fix(auth): prevent cross-tenant connection enumeration via OAuth metadata endpoints#3060
Open
0xcucumbersalad wants to merge 1 commit intodecocms:mainfrom
Conversation
…data endpoints The OAuth discovery endpoints (/.well-known/oauth-protected-resource) called findById without org scoping, and returned distinct status codes (404 vs 502) that revealed whether a connection existed. Fixes both: - Passes organization ID to findById when auth context is available - Normalizes error responses to 404 for both "not found" and "proxy failed" to eliminate the enumeration oracle Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
🧪 BenchmarkShould we run the Virtual MCP strategy benchmark for this PR? React with 👍 to run the benchmark.
Benchmark will run on the next push after you react. |
Contributor
Release OptionsSuggested: Patch ( React with an emoji to override the release type:
Current version:
|
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
/.well-known/oauth-protected-resource/mcp/:connectionId) performed unscopedfindByIdand returned distinct 404/502 status codes, creating an unauthenticated connection existence oraclectx.organization?.idtofindByIdso connection lookups are org-scoped when auth context is available/.well-known/oauth-authorization-server/oauth-proxy/:connectionId)Test plan
bun test apps/mesh/src/api/routes/oauth-proxy.test.ts— 26/26 passbun run lint— passesbun run fmt— passes🤖 Generated with Claude Code
Summary by cubic
Prevents cross-tenant connection enumeration by scoping OAuth discovery lookups to the organization and normalizing errors to a single 404 response.
ctx.organization?.idtofindByIdso connection lookups are org-scoped./.well-known/oauth-protected-resource/mcp/:connectionIdand/.well-known/oauth-authorization-server/oauth-proxy/:connectionId.Written for commit 60911bd. Summary will update on new commits.