sec: lock down 5 cross-tenant FK gaps from fifth-pass review

1. HIGH — reminders.create/updateReminder accepted clientId/interestId/ berthId from the body and persisted them with no port check; getReminder then hydrated the row via Drizzle relations (no port filter on the join), so a port-A user with reminders:create could exfiltrate any port-B client/interest/berth row by guessing its UUID. New assertReminderFksInPort gates create + update. 2. HIGH — listRecommendations(interestId, _portId) discarded portId entirely; the route GET /api/v1/interests/[id]/recommendations forwarded the URL id straight through. A port-A user with interests:view could read any other tenant's recommended berths (mooring numbers, dimensions, status). Service now verifies the interest belongs to portId and joins berths filtered by port. 3. HIGH — Berth waiting list. The PATCH route did not pre-check that the berth belonged to ctx.portId — a port-A user with manage_waiting_list could reorder a port-B berth's queue. Separately, updateWaitingList accepted arbitrary entries[].clientId and inserted them without verifying tenancy, polluting the table with foreign-port FKs. Both gaps closed. 4. MEDIUM — setEntityTags (clients/companies/yachts/interests/berths) accepted any tagId and inserted into the join table. The tags table is per-port but the join only carries a single-column FK. The downstream getById join `tags ON join.tag_id = tags.id` has no port filter, so a foreign tag's name + color render in the requesting port. Helper now batch-validates tagIds belong to portId before insert. 5. MEDIUM — /api/v1/custom-fields/[entityId] PUT had no withPermission gate (any role, including viewer, could write) and didn't validate that the URL entityId pointed at a port-scoped entity of the field definition's entityType. Route now uses withPermission('clients','view'/'edit',…); service validates the entityId per resolved entityType (client/interest/berth/yacht/company) against portId. Test mocks updated to cover the new entity-port-scope check. 818 vitest tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 03:28:31 +02:00
parent 47a1a51832
commit 4eea19a85b
8 changed files with 240 additions and 47 deletions
--- a/src/lib/services/custom-fields.service.ts
+++ b/src/lib/services/custom-fields.service.ts
@@ -266,6 +266,57 @@ export async function setValues(
    throw new ValidationError('Custom field validation failed', errors);
  }

+  // Tenant scope: verify entityId actually points at a port-scoped row of
+  // the entity type the field definitions target. Without this gate, any
+  // authenticated user could write custom-field rows pointing at arbitrary
+  // entityIds (or none at all) — polluting customFieldValues and creating
+  // a join surface that could later leak data.
+  const entityTypes = new Set(
+    values
+      .map((v) => definitionMap.get(v.fieldId)?.entityType)
+      .filter((t): t is string => Boolean(t)),
+  );
+  for (const entityType of entityTypes) {
+    const { eq: drizzleEq, and: drizzleAnd } = await import('drizzle-orm');
+    let exists = false;
+    if (entityType === 'client') {
+      const { clients } = await import('@/lib/db/schema/clients');
+      const row = await db.query.clients.findFirst({
+        where: drizzleAnd(drizzleEq(clients.id, entityId), drizzleEq(clients.portId, portId)),
+      });
+      exists = Boolean(row);
+    } else if (entityType === 'interest') {
+      const { interests } = await import('@/lib/db/schema/interests');
+      const row = await db.query.interests.findFirst({
+        where: drizzleAnd(drizzleEq(interests.id, entityId), drizzleEq(interests.portId, portId)),
+      });
+      exists = Boolean(row);
+    } else if (entityType === 'berth') {
+      const { berths } = await import('@/lib/db/schema/berths');
+      const row = await db.query.berths.findFirst({
+        where: drizzleAnd(drizzleEq(berths.id, entityId), drizzleEq(berths.portId, portId)),
+      });
+      exists = Boolean(row);
+    } else if (entityType === 'yacht') {
+      const { yachts } = await import('@/lib/db/schema/yachts');
+      const row = await db.query.yachts.findFirst({
+        where: drizzleAnd(drizzleEq(yachts.id, entityId), drizzleEq(yachts.portId, portId)),
+      });
+      exists = Boolean(row);
+    } else if (entityType === 'company') {
+      const { companies } = await import('@/lib/db/schema/companies');
+      const row = await db.query.companies.findFirst({
+        where: drizzleAnd(drizzleEq(companies.id, entityId), drizzleEq(companies.portId, portId)),
+      });
+      exists = Boolean(row);
+    } else {
+      throw new ValidationError(`Unsupported custom-field entity type: ${entityType}`);
+    }
+    if (!exists) {
+      throw new ValidationError(`${entityType} not found in this port`);
+    }
+  }
+
  // Upsert all values
  const results = await Promise.all(
    values.map(async ({ fieldId, value }) => {