always infer orgID and userID from session (#2561)

Author: motatoes

ui/src/api/helpers.ts

@@ -1,15 +1,34 @@
+import { withAuth } from '@/authkit/ssr/session';
+
 function redirectWithFallback(redirectUri: string, headers?: Headers) {
     const newHeaders = headers ? new Headers(headers) : new Headers();
     newHeaders.set('Location', redirectUri);
-  
+
     return new Response(null, { status: 307, headers: newHeaders });
   }
-  
+
   function errorResponseWithFallback(errorBody: { error: { message: string; description: string } }) {
     return new Response(JSON.stringify(errorBody), {
       status: 500,
       headers: { 'Content-Type': 'application/json' },
     });
   }
 
+/**
+ * Requires authentication and returns session-derived user identity.
+ * Use this instead of accepting userId/organizationId from client input
+ * to prevent IDOR vulnerabilities.
+ */
+export async function requireAuth() {
+  const auth = await withAuth();
+  if (!auth.user) {
+    throw new Error('Unauthorized');
+  }
+  return {
+    userId: auth.user.id,
+    email: auth.user.email!,
+    organizationId: auth.organizationId!,
+  };
+}
+
 export { redirectWithFallback, errorResponseWithFallback };

ui/src/api/orchestrator_serverFunctions.ts

@@ -4,31 +4,28 @@ import { fetchRepos } from "./orchestrator_repos";
 import { getOrgSettings, updateOrgSettings } from "./orchestrator_orgs";
 import { testSlackWebhook } from "./drift_slack";
 import { fetchProjects, updateProject, fetchProject } from "./orchestrator_projects";
+import { requireAuth } from "./helpers";
 
 export const getOrgSettingsFn = createServerFn({method: 'GET'})
-  .inputValidator((data : {userId: string, organisationId: string}) => data)
-  .handler(async ({ data }) => {
-    const settings : any = await getOrgSettings(data.organisationId, data.userId)
+  .handler(async () => {
+    const auth = await requireAuth();
+    const settings : any = await getOrgSettings(auth.organizationId, auth.userId)
     return settings
 })
 
 export const updateOrgSettingsFn = createServerFn({method: 'POST'})
-  .inputValidator((data : {userId: string, organisationId: string, settings: OrgSettings}) => data)
+  .inputValidator((data : {settings: OrgSettings}) => data)
   .handler(async ({ data }) => {
-    const settings : any = await updateOrgSettings(data.organisationId, data.userId, data.settings)
+    const auth = await requireAuth();
+    const settings : any = await updateOrgSettings(auth.organizationId, auth.userId, data.settings)
     return settings.result
 })
 
 export const getProjectsFn = createServerFn({method: 'GET'})
-    .inputValidator((data : {userId: string, organisationId: string}) => {
-      if (!data.userId || !data.organisationId) {
-        throw new Error('Missing required fields: userId and organisationId are required')
-      }
-      return data
-    })
-    .handler(async ({ data }) => {
+    .handler(async () => {
+      const auth = await requireAuth();
       try {
-        const projects : any = await fetchProjects(data.organisationId, data.userId)
+        const projects : any = await fetchProjects(auth.organizationId, auth.userId)
         return projects.result || []
       } catch (error) {
         console.error('Error in getProjectsFn:', error)
@@ -38,66 +35,69 @@ export const getProjectsFn = createServerFn({method: 'GET'})
 
 
 export const updateProjectFn = createServerFn({method: 'POST'})
-    .inputValidator((data : {projectId: string, driftEnabled: boolean, organisationId: string, userId: string}) => data)
+    .inputValidator((data : {projectId: string, driftEnabled: boolean}) => data)
     .handler(async ({ data }) => {
-    const project : any = await updateProject(data.projectId, data.driftEnabled, data.organisationId, data.userId)
-    return project.result
+      const auth = await requireAuth();
+      const project : any = await updateProject(data.projectId, data.driftEnabled, auth.organizationId, auth.userId)
+      return project.result
   })
 
