⚠️ Potential issue | 🟠 Major
Executive summary and report endpoints don’t enforce investigation ownership.
The reporting endpoints:
- `POST /forensics/investigations/:id/generate-summary`
- `POST /forensics/investigations/:id/reports`
- `GET /forensics/investigations/:id/reports`
all:
- Are unauthenticated.
- Use only the path `:id` to scope operations, without confirming that the investigation belongs to the caller.
- For creation routes, accept `req.body` directly (no Zod validation), despite the presence of `insertForensicReportSchema`.
For a forensic/reporting system, these should:
- Require auth.
- Verify investigation ownership before generating/creating/fetching reports.
- Validate report creation payloads via `insertForensicReportSchema` and return 400s on invalid data.
Based on learnings, forensic reports should be both tenant‑scoped and schema‑validated for defensibility.
Originally posted by @coderabbitai[bot] in #5 (comment)
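The three controls the review asks for (authentication, investigation ownership, and payload validation before insert), shown as an added example that is not the project's code. It is written as Express-style `(req, res, next)` handlers with a tiny in-memory runner so it executes under plain Node with no dependencies; the names `investigations`, `forensicReports`, `requireAuth`, `requireInvestigationOwnership`, and the report field names (`title`, `findings`) are assumptions, and a hand-rolled check stands in for the project's `insertForensicReportSchema` (Zod) so the block runs offline.

```javascript
// Added example, not the project's code. Assumed names: investigations,
// forensicReports, requireAuth, requireInvestigationOwnership; the real
// insertForensicReportSchema (Zod) is replaced by validateReportBody below.

// Constructed in-memory data: two tenants, one investigation each.
const investigations = new Map([
  ['inv-1', { id: 'inv-1', ownerId: 'user-a' }],
  ['inv-2', { id: 'inv-2', ownerId: 'user-b' }],
]);
const forensicReports = []; // { id, investigationId, title, findings }

// Minimal response object so handlers can be exercised without Express.
function makeRes() {
  return {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
}

// Runs a middleware chain the way Express does: each handler calls next() to
// continue; a handler that responds without calling next() ends the chain.
function run(handlers, req) {
  const res = makeRes();
  let i = 0;
  const next = () => { const h = handlers[i++]; if (h) h(req, res, next); };
  next();
  return res;
}

// Control 1: require an authenticated caller. An upstream session/JWT layer is
// assumed to populate req.user; in this example it is a field on the request.
function requireAuth(req, res, next) {
  if (!req.user || !req.user.id) return res.status(401).json({ error: 'unauthenticated' });
  next();
}

// Control 2: the investigation named by :id must belong to the caller.
// 404 rather than 403 avoids confirming that another tenant's id exists.
function requireInvestigationOwnership(req, res, next) {
  const inv = investigations.get(req.params.id);
  if (!inv || inv.ownerId !== req.user.id) return res.status(404).json({ error: 'not found' });
  req.investigation = inv;
  next();
}

// Control 3: validate the body before anything reaches storage. Stand-in for
// insertForensicReportSchema; returns a list of validation errors (empty = ok).
function validateReportBody(body) {
  if (typeof body !== 'object' || body === null) return ['body must be an object'];
  const errors = [];
  if (typeof body.title !== 'string' || body.title.trim() === '') errors.push('title required');
  if (!Array.isArray(body.findings) || !body.findings.every((f) => typeof f === 'string')) {
    errors.push('findings must be string[]');
  }
  // The investigation id is taken from the verified path, never from the body.
  if ('investigationId' in body) errors.push('investigationId is derived from the path');
  return errors;
}

function createReport(req, res) {
  const errors = validateReportBody(req.body);
  if (errors.length) return res.status(400).json({ errors });
  const report = {
    id: `rep-${forensicReports.length + 1}`,
    investigationId: req.investigation.id, // scoped to the owned investigation
    title: req.body.title,
    findings: req.body.findings,
  };
  forensicReports.push(report);
  return res.status(201).json(report);
}

function listReports(req, res) {
  return res.status(200).json(forensicReports.filter((r) => r.investigationId === req.investigation.id));
}

function generateSummary(req, res) {
  const own = forensicReports.filter((r) => r.investigationId === req.investigation.id);
  return res.status(200).json({ investigationId: req.investigation.id, reportCount: own.length });
}

// Route table mirroring the three endpoints from the review; every route runs
// auth and ownership checks before its handler.
const routes = {
  'POST /forensics/investigations/:id/generate-summary': [requireAuth, requireInvestigationOwnership, generateSummary],
  'POST /forensics/investigations/:id/reports': [requireAuth, requireInvestigationOwnership, createReport],
  'GET /forensics/investigations/:id/reports': [requireAuth, requireInvestigationOwnership, listReports],
};

function handle(route, req) { return run(routes[route], req); }
```

With the real stack, `validateReportBody` becomes `insertForensicReportSchema.safeParse(req.body)` and the two middleware functions are mounted once on the `/forensics/investigations/:id` router, so a new report route cannot be added without inheriting the checks.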