaceId = req.user?.workspaceId || query.workspaceId;
const workspaceId = req.user?.workspaceId;
if (!workspaceId) {
throw new UnauthorizedException("Authentication required");
}
return this.projectsService.findAll({ ...query, workspaceId });
}
@@ -57,7 +61,7 @@ export class ProjectsController {
async findOne(@Param("id") id: string, @Request() req: any) {
const workspaceId = req.user?.workspaceId;
if (!workspaceId) {
throw new Error("User workspaceId not found");
throw new UnauthorizedException("Authentication required");
}
return this.projectsService.findOne(id, workspaceId);
}
@@ -76,7 +80,7 @@ export class ProjectsController {
const userId = req.user?.id;
if (!workspaceId || !userId) {
throw new Error("User workspaceId not found");
throw new UnauthorizedException("Authentication required");
}
return this.projectsService.update(id, workspaceId, userId, updateProjectDto);
@@ -92,7 +96,7 @@ export class ProjectsController {
const userId = req.user?.id;
if (!workspaceId || !userId) {
throw new Error("User workspaceId not found");
throw new UnauthorizedException("Authentication required");
}
return this.projectsService.remove(id, workspaceId, userId);

89
apps/api/src/projects/projects.service.spec.ts
View File

@@ -3,7 +3,7 @@ import { Test, TestingModule } from "@nestjs/testing";
import { ProjectsService } from "./projects.service";
import { PrismaService } from "../prisma/prisma.service";
import { ActivityService } from "../activity/activity.service";
import { ProjectStatus } from "@prisma/client";
import { ProjectStatus, Prisma } from "@prisma/client";
import { NotFoundException } from "@nestjs/common";
describe("ProjectsService", () => {
@@ -168,6 +168,23 @@ describe("ProjectsService", () => {
service.findOne(mockProjectId, mockWorkspaceId)
).rejects.toThrow(NotFoundException);
});
it("should enforce workspace isolation when finding project", async () => {
const otherWorkspaceId = "550e8400-e29b-41d4-a716-446655440099";
mockPrismaService.project.findUnique.mockResolvedValue(null);
await expect(service.findOne(mockProjectId, otherWorkspaceId)).rejects.toThrow(
NotFoundException
);
expect(prisma.project.findUnique).toHaveBeenCalledWith({
where: {
id: mockProjectId,
workspaceId: otherWorkspaceId,
},
include: expect.any(Object),
});
});
});
describe("update", () => {
@@ -202,6 +219,19 @@ describe("ProjectsService", () => {
service.update(mockProjectId, mockWorkspaceId, mockUserId, { name: "Test" })
).rejects.toThrow(NotFoundException);
});
it("should enforce workspace isolation when updating project", async () => {
const otherWorkspaceId = "550e8400-e29b-41d4-a716-446655440099";
mockPrismaService.project.findUnique.mockResolvedValue(null);
await expect(
service.update(mockProjectId, otherWorkspaceId, mockUserId, { name: "Hacked" })
).rejects.toThrow(NotFoundException);
expect(prisma.project.findUnique).toHaveBeenCalledWith({
where: { id: mockProjectId, workspaceId: otherWorkspaceId },
});
});
});
describe("remove", () => {
@@ -223,5 +253,62 @@ describe("ProjectsService", () => {
service.remove(mockProjectId, mockWorkspaceId, mockUserId)
).rejects.toThrow(NotFoundException);
});
it("should enforce workspace isolation when deleting project", async () => {
const otherWorkspaceId = "550e8400-e29b-41d4-a716-446655440099";
mockPrismaService.project.findUnique.mockResolvedValue(null);
await expect(
service.remove(mockProjectId, otherWorkspaceId, mockUserId)
).rejects.toThrow(NotFoundException);
expect(prisma.project.findUnique).toHaveBeenCalledWith({
where: { id: mockProjectId, workspaceId: otherWorkspaceId },
});
});
});
describe("database constraint violations", () => {
it("should handle unique constraint violations on create", async () => {
const createDto = {
name: "Duplicate Project",
description: "Project description",
};
const prismaError = new Prisma.PrismaClientKnownRequestError(
"Unique constraint failed",
{
code: "P2002",
clientVersion: "5.0.0",
meta: {
target: ["workspaceId", "name"],
},
}
);
mockPrismaService.project.create.mockRejectedValue(prismaError);
await expect(
service.create(mockWorkspaceId, mockUserId, createDto)
).rejects.toThrow(Prisma.PrismaClientKnownRequestError);
});
it("should handle record not found on update (P2025)", async () => {
mockPrismaService.project.findUnique.mockResolvedValue(mockProject);
const prismaError = new Prisma.PrismaClientKnownRequestError(
"Record to update not found",
{
code: "P2025",
clientVersion: "5.0.0",
}
);
mockPrismaService.project.update.mockRejectedValue(prismaError);
await expect(
service.update(mockProjectId, mockWorkspaceId, mockUserId, { name: "Updated" })
).rejects.toThrow(Prisma.PrismaClientKnownRequestError);
});
});
});