 export const getReposFn = createServerFn({method: 'GET'})
-    .inputValidator((data : {organisationId: string, userId: string}) => data)
-    .handler(async ({ data }) => {
-    let repos = []
-    try {
-        const reposData :any = await fetchRepos(data.organisationId, data.userId)
-        repos = reposData.result
-      } catch (error) {
-        console.error('Error fetching repos:', error)
-        throw error
-      }
-      return repos
+    .handler(async () => {
+      const auth = await requireAuth();
+      let repos = []
+      try {
+          const reposData :any = await fetchRepos(auth.organizationId, auth.userId)
+          repos = reposData.result
+        } catch (error) {
+          console.error('Error fetching repos:', error)
+          throw error
+        }
+        return repos
   })
 
 export const getProjectFn = createServerFn({method: 'GET'})
-    .inputValidator((data : {projectId: string, organisationId: string, userId: string}) => data)
+    .inputValidator((data : {projectId: string}) => data)
     .handler(async ({ data }) => {
-    const project : any = await fetchProject(data.projectId, data.organisationId, data.userId)
-    return project
+      const auth = await requireAuth();
+      const project : any = await fetchProject(data.projectId, auth.organizationId, auth.userId)
+      return project
   })
 
 
 export const getRepoDetailsFn = createServerFn({method: 'GET'})
-    .inputValidator((data : {repoId: string, organisationId: string, userId: string}) => data)
+    .inputValidator((data : {repoId: string}) => data)
     .handler(async ({ data }) => {
-      const { repoId, organisationId, userId } = data;
+      const auth = await requireAuth();
+      const { repoId } = data;
       let allJobs: Job[] = [];
-      let repo: Repo 
+      let repo: Repo
       try {
         const response = await fetch(`${process.env.ORCHESTRATOR_BACKEND_URL}/api/repos/${repoId}/jobs`, {
           method: 'GET',
           headers: {
             'Authorization': `Bearer ${process.env.ORCHESTRATOR_BACKEND_SECRET}`,
-            'DIGGER_ORG_ID': organisationId,
-            'DIGGER_USER_ID': userId,
+            'DIGGER_ORG_ID': auth.organizationId,
+            'DIGGER_USER_ID': auth.userId,
             'DIGGER_ORG_SOURCE': 'workos',
           },
         });
-      
+
         if (!response.ok) {
           throw new Error('Failed to fetch jobs');
         }
-      
+
         const result = await response.json();
-        
-        repo = result.repo    
+
+        repo = result.repo
         allJobs = result.jobs || []
-    
+
       } catch (error) {
         console.error('Error fetching jobs:', error);
         allJobs = [];
         throw error
       }
-  
+
       return { repo, allJobs }
     })
 
@@ -106,4 +106,3 @@ export const switchToOrganizationFn = createServerFn({method: 'POST'})
     .handler(async ({ data }) => {
       return null
     })
-

ui/src/api/statesman_serverFunctions.ts

@@ -1,75 +1,81 @@
 import { createServerFn } from "@tanstack/react-start"
 import { createUnit, getUnit, listUnits, getUnitVersions, unlockUnit, lockUnit, getUnitStatus, deleteUnit, downloadLatestState, forcePushState, restoreUnitStateVersion } from "./statesman_units"
+import { requireAuth } from "./helpers"
 
 export const listUnitsFn = createServerFn({method: 'GET'})
-  .inputValidator((data : {userId: string, organisationId: string, email: string}) => data)
-  .handler(async ({ data }) => {
-    const units : any = await listUnits(data.organisationId, data.userId, data.email);
+  .handler(async () => {
+    const auth = await requireAuth();
+    const units : any = await listUnits(auth.organizationId, auth.userId, auth.email);
     return units;
 })
 
 export const getUnitFn = createServerFn({method: 'GET'})
-  .inputValidator((data : {userId: string, organisationId: string, email: string, unitId: string}) => data)
+  .inputValidator((data : {unitId: string}) => data)
   .handler(async ({ data }) => {
-    const unit : any = await getUnit(data.organisationId, data.userId, data.email, data.unitId)
+    const auth = await requireAuth();
+    const unit : any = await getUnit(auth.organizationId, auth.userId, auth.email, data.unitId)
     return unit
 })
 
