fix(#5,#36): Fix critical security issues and add comprehensive tests

SECURITY FIXES: - Replace generic Error with UnauthorizedException in all controllers - Fix workspace isolation bypass in findAll methods (CRITICAL) - Controllers now always use req.user.workspaceId, never allow query override CODE FIXES: - Fix redundant priority logic in tasks.service.ts - Use TaskPriority.MEDIUM as default instead of undefined TEST ADDITIONS: - Add multi-tenant isolation tests for all services (tasks, events, projects) - Add database constraint violation handling tests (P2002, P2003, P2025) - Add missing controller error tests for events and projects controllers - All new tests verify authentication and workspace isolation RESULTS: - All 247 tests passing - Test coverage: 94.35% (exceeds 85% requirement) - Critical security vulnerabilities fixed Fixes #5 Refs #36 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-28 18:55:07 -06:00
parent 132fe6ba98
commit a220c2dc0a
10 changed files with 417 additions and 21 deletions
--- a/apps/api/src/projects/projects.controller.spec.ts
+++ b/apps/api/src/projects/projects.controller.spec.ts
@@ -97,6 +97,16 @@ describe("ProjectsController", () => {
        createDto
      );
    });
+
+    it("should throw UnauthorizedException if workspaceId not found", async () => {
+      const requestWithoutWorkspace = {
+        user: { id: mockUserId },
+      };
+
+      await expect(
+        controller.create({ name: "Test" }, requestWithoutWorkspace)
+      ).rejects.toThrow("Authentication required");
+    });
  });

  describe("findAll", () => {
@@ -121,6 +131,16 @@ describe("ProjectsController", () => {

      expect(result).toEqual(paginatedResult);
    });
+
+    it("should throw UnauthorizedException if workspaceId not found", async () => {
+      const requestWithoutWorkspace = {
+        user: { id: mockUserId },
+      };
+
+      await expect(
+        controller.findAll({}, requestWithoutWorkspace as any)
+      ).rejects.toThrow("Authentication required");
+    });
  });

  describe("findOne", () => {
@@ -131,6 +151,16 @@ describe("ProjectsController", () => {

      expect(result).toEqual(mockProject);
    });
+
+    it("should throw UnauthorizedException if workspaceId not found", async () => {
+      const requestWithoutWorkspace = {
+        user: { id: mockUserId },
+      };
+
+      await expect(
+        controller.findOne(mockProjectId, requestWithoutWorkspace)
+      ).rejects.toThrow("Authentication required");
+    });
  });

  describe("update", () => {
@@ -146,6 +176,16 @@ describe("ProjectsController", () => {

      expect(result).toEqual(updatedProject);
    });
+
+    it("should throw UnauthorizedException if workspaceId not found", async () => {
+      const requestWithoutWorkspace = {
+        user: { id: mockUserId },
+      };
+
+      await expect(
+        controller.update(mockProjectId, { name: "Test" }, requestWithoutWorkspace)
+      ).rejects.toThrow("Authentication required");
+    });
  });

  describe("remove", () => {
@@ -160,5 +200,15 @@ describe("ProjectsController", () => {
        mockUserId
      );
    });
+
+    it("should throw UnauthorizedException if workspaceId not found", async () => {
+      const requestWithoutWorkspace = {
+        user: { id: mockUserId },
+      };
+
+      await expect(
+        controller.remove(mockProjectId, requestWithoutWorkspace)
+      ).rejects.toThrow("Authentication required");
+    });
  });
 });
--- a/apps/api/src/projects/projects.controller.ts
+++ b/apps/api/src/projects/projects.controller.ts
@@ -9,6 +9,7 @@ import {
  Query,
  UseGuards,
  Request,
+  UnauthorizedException,
 } from "@nestjs/common";
 import { ProjectsService } from "./projects.service";
 import { CreateProjectDto, UpdateProjectDto, QueryProjectsDto } from "./dto";
@@ -33,7 +34,7 @@ export class ProjectsController {
    const userId = req.user?.id;

    if (!workspaceId || !userId) {
-      throw new Error("User workspaceId or userId not found");
+      throw new UnauthorizedException("Authentication required");
    }

    return this.projectsService.create(workspaceId, userId, createProjectDto);
@@ -45,7 +46,10 @@ export class ProjectsController {
   */
  @Get()
  async findAll(@Query() query: QueryProjectsDto, @Request() req: any) {
-    const workspaceId = req.user?.workspaceId || query.workspaceId;
+    const workspaceId = req.user?.workspaceId;
+    if (!workspaceId) {
+      throw new UnauthorizedException("Authentication required");
+    }
    return this.projectsService.findAll({ ...query, workspaceId });
  }

