fix(api): Fix RLS context, DTO validation, and error handling #110

Closed

jason.woltje wants to merge 0 commits from fix/rls-dto-errors into develop

pull from: fix/rls-dto-errors

merge into: mosaic:develop

mosaic:main

mosaic:fix/ci-glibc-image

mosaic:fix/dockerfile-npmrc

mosaic:fix/matrix-native-binary

mosaic:fix/kaniko-cache

mosaic:fix/base-image-kaniko-v2

mosaic:fix/base-image-kaniko

mosaic:feat/custom-base-image

mosaic:ci/pnpm-cache

mosaic:fix/interceptor-tests

mosaic:fix/kanban-tests

mosaic:feat/wire-chat

mosaic:feat/usage-widget

mosaic:fix/security-hardening

mosaic:fix/project-domain-v2

mosaic:feat/kanban-add-task

mosaic:fix/project-domain-attach

mosaic:fix/logs-page-clean

mosaic:fix/workspace-members

mosaic:fix/ci-lint-632

mosaic:fix/file-manager-tags

mosaic:fix/csrf-debug-log

mosaic:fix/controller-type-imports

mosaic:fix/system-admin-env

mosaic:fix/gateway-cors-trusted-origins

mosaic:feat/project-detail-page

mosaic:fix/fleet-provider-form-dto-v2

mosaic:fix/ms22-audit

mosaic:fix/orchestrator-widgets

mosaic:fix/fleet-provider-form-dto

mosaic:fix/csrf-bearer-bypass

mosaic:fix/ms22-missing-authmodule-imports

mosaic:fix/container-lifecycle-config-module

mosaic:fix/swarm-compose-ms22-vars

mosaic:chore/ms22-p1-complete

mosaic:feat/ms22-p1h-settings-ui

mosaic:feat/ms22-p1f-onboarding-ui

mosaic:feat/ms22-p1i-chat-proxy

mosaic:feat/ms22-p1k-idle-reaper

mosaic:feat/ms22-p1j-docker

mosaic:feat/ms22-p1e-onboarding-api

mosaic:feat/ms22-p1g-settings-api

mosaic:feat/ms22-p1d-container-mgr

mosaic:feat/ms22-p1c-config-api

mosaic:chore/ms22-prd-tracking

mosaic:feat/ms22-p1a-schema

mosaic:feat/ms22-p1b-crypto

mosaic:chore/ms22-p1-tasks

mosaic:docs/ms22-architecture

mosaic:feat/ms22-openclaw-docker

mosaic:feat/ms22-openclaw-gateway-module

mosaic:chore/ms21-complete

mosaic:chore/ms21-final-tasks-done

mosaic:fix/ms21-ui-001-qa

mosaic:test/ms21-ui-tests

mosaic:chore/ms21-tasks-sync

mosaic:chore/ms22-phase0-complete

mosaic:feat/ms22-ingest-clean

mosaic:feat/ms21-ui-users-members

mosaic:feat/ms22-task-agent

mosaic:chore/tasks-final

mosaic:chore/tasks-update

mosaic:feat/ms21-session-invalidation

mosaic:feat/ms21-rbac-settings

mosaic:feat/ms21-teams-page

mosaic:feat/ms21-users-page

mosaic:feat/ms19-terminal-persistence

Conversation 0 Commits - Files Changed -

jason.woltje commented 2026-01-30 02:15:30 +00:00

Owner

Copy Link

Summary

Fixes High priority issues from code review.

Changes

1. RLS Context Transaction Safety

• db-context.ts: Wrapped SET LOCAL in $transaction for connection pooling safety
• workspace.guard.ts: Removed context setting (now done at service layer)

2. Optional workspaceId in Query DTOs

Made workspaceId optional since guards provide it:

• query-tasks.dto.ts
• query-events.dto.ts
• query-projects.dto.ts
• query-domains.dto.ts
• query-ideas.dto.ts
• query-activity-log.dto.ts

3. Activity Controller Error Handling

• Replaced throw new Error() with throw new UnauthorizedException()
• Returns proper 401 instead of 500

Impact

• Prevents RLS context leakage with pooled connections
• DTOs pass validation when workspaceId comes from guards
• Proper HTTP status codes for auth errors

## Summary Fixes **High** priority issues from code review. ## Changes ### 1. RLS Context Transaction Safety - `db-context.ts`: Wrapped SET LOCAL in `$transaction` for connection pooling safety - `workspace.guard.ts`: Removed context setting (now done at service layer) ### 2. Optional workspaceId in Query DTOs Made workspaceId optional since guards provide it: - query-tasks.dto.ts - query-events.dto.ts - query-projects.dto.ts - query-domains.dto.ts - query-ideas.dto.ts - query-activity-log.dto.ts ### 3. Activity Controller Error Handling - Replaced `throw new Error()` with `throw new UnauthorizedException()` - Returns proper 401 instead of 500 ## Impact - Prevents RLS context leakage with pooled connections - DTOs pass validation when workspaceId comes from guards - Proper HTTP status codes for auth errors

jason.woltje added 1 commit 2026-01-30 02:15:31 +00:00

fix(api): fix RLS context, DTO validation, and error handling ... 26a0df835f

- Wrap SET LOCAL in transactions for proper connection pooling
- Make workspaceId optional in query DTOs (derived from guards)
- Replace Error throws with UnauthorizedException in activity controller
- Update workspace guard to remove RLS context setting
- Document that services should use withUserContext/withUserTransaction

jason.woltje closed this pull request 2026-01-30 03:04:03 +00:00

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

ai

AI/LLM integration

api

Backend/API work

api

auth

Authentication

database

database

Database/schema work

devops

Docker/deployment

docs

Documentation

frontend

graph

knowledge-module

migration

Data migration

orchestrator

Orchestrator service (apps/orchestrator/)

p0

Critical priority

p1

High priority

p2

Medium priority

p3

Low priority

performance

Performance work

phase-1

phase-2

phase-3

phase-4

phase-5

plugin

MoltBot plugin work

search

security

Security-related

setup

Initial setup

testing

Testing/QA

web

Frontend work

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#110