Implement RLS context helpers consistently across all services #195

New Issue

Closed

opened 2026-02-02 17:26:15 +00:00 by jason.woltje · 0 comments

jason.woltje commented 2026-02-02 17:26:15 +00:00

Owner

Copy Link

Problem

RLS context helpers exist (db-context.ts) but are not used by services. Security relies on manual workspace filtering everywhere. If RLS policies are enabled, queries will fail. If they aren't, one missed filter becomes a cross-tenant data leak.

Locations

• apps/api/src/prisma/db-context.ts:75 - withUserContext helper exists
• apps/api/src/tasks/tasks.service.ts:56 - Manual filtering: where: { workspaceId }

// Helper exists but unused
export function withUserContext(userId: string, workspaceId: string) {
  return { userId, workspaceId };
}

// Services do manual filtering
const tasks = await this.prisma.task.findMany({
  where: { workspaceId },  // Manual - easy to forget
});

Questions (URGENT - Need Answers)

1. Are Postgres RLS policies enabled in production?
2. If yes, why aren't services using withUserContext?
3. If no, when will RLS be enabled?

Risk

If RLS policies are enabled without withUserContext:

• All queries will fail (no context set)

If RLS policies are NOT enabled:

• One missed workspaceId filter = data leak
• No defense-in-depth

Acceptance Criteria

• DECISION: Are RLS policies enabled?
• Audit all service queries for workspace filtering
• Implement Prisma middleware to set RLS context
• OR centralize withUserContext in request-scoped Prisma
• Add tests for cross-tenant isolation
• Document RLS usage patterns
• Add lint rule to require workspace filtering

Option A: Prisma Middleware (Recommended)

prisma.$use(async (params, next) => {
  const context = getRequestContext();
  await prisma.$executeRaw`
    SET LOCAL app.user_id = ${context.userId};
    SET LOCAL app.workspace_id = ${context.workspaceId};
  `;
  return next(params);
});

Option B: Request-scoped Prisma

// Inject Prisma with context pre-set
@Injectable({ scope: Scope.REQUEST })
export class PrismaService {
  async onModuleInit() {
    await this.setContext(this.userId, this.workspaceId);
  }
}

Testing

• Test RLS policies enforce isolation
• Test queries fail without context (if RLS enabled)
• Test cross-workspace queries blocked
• Verify performance impact acceptable

References

External security review findings (2026-02-02)

## Problem RLS context helpers exist (db-context.ts) but are not used by services. Security relies on manual workspace filtering everywhere. If RLS policies are enabled, queries will fail. If they aren't, one missed filter becomes a cross-tenant data leak. ## Locations - apps/api/src/prisma/db-context.ts:75 - withUserContext helper exists - apps/api/src/tasks/tasks.service.ts:56 - Manual filtering: where: { workspaceId } ```typescript // Helper exists but unused export function withUserContext(userId: string, workspaceId: string) { return { userId, workspaceId }; } // Services do manual filtering const tasks = await this.prisma.task.findMany({ where: { workspaceId }, // Manual - easy to forget }); ``` ## Questions (URGENT - Need Answers) 1. Are Postgres RLS policies enabled in production? 2. If yes, why aren't services using withUserContext? 3. If no, when will RLS be enabled? ## Risk If RLS policies are enabled without withUserContext: - All queries will fail (no context set) If RLS policies are NOT enabled: - One missed workspaceId filter = data leak - No defense-in-depth ## Acceptance Criteria - [ ] **DECISION**: Are RLS policies enabled? - [ ] Audit all service queries for workspace filtering - [ ] Implement Prisma middleware to set RLS context - [ ] OR centralize withUserContext in request-scoped Prisma - [ ] Add tests for cross-tenant isolation - [ ] Document RLS usage patterns - [ ] Add lint rule to require workspace filtering ## Option A: Prisma Middleware (Recommended) ```typescript prisma.$use(async (params, next) => { const context = getRequestContext(); await prisma.$executeRaw` SET LOCAL app.user_id = ${context.userId}; SET LOCAL app.workspace_id = ${context.workspaceId}; `; return next(params); }); ``` ## Option B: Request-scoped Prisma ```typescript // Inject Prisma with context pre-set @Injectable({ scope: Scope.REQUEST }) export class PrismaService { async onModuleInit() { await this.setContext(this.userId, this.workspaceId); } } ``` ## Testing - [ ] Test RLS policies enforce isolation - [ ] Test queries fail without context (if RLS enabled) - [ ] Test cross-workspace queries blocked - [ ] Verify performance impact acceptable ## References External security review findings (2026-02-02)

jason.woltje added the databasesecuritydatabaseapiapip1 labels 2026-02-02 17:26:15 +00:00

jason.woltje added this to the M7.1-Remediation (0.0.8) milestone 2026-02-03 22:31:44 +00:00

jason.woltje referenced this issue from a commit 2026-02-04 04:45:14 +00:00

fix(#195): Implement RLS context helpers consistently across all services

jason.woltje closed this issue 2026-02-04 04:45:23 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

v0.0.21

v0.20.0

v0.0.15

v0.0.2

Labels

Clear labels

ai

AI/LLM integration

api

Backend/API work

api

auth

Authentication

database

database

Database/schema work

devops

Docker/deployment

docs

Documentation

frontend

graph

knowledge-module

migration

Data migration

orchestrator

Orchestrator service (apps/orchestrator/)

p0

Critical priority

p1

High priority

p2

Medium priority

p3

Low priority

performance

Performance work

phase-1

phase-2

phase-3

phase-4

phase-5

plugin

MoltBot plugin work

search

security

Security-related

setup

Initial setup

testing

Testing/QA

web

Frontend work

No Label api api database database p1 security

Milestone

No items

No Milestone M7.1-Remediation (0.0.8)

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#195