 export const getUnitVersionsFn = createServerFn({method: 'GET'})
-  .inputValidator((data : {userId: string, organisationId: string, email: string, unitId: string}) => data)
+  .inputValidator((data : {unitId: string}) => data)
   .handler(async ({ data }) => {
-    const unitVersions : any = await getUnitVersions(data.organisationId, data.userId, data.email, data.unitId)
+    const auth = await requireAuth();
+    const unitVersions : any = await getUnitVersions(auth.organizationId, auth.userId, auth.email, data.unitId)
     return unitVersions
 })
 
 export const lockUnitFn = createServerFn({method: 'POST'})
-  .inputValidator((data : {userId: string, organisationId: string, email: string, unitId: string}) => data)
+  .inputValidator((data : {unitId: string}) => data)
   .handler(async ({ data }) => {
-    const unit : any = await lockUnit(data.organisationId, data.userId, data.email, data.unitId)
+    const auth = await requireAuth();
+    const unit : any = await lockUnit(auth.organizationId, auth.userId, auth.email, data.unitId)
     return unit
 })
 
 export const unlockUnitFn = createServerFn({method: 'POST'})
-  .inputValidator((data : {userId: string, organisationId: string, email: string, unitId: string}) => data)
+  .inputValidator((data : {unitId: string}) => data)
   .handler(async ({ data }) => {
-    const unit : any = await unlockUnit(data.organisationId, data.userId, data.email, data.unitId)
+    const auth = await requireAuth();
+    const unit : any = await unlockUnit(auth.organizationId, auth.userId, auth.email, data.unitId)
     return unit
 })
 
 export const downloadLatestStateFn = createServerFn({method: 'GET'})
-  .inputValidator((data : {userId: string, organisationId: string, email: string, unitId: string}) => data)
+  .inputValidator((data : {unitId: string}) => data)
   .handler(async ({ data }) => {
-    const state : any = await downloadLatestState(data.organisationId, data.userId, data.email, data.unitId)
+    const auth = await requireAuth();
+    const state : any = await downloadLatestState(auth.organizationId, auth.userId, auth.email, data.unitId)
     return state
 })
 
 export const forcePushStateFn = createServerFn({method: 'POST'})
-  .inputValidator((data : {userId: string, organisationId: string, email: string, unitId: string, state: string}) => data)
+  .inputValidator((data : {unitId: string, state: string}) => data)
   .handler(async ({ data }) => {
-    const state : any = await forcePushState(data.organisationId, data.userId, data.email, data.unitId, data.state)
+    const auth = await requireAuth();
+    const state : any = await forcePushState(auth.organizationId, auth.userId, auth.email, data.unitId, data.state)
     return state
 })
 
 export const restoreUnitStateVersionFn = createServerFn({method: 'POST'})
-  .inputValidator((data : {userId: string, organisationId: string, email: string, unitId: string, timestamp: string, lockId: string}) => data)
+  .inputValidator((data : {unitId: string, timestamp: string, lockId: string}) => data)
   .handler(async ({ data }) => {
-    const state : any = await restoreUnitStateVersion(data.organisationId, data.userId, data.email, data.unitId, data.timestamp, data.lockId)
+    const auth = await requireAuth();
+    const state : any = await restoreUnitStateVersion(auth.organizationId, auth.userId, auth.email, data.unitId, data.timestamp, data.lockId)
     return state
 })
 
 export const getUnitStatusFn = createServerFn({method: 'GET'})
-  .inputValidator((data : {userId: string, organisationId: string, email: string, unitId: string}) => data)
+  .inputValidator((data : {unitId: string}) => data)
   .handler(async ({ data }) => {
-    const unitStatus : any = await getUnitStatus(data.organisationId, data.userId, data.email, data.unitId)
+    const auth = await requireAuth();
+    const unitStatus : any = await getUnitStatus(auth.organizationId, auth.userId, auth.email, data.unitId)
     return unitStatus
 })
 
