_⚠️ Potential issue_ | _🟠 Major_ #11

@chitcommit

Description

⚠️ Potential issue | 🟠 Major

Missing authorization check: verify user owns the investigation.

The route fetches an investigation by ID without verifying that it belongs to the requesting user. This could allow users to access other users' forensic investigations.

   api.get("/forensics/investigations/:id", async (req: Request, res: Response) => {
     try {
+      const user = await storage.getUserByUsername("demo");
+      if (!user) {
+        return res.status(404).json({ message: "User not found" });
+      }
+
       const investigationId = parseInt(req.params.id);
       if (isNaN(investigationId)) {
         return res.status(400).json({ message: "Invalid investigation ID" });
       }

       const investigation = await getInvestigation(investigationId);
       if (!investigation) {
         return res.status(404).json({ message: "Investigation not found" });
       }

+      if (investigation.userId !== user.id) {
+        return res.status(403).json({ message: "Access denied" });
+      }
+
       res.json(investigation);
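Review bot: the added `const user = await storage.getUserByUsername("demo");` pins the check to one hardcoded account, so `investigation.userId !== user.id` compares every request against the demo user instead of the requester and does not enforce per-user ownership; take the identity from the authenticated session (the issue text itself names `req.user.id` / `req.auth.userId`) and answer a missing identity with 401 rather than the 404 "User not found" shown. The excerpt also ends after `res.json(investigation);` with the `try` still open, so keep the route's existing `catch` that returns 500 when this is applied.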

This pattern should be applied to all investigation-specific routes (status update, evidence, analysis, reports, etc.).

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In server/routes.ts around lines 518-536, the route returns an investigation by
ID without checking that the requesting user owns it; retrieve the authenticated
user ID (e.g. req.user.id or req.auth.userId from your auth middleware), compare
it to the investigation's owner/userId after getInvestigation(investigationId),
and if they differ respond with 403 Forbidden and an explanatory message; keep
the existing 400/404/500 handling and short-circuit before returning the
investigation, and apply the same ownership check pattern to all other
investigation-specific routes (status updates, evidence, analysis, reports,
etc.).

Originally posted by @coderabbitai[bot] in #5 (comment)
