
fix(auth): add auth + org ownership check to public events endpoint#3040

Open
0xcucumbersalad wants to merge 2 commits into decocms:main from 0xcucumbersalad:fix/authz-vuln-05-unauthenticated-event-injection

Conversation


@0xcucumbersalad 0xcucumbersalad commented Apr 7, 2026

Summary

  • AUTHZ-VULN-05: POST /org/:organizationId/events/:type had zero authentication — any unauthenticated request could inject events (including persistent cron events) into any organization's event bus
  • Adds auth check (401 for unauthenticated) and org ownership verification (403 when the URL org doesn't match the caller's org), matching the pattern already used by the adjacent /org/:organizationId/watch endpoint
  • Adds 5 regression tests covering: unauthenticated requests, cross-tenant access, org-less API keys, cron injection from wrong org, and legitimate same-org publish

Test plan

  • bun test apps/mesh/src/api/routes/public-events.test.ts — 5/5 pass
  • bun run lint — passes
  • bun run fmt — passes

🤖 Generated with Claude Code


Summary by cubic

Locks down POST /org/:organizationId/events/:type with auth and org-ownership checks to stop unauthenticated or cross-tenant event injection (AUTHZ-VULN-05). Returns 401 when unauthenticated and 403 when the org does not match.

  • Bug Fixes
    • Require auth (user session or API key) for the events endpoint (401 on failure).
    • Enforce organization ownership by matching :organizationId to the caller’s org (403 on mismatch).
    • Align authorization with /org/:organizationId/watch.
    • Add 5 tests: unauthenticated, cross-tenant, org-less API key, cross-org cron injection, same-org publish.

Written for commit 6d8ff9d. Summary will update on new commits.

The POST /org/:organizationId/events/:type endpoint had no
authentication gate, allowing unauthenticated cross-tenant event
injection including persistent cron events. Adds the same auth + org
ownership pattern used by the adjacent watch endpoint.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

github-actions bot commented Apr 7, 2026

🧪 Benchmark

Should we run the Virtual MCP strategy benchmark for this PR?

React with 👍 to run the benchmark.

Reaction Action
👍 Run quick benchmark (10 & 128 tools)

Benchmark will run on the next push after you react.


github-actions bot commented Apr 7, 2026

Release Options

Suggested: Patch (2.244.1) — based on fix: prefix

React with an emoji to override the release type:

Reaction Type Next Version
👍 Prerelease 2.244.1-alpha.1
🎉 Patch 2.244.1
❤️ Minor 2.245.0
🚀 Major 3.0.0

Current version: 2.244.0

Note: If multiple reactions exist, the smallest bump wins. If no reactions, the suggested bump is used (default: patch).


@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 2 files
