@pylonsync/create-pylon 0.3.158 → 0.3.161

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pylonsync/create-pylon",
-  "version": "0.3.158",
+  "version": "0.3.161",
   "description": "Scaffold a new Pylon app — realtime backend + web/mobile/expo frontends in one command. Run via `npm create @pylonsync/pylon@latest`.",
   "publishConfig": {
     "access": "public"

package/templates/backend/b2b/apps/api/schema.ts

@@ -27,23 +27,29 @@ import {
 const Org = entity("Org", {
 	slug: field.string(),
 	name: field.string(),
-	ownerId: field.id("User"),
-	createdAt: field.datetime(),
+	// `.readonly()` blocks HTTP PATCH from rewriting ownership — closes
+	// the IDOR-via-update-payload shape where an attacker would
+	// `PATCH /api/entities/Org/<id>` with `{ownerId: <them>}` and the
+	// policy's `existing.ownerId == auth.userId` would already be true
+	// because they read the row. Server-side ctx.db.update still goes
+	// through, so admin migrations + transfers work.
+	ownerId: field.id("User").readonly(),
+	createdAt: field.datetime().readonly(),
 });
 
 const Membership = entity("Membership", {
-	orgId: field.id("Org"),
-	userId: field.id("User"),
+	orgId: field.id("Org").readonly(),
+	userId: field.id("User").readonly(),
 	role: field.enum_(["owner", "admin", "member"]),
-	createdAt: field.datetime(),
+	createdAt: field.datetime().readonly(),
 });
 
 const Project = entity("Project", {
-	orgId: field.id("Org"),
+	orgId: field.id("Org").readonly(),
 	name: field.string(),
-	createdBy: field.id("User"),
+	createdBy: field.id("User").readonly(),
 	archived: field.bool(),
-	createdAt: field.datetime(),
+	createdAt: field.datetime().readonly(),
 });
 
 // ---------------------------------------------------------------------------
@@ -108,11 +114,18 @@ const archiveProject = action("archiveProject", {
 const orgPolicy = policy({
 	name: "org_membership",
 	entity: "Org",
-	// Anyone can read an org if they're a member; only the owner can update.
+	// Anyone can read an org if they're a member; only the owner can
+	// update / delete. Update + delete pin `existing.ownerId` (the
+	// current row's value) rather than `data.ownerId` (the proposed
+	// payload) — without this pin, an attacker could PATCH with
+	// `{ownerId: <attacker>}` and the policy would happily compare
+	// the payload value to their own userId. `ownerId` is also marked
+	// `.readonly()` on the entity so updates never get to set it via
+	// HTTP regardless — belt + suspenders.
 	allowRead: "exists(Membership where orgId = data.id and userId = auth.userId)",
 	allowInsert: "auth.userId == data.ownerId",
-	allowUpdate: "data.ownerId == auth.userId",
-	allowDelete: "data.ownerId == auth.userId",
+	allowUpdate: "existing.ownerId == auth.userId",
+	allowDelete: "existing.ownerId == auth.userId",
 });
 
 const membershipPolicy = policy({
@@ -120,31 +133,40 @@ const membershipPolicy = policy({
 	entity: "Membership",
 	// You can see your own memberships, plus all memberships in any org
 	// where you're an owner/admin (so the admin UI can list everyone).
+	// Update/delete pin `existing.orgId` so an attacker can't move a
+	// membership to another org by PATCHing the payload. The entity
+	// also marks `orgId` + `userId` as `.readonly()` so HTTP PATCH
+	// rejects those fields outright — server actions like
+	// `setMemberRole` write only `role`.
 	allowRead:
 		"data.userId == auth.userId or exists(Membership where orgId = data.orgId and userId = auth.userId and (role = 'owner' or role = 'admin'))",
 	allowInsert:
 		"exists(Membership where orgId = data.orgId and userId = auth.userId and (role = 'owner' or role = 'admin'))",
 	allowUpdate:
-		"exists(Membership where orgId = data.orgId and userId = auth.userId and (role = 'owner' or role = 'admin'))",
+		"exists(Membership where orgId = existing.orgId and userId = auth.userId and (role = 'owner' or role = 'admin'))",
 	allowDelete:
-		"exists(Membership where orgId = data.orgId and userId = auth.userId and (role = 'owner' or role = 'admin'))",
+		"exists(Membership where orgId = existing.orgId and userId = auth.userId and (role = 'owner' or role = 'admin'))",
 });
 
