
@nimish-ks

🔍 Overview

Enforce authorization checks for Integration Credential retrieval in GraphQL.

💡 Proposed Changes

Updated the resolve_credentials method within the ProviderCredentialsType GraphQL resolver to validate that the requesting user has the necessary permissions before returning decrypted third-party credentials (e.g., AWS keys, GitHub tokens).

Previously, the resolver returned credentials for any ProviderCredentials object found by ID without verifying the caller's organization-level permissions for the IntegrationCredentials resource. The fix now explicitly calls user_has_permission(info.context.user, "read", "IntegrationCredentials", self.organisation).

This addresses security finding V2 from the Kolega.dev report.

📝 Release Notes

  • Security Hardening: Enforced organization-level permission checks for retrieving integration credentials via GraphQL.
  • Finding Ref: V2
  • Severity: Medium (Disputed from Critical)

➕ Additional Context

Severity Dispute

The original report flagged this finding as Critical. However, the practical severity is assessed as Medium for the following reasons:

  1. Authentication Requirement: Accessing this resolver requires a valid, authenticated session.
  2. UUID Complexity: ProviderCredentials use Version 4 UUIDs. These are non-enumerable and have high entropy, making it practically impossible for an attacker to guess the ID of credentials belonging to another organization.
  3. Internal Context: The underlying utility get_credentials remains restricted to backend use, and this change specifically patches the client-facing GraphQL entry point to ensure proper access control.

Finding reported by kolega.dev.

🧪 Testing

  • Logged in as a user with access to Organization A.
  • Attempted to query the credentials field for a ProviderCredentials object belonging to Organization B (using a known ID).
  • Verified that the resolver now returns null (or raises an error depending on schema configuration) instead of the decrypted credential object.
  • Confirmed that users with correct permissions can still retrieve their own organization's credentials.

💚 Did You...

  • Ensure linting passes (code style checks)?
  • Verify the app builds locally?
  • Manually test the changes?

Implemented a permission check in the resolve_credentials method of ProviderCredentialsType to ensure that only authorized users can access integration credentials based on their organization.
…tations

Implemented a check in multiple sync mutation classes to ensure that the provided credentials belong to the correct organization, raising an error if they do not. This enhances security by preventing unauthorized access to resources.
…multiple resolvers

Enhanced security by implementing permission checks in the resolvers for Cloudflare, AWS, GitHub, and GitLab credentials. Users must now have the appropriate permissions to access integration credentials based on their organization, raising an error if they do not.
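The two checks described in this PR, the resolver-level permission check from the description and the organisation check in the sync mutations from the commit messages, modelled as an added example that is not code from the Phase repository. Every class and helper below is constructed for the example: the in-memory grants table, the stand-in user_has_permission (the project's helper of the same name is implemented differently), the Info/Context stand-ins for graphene's ResolveInfo, and the toy decrypt routine. The demo function replays the PR's testing section: a member of Organisation A queries Organisation B's credentials by a known ID.

```python
# Added example, not code from the Phase repository: a minimal in-memory model
# of the resolver permission check and the mutation organisation check.
# Every class and helper here, including user_has_permission, is constructed.
from dataclasses import dataclass, field
import uuid


@dataclass(frozen=True)
class Organisation:
    id: str
    name: str


@dataclass
class User:
    email: str
    # organisation id -> set of (action, resource) tuples (constructed grants table)
    grants: dict = field(default_factory=dict)


@dataclass(frozen=True)
class ProviderCredentials:
    id: str
    organisation: Organisation
    encrypted_blob: str  # constructed stand-in for the stored ciphertext


@dataclass
class Context:
    user: User


@dataclass
class Info:
    """Stand-in for graphene's ResolveInfo: only .context is used."""
    context: Context


def decrypt(blob: str) -> dict:
    # Constructed stand-in for the real decryption routine.
    return {"secret": blob.removeprefix("enc:")}


def user_has_permission(user: User, action: str, resource: str, organisation: Organisation) -> bool:
    # Stand-in for the project's helper of the same name: true when the caller
    # holds a grant for (action, resource) in that organisation.
    return (action, resource) in user.grants.get(organisation.id, set())


# Constructed store keyed by a version-4 UUID, as in the PR's severity note.
STORE: dict = {}


def add_credentials(org: Organisation, plaintext: str) -> ProviderCredentials:
    creds = ProviderCredentials(str(uuid.uuid4()), org, "enc:" + plaintext)
    STORE[creds.id] = creds
    return creds


def resolve_credentials_before(creds: ProviderCredentials, info: Info):
    # Pre-fix behaviour: any authenticated caller who knows the ID gets plaintext.
    return decrypt(creds.encrypted_blob)


def resolve_credentials_after(creds: ProviderCredentials, info: Info):
    # Post-fix behaviour: organisation-level permission check first. The PR
    # notes the field returns null (or errors, depending on schema) when denied.
    if not user_has_permission(info.context.user, "read", "IntegrationCredentials", creds.organisation):
        return None
    return decrypt(creds.encrypted_blob)


def create_sync(credential_id: str, organisation: Organisation) -> dict:
    # Mutation-side check from the commit messages: the credentials named in
    # the request must belong to the organisation the sync is created in.
    creds = STORE[credential_id]
    if creds.organisation != organisation:
        raise PermissionError("Credentials do not belong to this organisation")
    return {"organisation": organisation.id, "credential_id": credential_id}


def demo() -> dict:
    # Replays the PR's testing section with constructed data.
    org_a, org_b = Organisation("org-a", "A"), Organisation("org-b", "B")
    own = add_credentials(org_a, "aws-key-A")
    other = add_credentials(org_b, "aws-key-B")
    alice = User("alice@example.com", {"org-a": {("read", "IntegrationCredentials")}})
    info = Info(Context(alice))
    result = {
        "before_leaks_other_org": resolve_credentials_before(other, info) is not None,
        "after_blocks_other_org": resolve_credentials_after(other, info) is None,
        "after_allows_own_org": resolve_credentials_after(own, info)["secret"] == "aws-key-A",
    }
    try:
        create_sync(other.id, org_a)
        result["sync_rejects_foreign_creds"] = False
    except PermissionError:
        result["sync_rejects_foreign_creds"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that the lookup by ID succeeds in both versions; what changes is that the decrypted value is only released after the caller's permission for the object's own organisation is checked, and that the mutation path compares the credential's organisation against the organisation of the request rather than trusting the supplied ID.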
@nimish-ks nimish-ks self-assigned this Jan 8, 2026
@nimish-ks nimish-ks added the bug Something isn't working label Jan 8, 2026
Copilot AI left a comment

Pull request overview

This PR addresses a security vulnerability (Finding V2) by adding authorization checks before allowing access to third-party integration credentials (AWS keys, GitHub tokens, etc.) through GraphQL resolvers. The fix ensures that users have proper permissions before retrieving or using sensitive credential data.

Key Changes:

  • Added user_has_permission checks to credential field resolvers and query resolvers
  • Added organization validation to sync creation mutations
  • Enforces "read" permission for "IntegrationCredentials" resource before exposing credential data

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 10 comments.

Reviewed files:

  • backend/backend/graphene/types.py: Added permission check to resolve_credentials field resolver, returning None when unauthorized
  • backend/backend/graphene/queries/syncing.py: Added permission checks to query resolvers that retrieve credentials for Cloudflare Pages, AWS Secrets Manager, GitHub repos, and GitLab projects
  • backend/backend/graphene/mutations/syncing.py: Added organization membership validation to sync creation mutations for various providers (AWS, GitLab, GitHub, Cloudflare, etc.)


@rohan-chaturvedi rohan-chaturvedi merged commit f27b20f into main Jan 9, 2026
7 checks passed
@rohan-chaturvedi rohan-chaturvedi deleted the fix--add-user-auth-check-third-party-service-credentials branch January 9, 2026 09:14