6
apps/api/src/tasks/tasks.controller.spec.ts
View File

@@ -167,7 +167,7 @@ describe("TasksController", () => {
await expect(
controller.findOne(mockTaskId, requestWithoutWorkspace)
).rejects.toThrow("User workspaceId not found");
).rejects.toThrow("Authentication required");
});
});
@@ -199,7 +199,7 @@ describe("TasksController", () => {
await expect(
controller.update(mockTaskId, { title: "Test" }, requestWithoutWorkspace)
).rejects.toThrow("User workspaceId not found");
).rejects.toThrow("Authentication required");
});
});
@@ -223,7 +223,7 @@ describe("TasksController", () => {
await expect(
controller.remove(mockTaskId, requestWithoutWorkspace)
).rejects.toThrow("User workspaceId not found");
).rejects.toThrow("Authentication required");
});
});
});

14
apps/api/src/tasks/tasks.controller.ts
View File

@@ -9,6 +9,7 @@ import {
Query,
UseGuards,
Request,
UnauthorizedException,
} from "@nestjs/common";
import { TasksService } from "./tasks.service";
import { CreateTaskDto, UpdateTaskDto, QueryTasksDto } from "./dto";
@@ -33,7 +34,7 @@ export class TasksController {
const userId = req.user?.id;
if (!workspaceId || !userId) {
throw new Error("User workspaceId or userId not found");
throw new UnauthorizedException("Authentication required");
}
return this.tasksService.create(workspaceId, userId, createTaskDto);
@@ -45,7 +46,10 @@ export class TasksController {
*/
@Get()
async findAll(@Query() query: QueryTasksDto, @Request() req: any) {
const workspaceId = req.user?.workspaceId || query.workspaceId;
const workspaceId = req.user?.workspaceId;
if (!workspaceId) {
throw new UnauthorizedException("Authentication required");
}
return this.tasksService.findAll({ ...query, workspaceId });
}
@@ -57,7 +61,7 @@ export class TasksController {
async findOne(@Param("id") id: string, @Request() req: any) {
const workspaceId = req.user?.workspaceId;
if (!workspaceId) {
throw new Error("User workspaceId not found");
throw new UnauthorizedException("Authentication required");
}
return this.tasksService.findOne(id, workspaceId);
}
@@ -76,7 +80,7 @@ export class TasksController {
const userId = req.user?.id;
if (!workspaceId || !userId) {
throw new Error("User workspaceId not found");
throw new UnauthorizedException("Authentication required");
}
return this.tasksService.update(id, workspaceId, userId, updateTaskDto);
@@ -92,7 +96,7 @@ export class TasksController {
const userId = req.user?.id;
if (!workspaceId || !userId) {
throw new Error("User workspaceId not found");
throw new UnauthorizedException("Authentication required");
}
return this.tasksService.remove(id, workspaceId, userId);

