Skip to content

security: Fix multi-tenancy and ownership verification (#7, #8)#25

Merged
DevanshuNEU merged 3 commits into
OpenCodeIntel:mainfrom
DevanshuNEU:security/multi-tenancy-fix
Dec 5, 2025
Merged

security: Fix multi-tenancy and ownership verification (#7, #8)#25
DevanshuNEU merged 3 commits into
OpenCodeIntel:mainfrom
DevanshuNEU:security/multi-tenancy-fix

Conversation

@DevanshuNEU

@DevanshuNEU DevanshuNEU commented Dec 5, 2025

Copy link
Copy Markdown
Collaborator

Summary

Critical security fixes for multi-tenancy isolation and hardcoded credentials.

Security Issues Fixed

Issue #7 - Broken Multi-tenancy (CRITICAL)

Before: Any authenticated user could see ALL repositories in the system.
After: Users can only see and access their own repositories.

Endpoints Fixed:

Endpoint Fix Applied
GET /api/repos Filter by user_id
POST /api/repos/{id}/index Ownership verification
GET /api/repos/{id}/dependencies Ownership verification
POST /api/repos/{id}/impact Ownership verification
GET /api/repos/{id}/insights Ownership verification
GET /api/repos/{id}/style-analysis Ownership verification
POST /api/search Repo ownership check
POST /api/explain Repo ownership check
WebSocket /ws/index/{id} Ownership verification

Issue #8 - Hardcoded API Key (MEDIUM)

Before: Default dev-secret-key could work in production if DEBUG not explicitly false.
After: Dev key requires BOTH DEBUG=true AND explicit DEV_API_KEY env var.

Technical Changes

New Helper Functions (main.py)

def get_repo_or_404(repo_id: str, user_id: str) -> dict
def verify_repo_access(repo_id: str, user_id: str) -> None

New Supabase Methods

  • list_repositories_for_user(user_id)
  • get_repository_with_owner(repo_id, user_id)
  • verify_repo_ownership(repo_id, user_id)

Security Design Decisions

  • Returns 404 instead of 403 to avoid leaking repo existence
  • All ownership checks happen at the start of each endpoint
  • WebSocket connections validated before accept()

Testing

  • User A cannot see User B's repos
  • User A cannot index User B's repos
  • User A cannot search in User B's repos
  • Dev API key doesn't work without DEBUG=true AND DEV_API_KEY set

Closes #7, Closes #8

@DevanshuNEU
security: Fix multi-tenancy and ownership verification (#7, #8)
9c80728 
CRITICAL SECURITY FIXES:

1. Multi-tenancy isolation (Issue #7):
   - GET /api/repos now only returns user's own repositories
   - Added verify_repo_ownership() and get_repo_or_404() helpers
   - All repo-specific endpoints now verify ownership:
     * POST /api/repos/{id}/index
     * GET /api/repos/{id}/dependencies
     * POST /api/repos/{id}/impact
     * GET /api/repos/{id}/insights
     * GET /api/repos/{id}/style-analysis
     * POST /api/search
     * POST /api/explain
     * WebSocket /ws/index/{id}
   - Returns 404 (not 403) to not leak repo existence

2. Hardcoded API key removal (Issue #8):
   - Removed default 'dev-secret-key' fallback
   - Dev key now requires BOTH DEBUG=true AND explicit DEV_API_KEY env var
   - Production environments cannot accidentally use dev keys

3. New Supabase methods:
   - list_repositories_for_user(user_id)
   - get_repository_with_owner(repo_id, user_id)
   - verify_repo_ownership(repo_id, user_id)

4. New RepoManager methods:
   - list_repos_for_user(user_id)
   - get_repo_for_user(repo_id, user_id)
   - verify_ownership(repo_id, user_id)

Closes #7, Closes #8
@DevanshuNEU
test: Add comprehensive multi-tenancy security tests
4120520 
Tests for Issue #7 (multi-tenancy) and #8 (hardcoded API key):

1. SupabaseService ownership methods:
   - list_repositories_for_user filters by user_id
   - get_repository_with_owner requires both repo_id and user_id
   - verify_repo_ownership returns bool

2. RepoManager delegation tests:
   - list_repos_for_user delegates to supabase
   - verify_ownership delegates to supabase

3. Security helper tests:
   - get_repo_or_404 raises 404 for unauthorized access
   - get_repo_or_404 returns repo for owner
   - verify_repo_access raises 404 for unauthorized

4. Dev API key security tests:
   - Dev key fails without DEBUG=true
   - Dev key fails without explicit DEV_API_KEY env var
   - Dev key works with both DEBUG=true AND DEV_API_KEY
   - Wrong dev key fails even in DEBUG mode

5. Info leakage prevention tests:
   - Non-existent and unauthorized repos get identical 404

6. Integration tests (code inspection):
   - list_repositories uses user-filtered method
   - All repo endpoints use ownership verification
   - search endpoint verifies repo ownership
   - explain endpoint verifies repo ownership

All 18 tests passing.
@vercel

vercel Bot commented Dec 5, 2025

Copy link
Copy Markdown

@DevanshuNEU is attempting to deploy a commit to the Dev's projects Team on Vercel.

A member of the Team first needs to authorize it.

@vercel

vercel Bot commented Dec 5, 2025
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
opencodeintel Ready Ready Preview Comment Dec 5, 2025 7:03am

@DevanshuNEU
fix: Update test fixtures to work with new auth
e26f759 
- Add client_no_auth fixture for testing auth behavior
- client fixture now bypasses auth for functional tests
- Update test assertions to handle 404 from ownership checks
- Simplify mock-based tests to signature verification
- All 49 tests passing
@DevanshuNEU DevanshuNEU merged commit 047dc32 into OpenCodeIntel:main Dec 5, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[SECURITY] Remove hardcoded default API key [SECURITY] Users can see all repositories (broken multi-tenancy)

1 participant

@DevanshuNEU