Add RLS policies to auth tables with FORCE enforcement #350

New Issue

Closed

opened 2026-02-07 17:07:17 +00:00 by jason.woltje · 0 comments

jason.woltje commented 2026-02-07 17:07:17 +00:00

Owner

Copy Link

Phase 1a - Security Foundations

Problem

The accounts, sessions, and verifications tables have NO Row-Level Security policies. Additionally, all 23 existing RLS-enabled tables only use ENABLE ROW LEVEL SECURITY without FORCE, meaning Prisma (connecting as table owner) silently bypasses all policies. Tenant isolation is application-level only.

Requirements

1. Add RLS policies to accounts and sessions tables scoped by user_id = current_user_id()
2. Add FORCE ROW LEVEL SECURITY to these tables so the table owner is also subject to policies
3. Add owner bypass policy (TO mosaic USING (true)) so Prisma migrations and BetterAuth internal operations still work
4. Verify verifications table doesn't need user-scoped RLS (tokens are ephemeral, no user_id column)

Implementation Notes

• New Prisma migration: add_auth_rls_policies
• Reuse existing helper functions: current_user_id(), is_workspace_member(), is_workspace_admin() from migration 20260129221004_add_rls_policies
• Must be deployed AFTER the RLS context interceptor is wired up, or existing queries will break
• Test: User A cannot query User B's Account/Session rows

Files

• apps/api/prisma/migrations/[timestamp]_add_auth_rls/migration.sql (new)

Acceptance Criteria

• RLS policies on accounts and sessions tables
• FORCE ROW LEVEL SECURITY on both tables
• Owner bypass policies for migration compatibility
• Integration tests verify cross-user isolation
• Existing auth flows (login, session refresh) still work

Dependencies

• Blocked by: RLS context interceptor issue
• Blocks: User credential model (needs RLS pattern established)

Refs #346

## Phase 1a - Security Foundations ### Problem The accounts, sessions, and verifications tables have NO Row-Level Security policies. Additionally, all 23 existing RLS-enabled tables only use ENABLE ROW LEVEL SECURITY without FORCE, meaning Prisma (connecting as table owner) silently bypasses all policies. Tenant isolation is application-level only. ### Requirements 1. Add RLS policies to accounts and sessions tables scoped by user_id = current_user_id() 2. Add FORCE ROW LEVEL SECURITY to these tables so the table owner is also subject to policies 3. Add owner bypass policy (TO mosaic USING (true)) so Prisma migrations and BetterAuth internal operations still work 4. Verify verifications table doesn't need user-scoped RLS (tokens are ephemeral, no user_id column) ### Implementation Notes - New Prisma migration: add_auth_rls_policies - Reuse existing helper functions: current_user_id(), is_workspace_member(), is_workspace_admin() from migration 20260129221004_add_rls_policies - Must be deployed AFTER the RLS context interceptor is wired up, or existing queries will break - Test: User A cannot query User B's Account/Session rows ### Files - apps/api/prisma/migrations/[timestamp]_add_auth_rls/migration.sql (new) ### Acceptance Criteria - [ ] RLS policies on accounts and sessions tables - [ ] FORCE ROW LEVEL SECURITY on both tables - [ ] Owner bypass policies for migration compatibility - [ ] Integration tests verify cross-user isolation - [ ] Existing auth flows (login, session refresh) still work ### Dependencies - Blocked by: RLS context interceptor issue - Blocks: User credential model (needs RLS pattern established) Refs #346

jason.woltje added this to the M9-CredentialSecurity (0.0.9) milestone 2026-02-07 17:07:17 +00:00

jason.woltje added the securitydatabasedatabasep0 labels 2026-02-07 17:07:17 +00:00

jason.woltje referenced this issue 2026-02-07 17:11:32 +00:00

Create RLS context interceptor (fix SEC-API-4) #351

jason.woltje referenced this issue 2026-02-07 17:13:29 +00:00

Security: Vault-based credential storage for agents and CI #346

jason.woltje referenced this issue from a commit 2026-02-07 18:49:39 +00:00

feat(#350): Add RLS policies to auth tables with FORCE enforcement

jason.woltje closed this issue 2026-02-07 18:49:41 +00:00

jason.woltje referenced this issue from a commit 2026-02-07 18:50:02 +00:00

chore: Update tasks.md - Issue #350 complete

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

v0.0.21

v0.20.0

v0.0.15

v0.0.2

Labels

Clear labels

ai

AI/LLM integration

api

Backend/API work

api

auth

Authentication

database

database

Database/schema work

devops

Docker/deployment

docs

Documentation

frontend

graph

knowledge-module

migration

Data migration

orchestrator

Orchestrator service (apps/orchestrator/)

p0

Critical priority

p1

High priority

p2

Medium priority

p3

Low priority

performance

Performance work

phase-1

phase-2

phase-3

phase-4

phase-5

plugin

MoltBot plugin work

search

security

Security-related

setup

Initial setup

testing

Testing/QA

web

Frontend work

No Label database database p0 security

Milestone

No items

No Milestone M9-CredentialSecurity (0.0.9)

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#350