fix: apply showMemberMiddleware to flowsheet write routes#187
Open
jakebromberg wants to merge 5 commits intomainfrom
Open
fix: apply showMemberMiddleware to flowsheet write routes#187jakebromberg wants to merge 5 commits intomainfrom
jakebromberg wants to merge 5 commits intomainfrom
Conversation
jakebromberg
force-pushed
the
fix/10-apply-show-member-middleware
branch
from
0f349db to
f392fe2
Compare
AyBruno
requested changes
Mar 9, 2026
Collaborator
AyBruno
left a comment
AyBruno
left a comment
There was a problem hiding this comment.
Looks good! This actually wasn't a bug that we weren't using this yet. I wrote it around the time that we were deciding to leave aws cognito and as I has implemented it for our cognito auth specifically, I never hooked it up. Now that we've settled on better-auth, this is a good improvement to clear out some code duplication.
That being said! This PR should include removal of showMember checks within the flowsheet controllers that are preexisting.
Example: https://github.com/WXYC/Backend-Service/blob/main/apps/backend/controllers/flowsheet.controller.ts#L357-L361
The middleware was imported but never applied, allowing any authenticated DJ to modify flowsheet entries regardless of show membership. Co-authored-by: Cursor <cursoragent@cursor.com>
…inline check Adds showMemberMiddleware to the remaining flowsheet write routes and removes the redundant DJ-in-show check from leaveShow since the middleware now handles it.
jakebromberg
force-pushed
the
fix/10-apply-show-member-middleware
branch
from
a002084 to
045d898
Compare
added 2 commits
March 9, 2026 23:55
When AUTH_BYPASS=true, requirePermissions skips JWT verification and never populates req.auth. The showMemberMiddleware then fails to identify the user and returns 400 for every request. Adding an AUTH_BYPASS early return fixes integration tests.
The service's guard clause threw a plain Error (500) when a DJ wasn't in the show. With AUTH_BYPASS=true the showMemberMiddleware is skipped, so this code path is reachable during integration tests. Using WxycError returns the proper 400 status.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
showMemberMiddlewarewas imported inapps/backend/app.tsbut never applied to any route, allowing any authenticated DJ to modify flowsheet entries even without joining the active show.showMemberMiddlewareafterrequirePermissionson the POST, PATCH, and DELETE flowsheet routes inflowsheet.route.ts. Removed the unused import fromapp.ts..filter().lengthto.some().Test plan
showMemberMiddlewarecovering:next()Fixes #10
Made with Cursor