Fix workspace ID transmission mismatch between API and client #194

New Issue

jason.woltje · 2026-02-02T17:26:15Z

jason.woltje commented

2026-02-02 17:26:15 +00:00

Problem

WorkspaceGuard checks header/URL param/body, but web client sends workspaceId in query string. GETs will be rejected with "Workspace ID is required."

Locations

apps/api/src/workspace/workspace.guard.ts:96 - Checks header/param/body only
apps/web/lib/api/tasks.ts:28 - Sends in query string

// Guard checks (in order)
1. X-Workspace-Id header
2. :workspaceId URL param
3. body.workspaceId

// Client sends
GET /api/tasks?workspaceId=xxx  // ❌ Not checked by guard

Impact

All GET requests with workspace filtering fail
Cannot list workspace-scoped resources
Multi-tenant isolation may be bypassed if guard is skipped

Acceptance Criteria

DECISION: Choose workspace ID transmission method
Update guard to accept chosen method
Update all client API calls
Document workspace ID requirement
Add tests for workspace isolation
Verify workspace access validation

Option A: Header (Recommended)

// Client
fetch(url, {
  headers: { 'X-Workspace-Id': workspaceId }
});

// Guard (add to check list)
const workspaceId = req.headers['x-workspace-id'];

Option B: Query String

// Guard (add to check list)
const workspaceId = req.query.workspaceId || 
                    req.headers['x-workspace-id'] ||
                    req.params.workspaceId ||
                    req.body.workspaceId;

Testing

Test GET requests with workspace ID
Test POST/PATCH/DELETE with workspace ID
Test missing workspace ID rejected
Test cross-workspace access blocked

References

External security review findings (2026-02-02)

## Problem WorkspaceGuard checks header/URL param/body, but web client sends workspaceId in query string. GETs will be rejected with "Workspace ID is required." ## Locations - apps/api/src/workspace/workspace.guard.ts:96 - Checks header/param/body only - apps/web/lib/api/tasks.ts:28 - Sends in query string ```typescript // Guard checks (in order) 1. X-Workspace-Id header 2. :workspaceId URL param 3. body.workspaceId // Client sends GET /api/tasks?workspaceId=xxx // ❌ Not checked by guard ``` ## Impact - All GET requests with workspace filtering fail - Cannot list workspace-scoped resources - Multi-tenant isolation may be bypassed if guard is skipped ## Acceptance Criteria - [ ] **DECISION**: Choose workspace ID transmission method - [ ] Update guard to accept chosen method - [ ] Update all client API calls - [ ] Document workspace ID requirement - [ ] Add tests for workspace isolation - [ ] Verify workspace access validation ## Option A: Header (Recommended) ```typescript // Client fetch(url, { headers: { 'X-Workspace-Id': workspaceId } }); // Guard (add to check list) const workspaceId = req.headers['x-workspace-id']; ``` ## Option B: Query String ```typescript // Guard (add to check list) const workspaceId = req.query.workspaceId || req.headers['x-workspace-id'] || req.params.workspaceId || req.body.workspaceId; ``` ## Testing - [ ] Test GET requests with workspace ID - [ ] Test POST/PATCH/DELETE with workspace ID - [ ] Test missing workspace ID rejected - [ ] Test cross-workspace access blocked ## References External security review findings (2026-02-02)

jason.woltje added the web api api p1 labels 2026-02-02 17:26:15 +00:00

jason.woltje added this to the M7.1-Remediation (0.0.8) milestone 2026-02-03 22:31:44 +00:00

jason.woltje referenced this issue from a commit

2026-02-04 04:38:41 +00:00

feat(#194): Fix workspace ID transmission mismatch between API and client

jason.woltje closed this issue

2026-02-04 04:38:52 +00:00

Sign in to join this conversation.

Branches Tags

main

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#194