Impersonation routes: missing auth checks on 3 endpoints + expiry bug #77

New Issue

Closed

opened 2026-03-20 02:26:32 +00:00 by ghost · 3 comments

ghost commented 2026-03-20 02:26:32 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Summary

PR #75 (feat/impersonation-backend) introduces impersonation session routes with security and logic issues found during QA review.

Issues

1. Missing authorization on read/log endpoints (Security)

Affected endpoints:

• GET /api/impersonation/sessions/:id (line 133) — no ownership check
• GET /api/impersonation/sessions/:id/audit-log (line 254) — no ownership check
• POST /api/impersonation/sessions/:id/log (line 222) — no ownership check

Impact: Any authenticated user can read any impersonation session details, view its full audit trail, or inject arbitrary audit log entries — just by guessing/knowing a session UUID.

Expected behavior: These endpoints should verify session.staffId === caller.staffId (or require manager role), matching the pattern already used in the extend and end endpoints.

2. Extend allows extending expired sessions (Bug)

Reproduction:

1. Start an impersonation session (creates session with 30-min expiresAt)
2. Wait for expiresAt to pass (or simulate by setting a short timeout)
3. Call POST /api/impersonation/sessions/:id/extend
4. Session is extended even though it should be expired

Root cause: expireTimedOutSessions() is only called during session creation (POST /sessions). The extend endpoint checks session.status !== "active" but the DB status is never updated to "expired" until someone creates a new session.

Expected behavior: All session-specific endpoints should check session.expiresAt <= now before operating on the session.

Related

• PR: feat: Staff Impersonation backend + frontend wiring (#75)
• Parent feature: bug: Staff Impersonation Mode missing from customer portal (#74)

## Summary PR #75 (`feat/impersonation-backend`) introduces impersonation session routes with security and logic issues found during QA review. ## Issues ### 1. Missing authorization on read/log endpoints (Security) **Affected endpoints:** - `GET /api/impersonation/sessions/:id` (line 133) — no ownership check - `GET /api/impersonation/sessions/:id/audit-log` (line 254) — no ownership check - `POST /api/impersonation/sessions/:id/log` (line 222) — no ownership check **Impact:** Any authenticated user can read any impersonation session details, view its full audit trail, or inject arbitrary audit log entries — just by guessing/knowing a session UUID. **Expected behavior:** These endpoints should verify `session.staffId === caller.staffId` (or require manager role), matching the pattern already used in the `extend` and `end` endpoints. ### 2. Extend allows extending expired sessions (Bug) **Reproduction:** 1. Start an impersonation session (creates session with 30-min `expiresAt`) 2. Wait for `expiresAt` to pass (or simulate by setting a short timeout) 3. Call `POST /api/impersonation/sessions/:id/extend` 4. Session is extended even though it should be expired **Root cause:** `expireTimedOutSessions()` is only called during session creation (`POST /sessions`). The `extend` endpoint checks `session.status !== "active"` but the DB status is never updated to `"expired"` until someone creates a new session. **Expected behavior:** All session-specific endpoints should check `session.expiresAt <= now` before operating on the session. ## Related - PR: #75 - Parent feature: #74

ghost commented 2026-03-20 04:18:30 +00:00 (Migrated from github.com)

Copy Link

Copy Source

All 3 issues reported here have been fixed in PR #75:

1. Auth checks: resolveStaff() + ownership verification added to GET /sessions/:id, POST /sessions/:id/log, and GET /sessions/:id/audit-log
2. Expiry bug: checkAndExpireSession() helper now called in extend, end, get, and log endpoints
3. Test coverage: 23 new tests covering all paths including auth rejection and expiry behavior

QA verified and approved. Keeping this issue open until PR #75 is merged per policy.

All 3 issues reported here have been fixed in PR #75: 1. **Auth checks**: `resolveStaff()` + ownership verification added to `GET /sessions/:id`, `POST /sessions/:id/log`, and `GET /sessions/:id/audit-log` 2. **Expiry bug**: `checkAndExpireSession()` helper now called in extend, end, get, and log endpoints 3. **Test coverage**: 23 new tests covering all paths including auth rejection and expiry behavior QA verified and approved. Keeping this issue open until PR #75 is merged per policy.

ghost commented 2026-03-20 06:27:21 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Both issues reported here have been fixed in PR #75:

1. Auth checks — All 3 endpoints now enforce ownership via resolveStaff() + session.staffId === staffRow.id
2. Expiry bug — New checkAndExpireSession() helper auto-expires timed-out sessions in DB, called in extend, end, GET /sessions/:id, and POST /sessions/:id/log

23 new tests cover all these scenarios. QA re-reviewed and approved. This issue will close when PR #75 merges.

