[Security] Prevent privilege escalation via arbitrary role assignment in signup

[kingksjo]

Domain: Identity

---

Issue [Security] Prevent privilege escalation via arbitrary role assignment in signup

Tier: 🔴 Hard

Description:

• Problem: src/modules/auth/auth.validation.ts line 8 allows the role field in the signup request body to be any value from the enum ['SUPER_ADMIN', 'ADMIN', 'MANAGER', 'VIEWER', 'CUSTOMER']. Since the signup endpoint is unauthenticated, any anonymous user can self-assign SUPER_ADMIN or ADMIN roles during registration, granting themselves full system access. This is a critical privilege escalation vulnerability.
• Implementation: Remove the role field from SignupBodySchema entirely, or restrict it to only CUSTOMER / VIEWER. The signup service should assign a safe default role (e.g., VIEWER or CUSTOMER). Admin and manager roles should only be assignable by authenticated admins via the user management or invitation endpoints. If the business requires org-creator roles, implement a separate "create organization" flow with controlled role assignment.

Dependencies:

• Depends on None

Acceptance Criteria:

• SignupBodySchema does not accept SUPER_ADMIN, ADMIN, or MANAGER as role values.
• Signup service assigns a safe default role when no role is provided.
• Existing admin-only user creation endpoints (POST /users, invitations) retain full role assignment capability.
• Proper HTTP status codes and our standard JSON response wrapper are used.
• Edge cases (e.g., missing data, unauthorized roles) are handled gracefully.

Testing Requirements:

• Add test: signup with role: 'SUPER_ADMIN' returns 400 validation error.
• Add test: signup without role field assigns default role.
• Verify admin user creation endpoint still allows all roles.
• Unit tests written for the core logic (target 80%+ coverage).
• External API calls or database connections are mocked in unit tests.
• Postman collection or Swagger spec updated (if this adds/modifies an endpoint).

PR Checklist:

• Branch is named conventionally (e.g., security/issue-45-prevent-role-escalation).
• npm run lint and npm run build pass with zero warnings.
• Screenshot of passing Jest terminal logs is attached to the PR.
• Database migrations/seed scripts updated (if applicable).

[spiffamani]

@spiffamani has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hey,

I'm a full-stack Software Engineer with 3 years of experience and a background in Blockchain development. I'm relatively new to open-source but I pick things up fast and I'm genuinely interested in this issue.
My main stack is React, TypeScript and Next.js on the frontend — I focus on clean component architecture, responsive design and performance. On the backend I work with Node.js, Java and Rust, handling everything from API design to database modeling.
A few things I've built:

https://www.zendvo.com/
https://cleanrest.vercel.app/

I'm comfortable jumping into an existing codebase, following conventions and shipping clean, maintainable code. My GitHub shows the kind of work I do better than I can describe it.
I'd love to take this on — thanks for considering me.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @spiffamani to this issue.

[Clinton6801]

@Clinton6801 has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hello, I'd love to work on this project

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Clinton6801 to this issue.

[Abdullahi-Code9]

@Abdullahi-Code9 has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

I would like to work on this

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Abdullahi-Code9 to this issue.