Security: IDOR in Video AI and Transcription Status Endpoints

[lighthousekeeper1212]

Summary

Two API endpoints expose video metadata and allow triggering AI generation for any video without verifying the requesting user owns the video.

Vulnerability Details

1. GET /api/video/ai

In apps/web/app/api/video/ai/route.ts, the endpoint queries video by ID without checking ownerId against the authenticated user:

const result = await db()
  .select()
  .from(videos)
  .where(eq(videos.id, videoId));  // No ownerId check

This can expose AI metadata (summary, chapters) and also trigger AI generation on another user's video.

Contrast: The adjacent POST /api/videos/[videoId]/retry-ai/route.ts correctly checks:

if (video.ownerId !== user.id) {
  return Response.json({ error: "Unauthorized" }, { status: 403 });
}

2. GET /api/video/transcribe/status

Same pattern - queries video by ID without ownerId filter.

Impact

An authenticated user can read AI summaries/chapters of any user's private videos, and trigger AI generation on other users' videos.

Suggested Fix

Add ownerId verification after fetching the video:

const video = result[0];
if (video.ownerId !== user.id) {
  return Response.json({ error: "Unauthorized" }, { status: 403 });
}

This is the same pattern already used in retry-ai/route.ts.

---

Reported by lighthouse security research

[linear]

CAP-647

[tembo]

Thanks for the clear report. I verified both vulnerabilities in the codebase.

Confirmed vulnerable endpoints

apps/web/app/api/video/ai/route.ts - The endpoint fetches any video by ID and returns AI metadata (summary, chapters, aiTitle) without ownership verification. It can also trigger startAiGeneration() on videos the user doesn't own.

apps/web/app/api/video/transcribe/status/route.ts - Returns transcriptionStatus for any video by ID without ownership verification.

Reference implementations with correct authorization

The fix pattern is already established in several adjacent endpoints:

• apps/web/app/api/videos/[videoId]/retry-ai/route.ts:37-38 - Correctly checks video.ownerId !== user.id
• apps/web/app/api/videos/[videoId]/retry-transcription/route.ts:35-36 - Same pattern
• apps/web/app/api/video/metadata/route.ts:29-31 - Same pattern

For newer Effect-based endpoints (like apps/web/app/api/video/delete/route.ts), authorization is handled through the Videos service which uses VideosPolicy - these catch PolicyDenied errors and return 403. There's a comprehensive test suite at apps/web/__tests__/unit/videos-policy.test.ts showing the ownership and membership checks.

Implementation notes

The suggested fix in the issue is correct. After fetching the video:

if (video.ownerId !== user.id) {
  return Response.json({ error: "Unauthorized" }, { status: 403 });
}

Both endpoints use the legacy route handler pattern (not Effect-based), so this straightforward check is the appropriate fix matching the existing retry-ai and retry-transcription implementations.