@checkstack/auth-backend 0.4.7 → 0.4.9

package/CHANGELOG.md

@@ -1,5 +1,34 @@
 # @checkstack/auth-backend
 
+## 0.4.9
+
+### Patch Changes
+
+- 0ebbe56: Security Vulnerability Remediation completed:
+  - Refactored core authorization to Fail-Closed architecture with secure defaults.
+  - Implemented `assertTeamManagementAccess` to resolve BOLA in Teams Management.
+  - Protected internal S2S capabilities via explicit wildcard `serviceScope` definitions.
+  - Disarmed OS Command Injection in DiskCollector via strict regex validation and bash escaping.
+  - Re-architected inline script processing executing scripts in sandboxed Web Worker contexts.
+  - Isolated subprocess environment scopes in PingStrategy limiting variable leakage.
+  - Enforced strict token/API Key parsing with URLSearchParams checking.
+  - Explicitly fail-fast on missing DATABASE_URL configuration across independent backend clusters.
+  - Activated strict HTTP Security Headers (HSTS, CSP, X-Frame-Options) across the API automatically.
+- Updated dependencies [0ebbe56]
+  - @checkstack/auth-common@0.5.6
+  - @checkstack/backend-api@0.8.1
+  - @checkstack/common@0.6.3
+  - @checkstack/command-backend@0.1.12
+  - @checkstack/notification-common@0.2.6
+
+## 0.4.8
+
+### Patch Changes
+
+- Updated dependencies [869b4ab]
+  - @checkstack/backend-api@0.8.0
+  - @checkstack/command-backend@0.1.11
+
 ## 0.4.7
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/auth-backend",
-  "version": "0.4.7",
+  "version": "0.4.9",
   "type": "module",
   "main": "src/index.ts",
   "scripts": {
@@ -11,16 +11,16 @@
     "test": "bun test"
   },
   "dependencies": {
-    "@checkstack/auth-common": "0.5.4",
-    "@checkstack/backend-api": "0.5.2",
-    "@checkstack/notification-common": "0.2.4",
-    "@checkstack/command-backend": "0.1.8",
+    "@checkstack/auth-common": "0.5.5",
+    "@checkstack/backend-api": "0.8.0",
+    "@checkstack/notification-common": "0.2.5",
+    "@checkstack/command-backend": "0.1.11",
     "better-auth": "^1.4.7",
     "drizzle-orm": "^0.45.1",
     "hono": "^4.0.0",
     "jose": "^6.1.3",
     "zod": "^4.2.1",
-    "@checkstack/common": "0.6.1"
+    "@checkstack/common": "0.6.2"
   },
   "devDependencies": {
     "@checkstack/drizzle-helper": "0.0.3",

package/src/api-key-parsing.test.ts

@@ -0,0 +1,26 @@
+import { describe, it, expect } from "bun:test";
+
+describe("API Key Parsing", () => {
+  it("should extract application ID and secret safely", () => {
+    // This is essentially simulating the logic added in Fix 8.A
+    const token = "ck_123e4567-e89b-12d3-a456-426614174000_sec_test_12345";
+    const tokenWithoutPrefix = token.slice(3); // Remove "ck_"
+    const separatorIndex = tokenWithoutPrefix.indexOf("_", 36);
+
+    expect(separatorIndex).not.toBe(-1);
+
+    const applicationId = tokenWithoutPrefix.slice(0, separatorIndex);
+    const secret = tokenWithoutPrefix.slice(separatorIndex + 1);
+
+    expect(applicationId).toBe("123e4567-e89b-12d3-a456-426614174000");
+    expect(secret).toBe("sec_test_12345");
+  });
+
+  it("should reject improperly formatted tokens without throwing", () => {
+    const malformedToken = "ck_short_bad";
+    const tokenWithoutPrefix = malformedToken.slice(3); // Remove "ck_"
+    const separatorIndex = tokenWithoutPrefix.indexOf("_", 36);
+
+    expect(separatorIndex).toBe(-1);
+  });
+});

