fix(#337): Propagate database errors from guards instead of masking as access denied

SEC-API-2: WorkspaceGuard now propagates database errors as 500s instead of returning "access denied". Only Prisma P2025 (record not found) is treated as "user not a member". SEC-API-3: PermissionGuard now propagates database errors as 500s instead of returning null role (which caused permission denied). Only Prisma P2025 is treated as "not a member". This prevents connection timeouts, pool exhaustion, and other infrastructure errors from being misreported to users as authorization failures. Refs #337 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 15:35:11 -06:00
parent 6bb9846cde
commit e237c40482
4 changed files with 152 additions and 10 deletions
--- a/apps/api/src/common/guards/permission.guard.spec.ts
+++ b/apps/api/src/common/guards/permission.guard.spec.ts
@@ -1,11 +1,11 @@
 import { describe, it, expect, beforeEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
-import { ExecutionContext, ForbiddenException } from "@nestjs/common";
+import { ExecutionContext, ForbiddenException, InternalServerErrorException } from "@nestjs/common";
 import { Reflector } from "@nestjs/core";
+import { Prisma, WorkspaceMemberRole } from "@prisma/client";
 import { PermissionGuard } from "./permission.guard";
 import { PrismaService } from "../../prisma/prisma.service";
 import { Permission } from "../decorators/permissions.decorator";
-import { WorkspaceMemberRole } from "@prisma/client";

 describe("PermissionGuard", () => {
  let guard: PermissionGuard;
@@ -208,13 +208,67 @@ describe("PermissionGuard", () => {
      );
    });

-    it("should handle database errors gracefully", async () => {
+    it("should throw InternalServerErrorException on database connection errors", async () => {
      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });

      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_MEMBER);
-      mockPrismaService.workspaceMember.findUnique.mockRejectedValue(new Error("Database error"));
+      mockPrismaService.workspaceMember.findUnique.mockRejectedValue(
+        new Error("Database connection failed")
+      );

+      await expect(guard.canActivate(context)).rejects.toThrow(InternalServerErrorException);
+      await expect(guard.canActivate(context)).rejects.toThrow("Failed to verify permissions");
+    });
+
+    it("should throw InternalServerErrorException on Prisma connection timeout", async () => {
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
+
+      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_MEMBER);
+
+      const prismaError = new Prisma.PrismaClientKnownRequestError("Connection timed out", {
+        code: "P1001", // Authentication failed (connection error)
+        clientVersion: "5.0.0",
+      });
+
+      mockPrismaService.workspaceMember.findUnique.mockRejectedValue(prismaError);
+
+      await expect(guard.canActivate(context)).rejects.toThrow(InternalServerErrorException);
+    });
+
+    it("should return null role for Prisma not found error (P2025)", async () => {
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
+
+      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_MEMBER);
+
+      const prismaError = new Prisma.PrismaClientKnownRequestError("Record not found", {
+        code: "P2025", // Record not found
+        clientVersion: "5.0.0",
+      });
+
+      mockPrismaService.workspaceMember.findUnique.mockRejectedValue(prismaError);
+
+      // P2025 should be treated as "not a member" -> ForbiddenException
      await expect(guard.canActivate(context)).rejects.toThrow(ForbiddenException);
+      await expect(guard.canActivate(context)).rejects.toThrow(
+        "You are not a member of this workspace"
+      );
+    });
+
+    it("should NOT mask database pool exhaustion as permission denied", async () => {
+      const context = createMockExecutionContext({ id: userId }, { id: workspaceId });
+
+      mockReflector.getAllAndOverride.mockReturnValue(Permission.WORKSPACE_MEMBER);
+
+      const prismaError = new Prisma.PrismaClientKnownRequestError("Connection pool exhausted", {
+        code: "P2024", // Connection pool timeout
+        clientVersion: "5.0.0",
+      });
+
+      mockPrismaService.workspaceMember.findUnique.mockRejectedValue(prismaError);
+
+      // Should NOT throw ForbiddenException for DB errors
+      await expect(guard.canActivate(context)).rejects.toThrow(InternalServerErrorException);
+      await expect(guard.canActivate(context)).rejects.not.toThrow(ForbiddenException);
    });
  });
 });