 export const createUnitFn = createServerFn({method: 'POST'})
   .inputValidator((data : {
-    userId: string, 
-    organisationId: string, 
-    email: string, 
-    name: string, 
+    name: string,
     requestId?: string,
     tfeAutoApply?: boolean,
     tfeExecutionMode?: string,
@@ -78,10 +84,11 @@ export const createUnitFn = createServerFn({method: 'POST'})
     tfeWorkingDirectory?: string
   }) => data)
   .handler(async ({ data }) => {
+    const auth = await requireAuth();
     const unit : any = await createUnit(
-      data.organisationId, 
-      data.userId, 
-      data.email, 
+      auth.organizationId,
+      auth.userId,
+      auth.email,
       data.name,
       data.tfeAutoApply,
       data.tfeExecutionMode,
@@ -94,9 +101,6 @@ export const createUnitFn = createServerFn({method: 'POST'})
 
 export const updateUnitFn = createServerFn({method: 'POST'})
   .inputValidator((data : {
-    userId: string, 
-    organisationId: string, 
-    email: string, 
     unitId: string,
     tfeAutoApply?: boolean,
     tfeExecutionMode?: string,
@@ -105,11 +109,12 @@ export const updateUnitFn = createServerFn({method: 'POST'})
     tfeWorkingDirectory?: string
   }) => data)
   .handler(async ({ data }) => {
+    const auth = await requireAuth();
     const { updateUnit } = await import("./statesman_units")
     const unit : any = await updateUnit(
-      data.organisationId, 
-      data.userId, 
-      data.email, 
+      auth.organizationId,
+      auth.userId,
+      auth.email,
       data.unitId,
       data.tfeAutoApply,
       data.tfeExecutionMode,
@@ -121,7 +126,8 @@ export const updateUnitFn = createServerFn({method: 'POST'})
 })
 
 export const deleteUnitFn = createServerFn({method: 'POST'})
-  .inputValidator((data : {userId: string, organisationId: string, email: string, unitId: string}) => data)
+  .inputValidator((data : {unitId: string}) => data)
   .handler(async ({ data }) => {
-    await deleteUnit(data.organisationId, data.userId, data.email, data.unitId)
-})
+    const auth = await requireAuth();
+    await deleteUnit(auth.organizationId, auth.userId, auth.email, data.unitId)
+})

ui/src/api/tokens_serverFunctions.ts

@@ -2,17 +2,19 @@ import { createServerFn } from "@tanstack/react-start";
 import { createToken, getTokens } from "./tokens";
 import { verifyToken } from "./tokens";
 import { deleteToken } from "./tokens";
+import { requireAuth } from "./helpers";
 
 export const getTokensFn = createServerFn({method: 'GET'})
-    .inputValidator((data: {organizationId: string, userId: string}) => data)
-    .handler(async ({data: {organizationId, userId}}) => {
-        return getTokens(organizationId, userId);
+    .handler(async () => {
+        const auth = await requireAuth();
+        return getTokens(auth.organizationId, auth.userId);
 })
 
 export const createTokenFn = createServerFn({method: 'POST'})
-    .inputValidator((data: {organizationId: string, userId: string, name: string, expiresAt: string | null}) => data)
-    .handler(async ({data: {organizationId, userId, name, expiresAt}}) => {
-        return createToken(organizationId, userId, name, expiresAt);
+    .inputValidator((data: {name: string, expiresAt: string | null}) => data)
+    .handler(async ({data: {name, expiresAt}}) => {
+        const auth = await requireAuth();
+        return createToken(auth.organizationId, auth.userId, name, expiresAt);
 })
 
 export const verifyTokenFn = createServerFn({method: 'POST'})
@@ -22,7 +24,8 @@ export const verifyTokenFn = createServerFn({method: 'POST'})
 })
 
 export const deleteTokenFn = createServerFn({method: 'POST'})
-    .inputValidator((data: {organizationId: string, userId: string, tokenId: string}) => data)
-    .handler(async ({data: {organizationId, userId, tokenId}}) => {
-        return deleteToken(organizationId, userId, tokenId);
-})
+    .inputValidator((data: {tokenId: string}) => data)
+    .handler(async ({data: {tokenId}}) => {
+        const auth = await requireAuth();
+        return deleteToken(auth.organizationId, auth.userId, tokenId);
+})