package/src/index.ts

@@ -349,10 +349,15 @@ export default createBackendPlugin({
             // The UUID is parts[1] and potentially includes more parts if UUID has dashes
             // For a UUID like "abc-def-ghi", after "ck_", we get the rest split by _
             // Safer approach: find the application ID by parsing
+            // Token format: ck_<uuid>_<secret>
+            // Parse using the known ck_ prefix and structured delimiter
             const tokenWithoutPrefix = token.slice(3); // Remove "ck_"
-            // UUID is 36 chars, secret is 32 chars
-            const applicationId = tokenWithoutPrefix.slice(0, 36);
-            const secret = tokenWithoutPrefix.slice(37); // Skip the _ separator
+            // Find the last underscore: UUID may contain dashes but not underscores
+            // UUID is always 36 chars (8-4-4-4-12 with dashes)
+            const separatorIndex = tokenWithoutPrefix.indexOf("_", 36);
+            if (separatorIndex === -1) return; // Malformed token
+            const applicationId = tokenWithoutPrefix.slice(0, separatorIndex);
+            const secret = tokenWithoutPrefix.slice(separatorIndex + 1);
 
             if (applicationId && secret) {
               // Look up application
@@ -420,7 +425,7 @@ export default createBackendPlugin({
                     id: app.id,
                     name: app.name,
                     roles: roleIds,
-                    accessRulesArray,
+                    accessRules: accessRulesArray,
                     teamIds,
                   };
                 }
@@ -562,9 +567,15 @@ export default createBackendPlugin({
                 const notificationClient = rpcClient.forPlugin(NotificationApi);
                 const frontendUrl =
                   process.env.BASE_URL || "http://localhost:5173";
-                const resetUrl = `${frontendUrl}/auth/reset-password?token=${
-                  url.split("token=")[1] ?? ""
-                }`;
+                // SECURITY: Use URL parsing instead of brittle string splitting
+                const parsedUrl = new URL(url);
+                const resetToken = parsedUrl.searchParams.get("token");
+                if (!resetToken) {
+                  throw new APIError("BAD_REQUEST", {
+                    message: "Malformed password reset URL: missing token parameter",
+                  });
+                }
+                const resetUrl = `${frontendUrl}/auth/reset-password?token=${encodeURIComponent(resetToken)}`;
 
                 void notificationClient.sendTransactional({
                   userId: user.id,

package/src/router.ts

@@ -8,7 +8,8 @@ import {
   type ConfigService,
   toJsonSchema,
 } from "@checkstack/backend-api";
-import { authContract, passwordSchema } from "@checkstack/auth-common";
+import { authContract, passwordSchema, authAccess, pluginMetadata } from "@checkstack/auth-common";
+import { qualifyAccessRuleId } from "@checkstack/common";
 import { hashPassword } from "better-auth/crypto";
 import * as schema from "./schema";
 import { eq, inArray, and } from "drizzle-orm";
@@ -117,6 +118,45 @@ function generateSecret(): string {
   return Array.from(array, (byte) => chars[byte % chars.length]).join("");
 }
 
+async function assertTeamManagementAccess({
+  user,
+  teamId,
+  internalDb,
+}: {
+  user: AuthUser | undefined;
+  teamId: string;
+  internalDb: SafeDatabase<typeof schema>;
+}): Promise<void> {
+  // Services are trusted via middleware
+  if (user?.type === "service") return;
+
+  const hasGlobalManage =
+    user?.accessRules?.includes("*") ||
+    user?.accessRules?.includes(qualifyAccessRuleId(pluginMetadata, authAccess.teams.manage));
+
+  if (hasGlobalManage) return; // Global manage allows all teams
+
+  // Check if user is a manager of this specific team
+  if (isRealUser(user)) {
+    const [managerRecord] = await internalDb
+      .select()
+      .from(schema.teamManager)
+      .where(
+        and(
+          eq(schema.teamManager.teamId, teamId),
+          eq(schema.teamManager.userId, user.id),
+        ),
+      )
+      .limit(1);
+
+    if (managerRecord) return; // Is team manager
+  }
+
+  throw new ORPCError("FORBIDDEN", {
+    message: "You do not have permission to manage this team",
+  });
+}
+
 export const createAuthRouter = (
   internalDb: SafeDatabase<typeof schema>,
   strategyRegistry: { getStrategies: () => AuthStrategy<unknown>[] },
@@ -1385,7 +1425,13 @@ export const createAuthRouter = (
 
