Skip to content

collab changes#1

Open
szilagyib wants to merge 2 commits intomasterfrom
collab-changes
Open

collab changes#1
szilagyib wants to merge 2 commits intomasterfrom
collab-changes

Conversation

@szilagyib
Copy link
Copy Markdown
Owner

@szilagyib szilagyib commented Feb 13, 2026

  • chore: preexisting changes
  • feat: team collaboration foundation

szilagyib

This comment was marked as duplicate.

Sign in to view

@szilagyib
Copy link
Copy Markdown
Owner Author

szilagyib commented Feb 13, 2026

Review findings (clean copy):

  1. Critical: WebSocket auth can be bypassed by user impersonation
  • File: packages/backend/src/routes/collab.routes.ts:12
  • GET /yjs/:diagramId does not use authenticate, and trusts userId from query/header (:14, :15).
  • Any client can claim another user ID and inherit that user's project access.
  1. Critical: Cross-project authorization bypass on diagram endpoints
  • File: packages/backend/src/routes/diagram.routes.ts
  • Access is checked against URL :projectId, but handlers operate on diagramId without verifying ownership (:40, :97, :136, :166, :192).
  • A user with access to project A can target a diagram from project B by passing B's diagramId and A's projectId.
  1. High: Team data disclosure to non-members
  • Files: packages/backend/src/routes/team.routes.ts:24, packages/backend/src/services/team.service.ts:36
  • GET /api/teams/:teamId only requires authentication and returns member identities/emails, without membership check.
  1. High: Lockfile/dependency graph is out of sync with package manifests
  • Files: packages/backend/package.json, packages/frontend/package.json, package-lock.json:10350, package-lock.json:10381
  • y-websocket/yjs were added to workspace package.json files but are absent from lockfile workspace entries.
  • This produces concrete breakage: npm run typecheck and npm run test:unit fail with missing module y-websocket/bin/utils.js.
  1. Medium: Frontend unit test mock no longer matches registry API
  • Files: packages/frontend/src/diagram-types/registry.ts:79, packages/frontend/tests/unit/stores/diagramStore.test.ts:10
  • Registry expects createNode, but mocked module only exports createNewState/createNewTransition, causing test failure.

Validation run:

  • npm run test:unit failed (issues above).
  • npm run typecheck failed (issues above).
  • npm run db:generate could not complete in this environment due blocked Prisma engine download, so post-generate typing could not be re-verified here.

Testing gap:

  • No focused API authorization tests were observed for impersonation and project/diagram ID mismatch paths.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@szilagyib