Security: Cross-Organization Project Creation IDOR (CWE-639)

[overcut-ai]

Security: Cross-Organization Project Creation IDOR (CWE-639)

Overview

This PR implements Security: Cross-Organization Project Creation IDOR (CWE-639) based on the approved design document.

Issue: #343

Implementation Summary

Phase 1: Update resolver method signature for authenticated user context

• Updated createProject in apps/server/src/app/identity/projects.resolver.ts to accept @CurrentUser() user: RequestUser while preserving the existing @Args('data') data: CreateProjectInput.
• Kept resolver guard structure and behavior unchanged.
• Commit: fa89da7

Phase 2: Enforce organization membership before project creation

• Added isOrgMemberOrThrow(user, data.organizationId) at the start of createProject.
• Authorization now executes before slug generation, slug uniqueness checks, and project creation.
• Commit: aecc693

Phase 3: Preserve existing creation flow and scope

• Verified existing create flow remained intact: slugify, getProjectBySlug, createProject, and analytics tracking.
• Scope remained limited to resolver area as planned.
• Commit: 73714d0

Tests Added

• Added apps/server/src/app/identity/projects.resolver.spec.ts with 3 focused createProject tests:
  • verifies isOrgMemberOrThrow(user, data.organizationId) is called
  • verifies unauthorized path throws and short-circuits before slug/service/analytics calls
  • verifies authorized path preserves existing create flow (slug lookup, create call, analytics, return value)
• Test Commit: bf2c202

Testing

• ✅ Comprehensive tests written for new authorization behavior and flow integrity
• ✅ All tests passing (npx nx test server --testPathPattern=projects.resolver.spec.ts)
• ✅ Coverage includes both authorized and unauthorized paths

Validation

• ✅ Lint checks passed (npx nx run-many --target=lint --all)
• ✅ Format checks passed (npx nx format:check / npx nx format:write)
• ✅ Code quality verified; no additional validation fixes required

Files Changed

• Total Commits: 4
• Implementation Commits: 3
• Test Commit: 1
• Validation Commit: 0 (validation completed with no additional commit required)

Review Notes

• Root cause addressed by enforcing org membership directly in createProject, aligning it with existing sibling resolver authorization patterns.
• Authorization check is intentionally placed before all business logic to prevent unauthorized side effects.
• Change is scoped and low-risk, with focused tests covering regression and expected flow.

---

Implementation complete and ready for review.

[overcut-ai]

🔧 Implementation Progress

Implementing the following phases:

• [PHASE-1] Update resolver method signature for authenticated user context (fa89da7)
• [PHASE-2] Enforce organization membership before project creation (aecc693)
• [PHASE-3] Preserve existing creation flow and scope (73714d0)

---

This comment will be updated as phases are completed.

[overcut-ai]

CI Failure Requires Manual Intervention

The failed run appears to be a CI/infrastructure issue, not a code defect on this branch.

• Run: Continuous Integration — https://github.com/pezzolabs/pezzo/actions/runs/23753602542
• The job is marked failed, but logs are unavailable:
  • Per-job logs returned 404 ... BlobNotFound
  • Full run logs returned [Logs expired or unavailable]
  • Job step details are empty (steps: [])

Because no actionable stderr/stdout is available, the specific failing command cannot be identified from this run. This requires manual CI investigation/intervention (e.g., re-running the workflow to regenerate logs and then diagnosing the actual failing step).

[overcut-ai]

CI Fix Status: Cannot Apply Code Fix

The failed CI run appears to be caused by a CI/logging infrastructure issue rather than a code defect on this branch.

Failed CI Run: Continuous Integration — https://github.com/pezzolabs/pezzo/actions/runs/23753626894

Root Cause from Analysis

• The run is marked as failed, but job logs are unavailable/expired.
• Attempts to fetch logs returned infrastructure errors:
  • 404 The specified blob does not exist
  • BlobNotFound
• Full run logs also report logs as expired/unavailable.

Because there is no retrievable command output, stack trace, or failing test/build step, there is no actionable code-level fix to apply safely.

Required Manual Intervention

Please re-run the workflow (or regenerate logs/artifacts) so concrete failure output is available. Once logs are accessible, I can apply a targeted code fix if needed.

[overcut-ai]

CI Fix Applied

Failed CI Run: Continuous Integration — https://github.com/pezzolabs/pezzo/actions/runs/23754001669

Changes Made

• Updated ProjectsResolver.createProject to consistently use destructured organizationId/name locals for authorization check, slug generation input, and service calls.
• Fixed resolver unit test fixture shape to match RequestUser organization membership structure (orgMemberships + organizationId), preventing mismatch with identity authorization utilities.

Files Modified

• apps/server/src/app/identity/projects.resolver.ts
• apps/server/src/app/identity/projects.resolver.spec.ts

[overcut-ai]

CI Infrastructure Issue Detected

The failed CI run appears to be caused by a CI/infrastructure problem, not by code changes on this branch.

Summary

• Run: Continuous Integration — https://github.com/pezzolabs/pezzo/actions/runs/23754370812
• The workflow failed extremely early (~3 seconds), before normal project validation steps (format/lint/test/build) would run.
• Logs are unavailable/expired (BlobNotFound / [Logs expired or unavailable]), so there is no retrievable step-level error output.
• The PR changes are limited to application resolver/spec files and do not affect CI bootstrap behavior.

Root Cause (from analysis)

• This failure is most consistent with a runner/workflow infrastructure issue or log artifact availability issue, not a branch code defect.

Action Needed

This requires manual CI investigation/intervention (workflow environment/runner/log retrieval), rather than code changes in this PR.