mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(#337): Propagate database errors from guards instead of masking as access denied

Browse Source 
SEC-API-2: WorkspaceGuard now propagates database errors as 500s instead of
returning "access denied". Only Prisma P2025 (record not found) is treated
as "user not a member".

SEC-API-3: PermissionGuard now propagates database errors as 500s instead of
returning null role (which caused permission denied). Only Prisma P2025 is
treated as "not a member".

This prevents connection timeouts, pool exhaustion, and other infrastructure
errors from being misreported to users as authorization failures.

Refs #337

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-05 15:35:11 -06:00
parent 6bb9846cde
commit e237c40482
4 changed files with 152 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
apps/api/src/common/guards/workspace.guard.ts
View File

@@ -4,8 +4,10 @@ import {
ExecutionContext,
ForbiddenException,
BadRequestException,
InternalServerErrorException,
Logger,
} from "@nestjs/common";
import { Prisma } from "@prisma/client";
import { PrismaService } from "../../prisma/prisma.service";
import type { AuthenticatedRequest } from "../types/user.types";
@@ -127,6 +129,10 @@ export class WorkspaceGuard implements CanActivate {
/**
* Verifies that a user is a member of the specified workspace
*
* SEC-API-2 FIX: Database errors are no longer swallowed as "access denied".
* Connection timeouts, pool exhaustion, and other infrastructure errors
* are propagated as 500 errors to avoid masking operational issues.
*/
private async verifyWorkspaceMembership(userId: string, workspaceId: string): Promise<boolean> {
try {
@@ -141,11 +147,23 @@ export class WorkspaceGuard implements CanActivate {
return member !== null;
} catch (error) {
// Only handle Prisma "not found" errors (P2025) as expected cases
// All other database errors (connection, timeout, pool) should propagate
if (
error instanceof Prisma.PrismaClientKnownRequestError &&
error.code === "P2025" // Record not found
) {
return false;
}
// Log the error before propagating
this.logger.error(
`Failed to verify workspace membership: ${error instanceof Error ? error.message : "Unknown error"}`,
`Database error during workspace membership check: ${error instanceof Error ? error.message : "Unknown error"}`,
error instanceof Error ? error.stack : undefined
);
return false;
// Propagate infrastructure errors as 500s, not access denied
throw new InternalServerErrorException("Failed to verify workspace access");
}
}
}