@@ -57,7 +61,7 @@ export class ProjectsController {
  async findOne(@Param("id") id: string, @Request() req: any) {
    const workspaceId = req.user?.workspaceId;
    if (!workspaceId) {
-      throw new Error("User workspaceId not found");
+      throw new UnauthorizedException("Authentication required");
    }
    return this.projectsService.findOne(id, workspaceId);
  }
@@ -76,7 +80,7 @@ export class ProjectsController {
    const userId = req.user?.id;

    if (!workspaceId || !userId) {
-      throw new Error("User workspaceId not found");
+      throw new UnauthorizedException("Authentication required");
    }

    return this.projectsService.update(id, workspaceId, userId, updateProjectDto);
@@ -92,7 +96,7 @@ export class ProjectsController {
    const userId = req.user?.id;

    if (!workspaceId || !userId) {
-      throw new Error("User workspaceId not found");
+      throw new UnauthorizedException("Authentication required");
    }

    return this.projectsService.remove(id, workspaceId, userId);
--- a/apps/api/src/projects/projects.service.spec.ts
+++ b/apps/api/src/projects/projects.service.spec.ts
@@ -3,7 +3,7 @@ import { Test, TestingModule } from "@nestjs/testing";
 import { ProjectsService } from "./projects.service";
 import { PrismaService } from "../prisma/prisma.service";
 import { ActivityService } from "../activity/activity.service";
-import { ProjectStatus } from "@prisma/client";
+import { ProjectStatus, Prisma } from "@prisma/client";
 import { NotFoundException } from "@nestjs/common";

 describe("ProjectsService", () => {
@@ -168,6 +168,23 @@ describe("ProjectsService", () => {
        service.findOne(mockProjectId, mockWorkspaceId)
      ).rejects.toThrow(NotFoundException);
    });
+
+    it("should enforce workspace isolation when finding project", async () => {
+      const otherWorkspaceId = "550e8400-e29b-41d4-a716-446655440099";
+      mockPrismaService.project.findUnique.mockResolvedValue(null);
+
+      await expect(service.findOne(mockProjectId, otherWorkspaceId)).rejects.toThrow(
+        NotFoundException
+      );
+
+      expect(prisma.project.findUnique).toHaveBeenCalledWith({
+        where: {
+          id: mockProjectId,
+          workspaceId: otherWorkspaceId,
+        },
+        include: expect.any(Object),
+      });
+    });
  });

  describe("update", () => {
@@ -202,6 +219,19 @@ describe("ProjectsService", () => {
        service.update(mockProjectId, mockWorkspaceId, mockUserId, { name: "Test" })
      ).rejects.toThrow(NotFoundException);
    });
+
+    it("should enforce workspace isolation when updating project", async () => {
+      const otherWorkspaceId = "550e8400-e29b-41d4-a716-446655440099";
+      mockPrismaService.project.findUnique.mockResolvedValue(null);
+
+      await expect(
+        service.update(mockProjectId, otherWorkspaceId, mockUserId, { name: "Hacked" })
+      ).rejects.toThrow(NotFoundException);
+
+      expect(prisma.project.findUnique).toHaveBeenCalledWith({
+        where: { id: mockProjectId, workspaceId: otherWorkspaceId },
+      });
+    });
  });

  describe("remove", () => {
@@ -223,5 +253,62 @@ describe("ProjectsService", () => {
        service.remove(mockProjectId, mockWorkspaceId, mockUserId)
      ).rejects.toThrow(NotFoundException);
    });
+
+    it("should enforce workspace isolation when deleting project", async () => {
+      const otherWorkspaceId = "550e8400-e29b-41d4-a716-446655440099";
+      mockPrismaService.project.findUnique.mockResolvedValue(null);
+
+      await expect(
+        service.remove(mockProjectId, otherWorkspaceId, mockUserId)
+      ).rejects.toThrow(NotFoundException);
+
+      expect(prisma.project.findUnique).toHaveBeenCalledWith({
+        where: { id: mockProjectId, workspaceId: otherWorkspaceId },
+      });
+    });
+  });
+
+  describe("database constraint violations", () => {
+    it("should handle unique constraint violations on create", async () => {
+      const createDto = {
+        name: "Duplicate Project",
+        description: "Project description",
+      };
+
+      const prismaError = new Prisma.PrismaClientKnownRequestError(
+        "Unique constraint failed",
+        {
+          code: "P2002",
+          clientVersion: "5.0.0",
+          meta: {
+            target: ["workspaceId", "name"],
+          },
+        }
+      );
+
+      mockPrismaService.project.create.mockRejectedValue(prismaError);
+
+      await expect(
+        service.create(mockWorkspaceId, mockUserId, createDto)
+      ).rejects.toThrow(Prisma.PrismaClientKnownRequestError);
+    });
+
+    it("should handle record not found on update (P2025)", async () => {
+      mockPrismaService.project.findUnique.mockResolvedValue(mockProject);
+
+      const prismaError = new Prisma.PrismaClientKnownRequestError(
+        "Record to update not found",
+        {
+          code: "P2025",
+          clientVersion: "5.0.0",
+        }
+      );
+
+      mockPrismaService.project.update.mockRejectedValue(prismaError);
+
+      await expect(
+        service.update(mockProjectId, mockWorkspaceId, mockUserId, { name: "Updated" })
+      ).rejects.toThrow(Prisma.PrismaClientKnownRequestError);
+    });
  });
 });