107
apps/api/src/tasks/tasks.service.spec.ts
View File

@@ -5,6 +5,7 @@ import { PrismaService } from "../prisma/prisma.service";
import { ActivityService } from "../activity/activity.service";
import { TaskStatus, TaskPriority } from "@prisma/client";
import { NotFoundException } from "@nestjs/common";
import { Prisma } from "@prisma/client";
describe("TasksService", () => {
let service: TasksService;
@@ -305,6 +306,23 @@ describe("TasksService", () => {
NotFoundException
);
});
it("should enforce workspace isolation when finding task", async () => {
const otherWorkspaceId = "550e8400-e29b-41d4-a716-446655440099";
mockPrismaService.task.findUnique.mockResolvedValue(null);
await expect(service.findOne(mockTaskId, otherWorkspaceId)).rejects.toThrow(
NotFoundException
);
expect(prisma.task.findUnique).toHaveBeenCalledWith({
where: {
id: mockTaskId,
workspaceId: otherWorkspaceId,
},
include: expect.any(Object),
});
});
});
describe("update", () => {
@@ -337,6 +355,19 @@ describe("TasksService", () => {
);
});
it("should enforce workspace isolation when updating task", async () => {
const otherWorkspaceId = "550e8400-e29b-41d4-a716-446655440099";
mockPrismaService.task.findUnique.mockResolvedValue(null);
await expect(
service.update(mockTaskId, otherWorkspaceId, mockUserId, { title: "Hacked" })
).rejects.toThrow(NotFoundException);
expect(prisma.task.findUnique).toHaveBeenCalledWith({
where: { id: mockTaskId, workspaceId: otherWorkspaceId },
});
});
it("should set completedAt when status changes to COMPLETED", async () => {
const updateDto = { status: TaskStatus.COMPLETED };
@@ -442,5 +473,81 @@ describe("TasksService", () => {
service.remove(mockTaskId, mockWorkspaceId, mockUserId)
).rejects.toThrow(NotFoundException);
});
it("should enforce workspace isolation when deleting task", async () => {
const otherWorkspaceId = "550e8400-e29b-41d4-a716-446655440099";
mockPrismaService.task.findUnique.mockResolvedValue(null);
await expect(
service.remove(mockTaskId, otherWorkspaceId, mockUserId)
).rejects.toThrow(NotFoundException);
expect(prisma.task.findUnique).toHaveBeenCalledWith({
where: { id: mockTaskId, workspaceId: otherWorkspaceId },
});
});
});
describe("database constraint violations", () => {
it("should handle foreign key constraint violations on create", async () => {
const createDto = {
title: "Task with invalid assignee",
assigneeId: "non-existent-user-id",
};
const prismaError = new Prisma.PrismaClientKnownRequestError(
"Foreign key constraint failed",
{
code: "P2003",
clientVersion: "5.0.0",
}
);
mockPrismaService.task.create.mockRejectedValue(prismaError);
await expect(
service.create(mockWorkspaceId, mockUserId, createDto)
).rejects.toThrow(Prisma.PrismaClientKnownRequestError);
});
it("should handle foreign key constraint violations on update", async () => {
const updateDto = {
assigneeId: "non-existent-user-id",
};
mockPrismaService.task.findUnique.mockResolvedValue(mockTask);
const prismaError = new Prisma.PrismaClientKnownRequestError(
"Foreign key constraint failed",
{
code: "P2003",
clientVersion: "5.0.0",
}
);
mockPrismaService.task.update.mockRejectedValue(prismaError);
await expect(
service.update(mockTaskId, mockWorkspaceId, mockUserId, updateDto)
).rejects.toThrow(Prisma.PrismaClientKnownRequestError);
});
it("should handle record not found on update (P2025)", async () => {
mockPrismaService.task.findUnique.mockResolvedValue(mockTask);
const prismaError = new Prisma.PrismaClientKnownRequestError(
"Record to update not found",
{
code: "P2025",
clientVersion: "5.0.0",
}
);
mockPrismaService.task.update.mockRejectedValue(prismaError);
await expect(
service.update(mockTaskId, mockWorkspaceId, mockUserId, { title: "Updated" })
).rejects.toThrow(Prisma.PrismaClientKnownRequestError);
});
});
});

4
apps/api/src/tasks/tasks.service.ts
View File

@@ -1,7 +1,7 @@
import { Injectable, NotFoundException } from "@nestjs/common";
import { PrismaService } from "../prisma/prisma.service";
import { ActivityService } from "../activity/activity.service";
import { TaskStatus } from "@prisma/client";
import { TaskStatus, TaskPriority } from "@prisma/client";
import type { CreateTaskDto, UpdateTaskDto, QueryTasksDto } from "./dto";
/**
@@ -23,7 +23,7 @@ export class TasksService {
workspaceId,
creatorId: userId,
status: createTaskDto.status || TaskStatus.NOT_STARTED,
priority: createTaskDto.priority || createTaskDto.priority,
priority: createTaskDto.priority || TaskPriority.MEDIUM,
sortOrder: createTaskDto.sortOrder ?? 0,
metadata: createTaskDto.metadata || {},
};