   const updateTeam = os.updateTeam.handler(async ({ input, context }) => {
     const { id, name, description } = input;
-    // TODO: Check if user is manager or has teamsManage access
+
+    await assertTeamManagementAccess({
+      user: context.user,
+      teamId: id,
+      internalDb,
+    });
+
     const updates: {
       name?: string;
       description?: string | null;
@@ -1403,6 +1449,11 @@ export const createAuthRouter = (
   });
 
   const deleteTeam = os.deleteTeam.handler(async ({ input: id, context }) => {
+    await assertTeamManagementAccess({
+      user: context.user,
+      teamId: id,
+      internalDb,
+    });
     await internalDb.transaction(async (tx) => {
       await tx.delete(schema.userTeam).where(eq(schema.userTeam.teamId, id));
       await tx
@@ -1419,7 +1470,12 @@ export const createAuthRouter = (
     context.logger.info(`[auth-backend] Deleted team: ${id}`);
   });
 
-  const addUserToTeam = os.addUserToTeam.handler(async ({ input }) => {
+  const addUserToTeam = os.addUserToTeam.handler(async ({ input, context }) => {
+    await assertTeamManagementAccess({
+      user: context.user,
+      teamId: input.teamId,
+      internalDb,
+    });
     await internalDb
       .insert(schema.userTeam)
       .values({ userId: input.userId, teamId: input.teamId })
@@ -1427,7 +1483,12 @@ export const createAuthRouter = (
   });
 
   const removeUserFromTeam = os.removeUserFromTeam.handler(
-    async ({ input }) => {
+    async ({ input, context }) => {
+      await assertTeamManagementAccess({
+        user: context.user,
+        teamId: input.teamId,
+        internalDb,
+      });
       await internalDb
         .delete(schema.userTeam)
         .where(
@@ -1439,14 +1500,24 @@ export const createAuthRouter = (
     },
   );
 
-  const addTeamManager = os.addTeamManager.handler(async ({ input }) => {
+  const addTeamManager = os.addTeamManager.handler(async ({ input, context }) => {
+    await assertTeamManagementAccess({
+      user: context.user,
+      teamId: input.teamId,
+      internalDb,
+    });
     await internalDb
       .insert(schema.teamManager)
       .values({ userId: input.userId, teamId: input.teamId })
       .onConflictDoNothing();
   });
 
-  const removeTeamManager = os.removeTeamManager.handler(async ({ input }) => {
+  const removeTeamManager = os.removeTeamManager.handler(async ({ input, context }) => {
+    await assertTeamManagementAccess({
+      user: context.user,
+      teamId: input.teamId,
+      internalDb,
+    });
     await internalDb
       .delete(schema.teamManager)
       .where(
@@ -1577,7 +1648,12 @@ export const createAuthRouter = (
         );
 
       // No grants = global access applies
-      if (grants.length === 0) return { hasAccess: hasGlobalAccess };
+      if (grants.length === 0) {
+        // SECURITY NOTE: No team grants configured for this resource.
+        // Defaulting to global access check. If this resource should be restricted,
+        // configure team grants or enable 'teamOnly' on the resource access settings.
+        return { hasAccess: hasGlobalAccess };
+      }
 
       // Check resource-level settings for teamOnly
       const settingsRows = await internalDb
@@ -1685,7 +1761,10 @@ export const createAuthRouter = (
 
       return resourceIds.filter((id) => {
         const resourceGrants = grantsByResource.get(id) || [];
-        if (resourceGrants.length === 0) return hasGlobalAccess;
+        if (resourceGrants.length === 0) {
+          // No team grants configured — fall through to global access
+          return hasGlobalAccess;
+        }
         const isTeamOnly = teamOnlyByResource.get(id) ?? false;
         if (!isTeamOnly && hasGlobalAccess) return true;
         return resourceGrants.some(