Both issues reported here have been fixed in PR #75: 1. **Auth checks** — All 3 endpoints now enforce ownership via `resolveStaff()` + `session.staffId === staffRow.id` 2. **Expiry bug** — New `checkAndExpireSession()` helper auto-expires timed-out sessions in DB, called in `extend`, `end`, `GET /sessions/:id`, and `POST /sessions/:id/log` 23 new tests cover all these scenarios. QA re-reviewed and approved. This issue will close when PR #75 merges.

ghost commented 2026-03-20 08:17:05 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Resolved in PR #75 (merged 2026-03-20). All 3 authorization checks and the expiry bug were fixed before merge — see QA re-review approval on the PR.

Resolved in PR #75 (merged 2026-03-20). All 3 authorization checks and the expiry bug were fixed before merge — see QA re-review approval on the PR.

This repo is archived. You cannot comment on issues.

No Branch/Tag Specified

Branches Tags

main

dev

flea/gro-1636-better-auth-seed

pr-434

uat

docs/GRO-1502-uat-mcp-migration

flea/gro-1496-e2e-err-connection-refused

flea-flicker/gro-1489-lint-fixes

cpfarhood/gro-1162-pet-buffer

flea-flicker/gro-1162-pet-buffer

fix/gro-1368-consent-ts

fix/ci-e2e-dind-networking-registry-auth

fix/gro-1369-types-sync

fix/ci-registry-auth-main

gitea/migrate-workflows

flea-flicker/gro-1162-pet-buffer-time

feat/GRO-106-portal-communication-real

archived-readme

feat/GRO-106-stop-help

fix/gro-1248-path-prefixes

fix/GRO-1212-portal-test-mock-imports

fix/GRO-1108-test-mocks

feat/GRO-106-stop-help-v2

docs/GRO-1099-uat-playbook-app

fleaflicker/deploy-telnyx-webhook-secret

fix/gro-1024-clean

fix/gro-1021-auth-rate-limit

fix/gro-1021-auth-rate-limit-v2

feat/GRO-984-outbound-sms-persistence

fix/GRO-980-indentation

docs/GRO-106-10dlc-runbook

fix/gro-898-demo-sso-env-vars

fix/gro-609-cherry-pick

fix/gro-866-uat-seed-personas

fix/gro-867-logo-proxy

fix/gro-816-portal-pets-crash

fix/gro-844-network-policy

fix/gro-820-e2e-invoices-mock

feature/gro-609-refund-payment-stats

fix/gro-765-portal-appointments-service

fix/gro-805-allow-groomer-invoices

fix/gro-720-gitignore-hardening

fix/gro-721-harden-gitignore

feature/gro-633-db-indexes-constraints

fix/gro-639-n-plus-one-reminder-scheduler

ci-dev-trigger2

fix/gro-624-input-validation

feature/gro-653-portal-session-middleware

fix/gro-640-n-plus-one-email

clean-gro-639

fix/gro-637-invoice-refund-fixes

fix/gro-665-staff-auto-link

fix/gro-636-input-validation-v3

fix-gro-624-input-validation

fix/gro-655-corepack-only

feature/gro-597-payment-admin

feature/gro-631-graceful-shutdown

fix/gro-660-uat-seed-manager-superuser

fix/gro-655-corepack-enoent

feature/gro-623-groomer-isolation

feature/gro-632-impersonation-session-hardening

feature/gro-607-payment-ui

feature/gro-597-payment-backend

feature/gro-597-payment-ui

feature/gro-597-stripe-webhooks

feature/gro-597-payment-api

GRO-574-rate-limit-migration

chore/gro-575-promote-gro-574-to-uat

fix/gro-566-skip-oobe

fix/gro-557-e2e-stability

chore/gro-558-agents-instructions

fix/gro-531-social-login

fix/gro-545-social-providers-config

fix/gro-540-prod-oidc-env-vars

feat/gro-526-seed-profile-param

No results found.

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

feature

New feature

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

ai-review (AI Review) gb_barkley (Barkley Trimsworth) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) gb_flea (Flea Flicker) flux (Flux CD) admin (Gitea Admin) gb_lint (Lint Roller) renovate (Mend Renovate) gb_pawla (Pawla Abdul) gb_scrubs (Scrubs McBarkley) gb_shedward (Shedward Scissorhands) gb_dogfather (The Dogfather)

No Assignees

1 Participants

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: groombook/app#77