fix(gateway): security hardening — auth guards, ownership checks, validation, rate limiting

2026-03-13 08:25:57 -05:00
parent 01e9891243
commit 55b5a31c3c
22 changed files with 696 additions and 74 deletions
--- a/apps/gateway/src/tests/resource-ownership.test.ts
+++ b/apps/gateway/src/tests/resource-ownership.test.ts
@@ -0,0 +1,89 @@
+import { ForbiddenException } from '@nestjs/common';
+import { describe, expect, it, vi } from 'vitest';
+import { ConversationsController } from '../conversations/conversations.controller.js';
+import { MissionsController } from '../missions/missions.controller.js';
+import { ProjectsController } from '../projects/projects.controller.js';
+import { TasksController } from '../tasks/tasks.controller.js';
+
+function createBrain() {
+  return {
+    conversations: {
+      findAll: vi.fn(),
+      findById: vi.fn(),
+      create: vi.fn(),
+      update: vi.fn(),
+      remove: vi.fn(),
+      findMessages: vi.fn(),
+      addMessage: vi.fn(),
+    },
+    projects: {
+      findAll: vi.fn(),
+      findById: vi.fn(),
+      create: vi.fn(),
+      update: vi.fn(),
+      remove: vi.fn(),
+    },
+    missions: {
+      findAll: vi.fn(),
+      findById: vi.fn(),
+      findByProject: vi.fn(),
+      create: vi.fn(),
+      update: vi.fn(),
+      remove: vi.fn(),
+    },
+    tasks: {
+      findAll: vi.fn(),
+      findById: vi.fn(),
+      findByProject: vi.fn(),
+      findByMission: vi.fn(),
+      findByStatus: vi.fn(),
+      create: vi.fn(),
+      update: vi.fn(),
+      remove: vi.fn(),
+    },
+  };
+}
+
+describe('Resource ownership checks', () => {
+  it('forbids access to another user conversation', async () => {
+    const brain = createBrain();
+    brain.conversations.findById.mockResolvedValue({ id: 'conv-1', userId: 'user-2' });
+    const controller = new ConversationsController(brain as never);
+
+    await expect(controller.findOne('conv-1', { id: 'user-1' })).rejects.toBeInstanceOf(
+      ForbiddenException,
+    );
+  });
+
+  it('forbids access to another user project', async () => {
+    const brain = createBrain();
+    brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
+    const controller = new ProjectsController(brain as never);
+
+    await expect(controller.findOne('project-1', { id: 'user-1' })).rejects.toBeInstanceOf(
+      ForbiddenException,
+    );
+  });
+
+  it('forbids access to a mission owned by another project owner', async () => {
+    const brain = createBrain();
+    brain.missions.findById.mockResolvedValue({ id: 'mission-1', projectId: 'project-1' });
+    brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
+    const controller = new MissionsController(brain as never);
+
+    await expect(controller.findOne('mission-1', { id: 'user-1' })).rejects.toBeInstanceOf(
+      ForbiddenException,
+    );
+  });
+
+  it('forbids access to a task owned by another project owner', async () => {
+    const brain = createBrain();
+    brain.tasks.findById.mockResolvedValue({ id: 'task-1', projectId: 'project-1' });
+    brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
+    const controller = new TasksController(brain as never);
+
+    await expect(controller.findOne('task-1', { id: 'user-1' })).rejects.toBeInstanceOf(
+      ForbiddenException,
+    );
+  });
+});