 const projectPolicy = policy({
 	name: "project_org_scope",
 	entity: "Project",
 	// Tenant scope: you can only touch a project if you're a member of
-	// its org. Regardless of which `orgId` the client claims, the policy
-	// pulls the row's actual orgId and checks membership.
+	// its org. `existing.orgId` on update/delete pins the row's
+	// current org — without it, an attacker could PATCH with
+	// `{orgId: <my_org>}` to "import" a project from a foreign org
+	// into one they own. `orgId` is also `.readonly()` on the entity,
+	// so PATCH can't even set it. Insert uses `data.orgId` because
+	// there is no `existing` row yet.
 	allowRead:
 		"exists(Membership where orgId = data.orgId and userId = auth.userId)",
 	allowInsert:
 		"exists(Membership where orgId = data.orgId and userId = auth.userId)",
 	// Only owners/admins can rename or archive.
 	allowUpdate:
-		"exists(Membership where orgId = data.orgId and userId = auth.userId and (role = 'owner' or role = 'admin'))",
+		"exists(Membership where orgId = existing.orgId and userId = auth.userId and (role = 'owner' or role = 'admin'))",
 	allowDelete:
-		"exists(Membership where orgId = data.orgId and userId = auth.userId and (role = 'owner' or role = 'admin'))",
+		"exists(Membership where orgId = existing.orgId and userId = auth.userId and (role = 'owner' or role = 'admin'))",
 });
 
 // ---------------------------------------------------------------------------

package/templates/backend/chat/apps/api/schema.ts

@@ -25,11 +25,14 @@ const Room = entity("Room", {
 });
 
 const Message = entity("Message", {
-	roomId: field.id("Room"),
-	authorId: field.id("User"),
+	// `.readonly()` on identity fields blocks HTTP PATCH from
+	// rewriting authorship / message location. Server-side
+	// ctx.db.update still goes through inside actions.
+	roomId: field.id("Room").readonly(),
+	authorId: field.id("User").readonly(),
 	authorName: field.string(),
 	body: field.string(),
-	createdAt: field.datetime(),
+	createdAt: field.datetime().readonly(),
 });
 
 // ---------------------------------------------------------------------------

package/templates/backend/consumer/apps/api/schema.ts

@@ -23,23 +23,26 @@ import {
 // ---------------------------------------------------------------------------
 
 const Profile = entity("Profile", {
-	userId: field.id("User"),
+	// Ownership fields lock with `.readonly()` so HTTP PATCH can't
+	// rewrite them. Server-side ctx.db.update inside actions still
+	// goes through — readonly is an HTTP-boundary check only.
+	userId: field.id("User").readonly(),
 	handle: field.string(),
 	displayName: field.string(),
 	bio: field.string().optional(),
-	createdAt: field.datetime(),
+	createdAt: field.datetime().readonly(),
 });
 
 const Post = entity("Post", {
-	authorId: field.id("Profile"),
+	authorId: field.id("Profile").readonly(),
 	body: field.string(),
-	createdAt: field.datetime(),
+	createdAt: field.datetime().readonly(),
 });
 
 const Like = entity("Like", {
-	profileId: field.id("Profile"),
-	postId: field.id("Post"),
-	createdAt: field.datetime(),
+	profileId: field.id("Profile").readonly(),
+	postId: field.id("Post").readonly(),
+	createdAt: field.datetime().readonly(),
 });
 
 // ---------------------------------------------------------------------------
@@ -79,33 +82,43 @@ const profilePolicy = policy({
 	entity: "Profile",
 	allowRead: "true",
 	allowInsert: "auth.userId == data.userId",
-	allowUpdate: "auth.userId == data.userId",
-	allowDelete: "auth.userId == data.userId",
+	// Update + delete pin `existing.userId` so an attacker can't
+	// PATCH `{userId: <attacker>}` to "claim" someone else's profile.
+	// `userId` is also `.readonly()` on the entity so PATCH bounces
+	// the field outright — belt + suspenders.
+	allowUpdate: "auth.userId == existing.userId",
+	allowDelete: "auth.userId == existing.userId",
 });
 
 const postPolicy = policy({
 	name: "post_public",
 	entity: "Post",
 	allowRead: "true",
-	// Caller must own a Profile that's being claimed as the author.
+	// Insert: caller must own a Profile they're claiming as author.
 	allowInsert:
 		"exists(Profile where id = data.authorId and userId = auth.userId)",
+	// Update + delete pin `existing.authorId` so an attacker can't
+	// rewrite the author in the PATCH payload to grant themselves
+	// access. `authorId` is also `.readonly()` on the entity.
 	allowUpdate:
-		"exists(Profile where id = data.authorId and userId = auth.userId)",
+		"exists(Profile where id = existing.authorId and userId = auth.userId)",
 	allowDelete:
-		"exists(Profile where id = data.authorId and userId = auth.userId)",
+		"exists(Profile where id = existing.authorId and userId = auth.userId)",
 });
 
 const likePolicy = policy({
 	name: "like_public",
 	entity: "Like",
 	allowRead: "true",
-	// Caller must own the Profile doing the liking.
+	// Caller must own the Profile doing the liking. Like has no
+	// update path (allowUpdate: "false"), so the IDOR-via-PATCH
+	// shape doesn't apply — but delete pins `existing.profileId`
+	// for consistency with the other policies.
 	allowInsert:
 		"exists(Profile where id = data.profileId and userId = auth.userId)",
 	allowUpdate: "false",
 	allowDelete:
-		"exists(Profile where id = data.profileId and userId = auth.userId)",
+		"exists(Profile where id = existing.profileId and userId = auth.userId)",
 });
 
 // ---------------------------------------------------------------------------