Enforce user-scoped isolation for private data and webhook triggers (#606)

* Enforce hosted current-user data isolation

* Enforce user-scoped isolation across private data paths

* Fix hosted resume previews and null-owner uniqueness

Author: DaKheera47

orchestrator/src/client/api/settings-profile.ts

@@ -122,6 +122,12 @@ export async function deleteDesignResumePicture(input?: {
   });
 }
 
+export async function getDesignResumeAssetContentBlob(
+  assetUrl: string,
+): Promise<Blob> {
+  return fetchBlobApi(normalizeApiPath(assetUrl), { cache: "no-store" });
+}
+
 export async function exportDesignResume(): Promise<DesignResumeExportResponse> {
   return fetchApi<DesignResumeExportResponse>("/design-resume/export");
 }

orchestrator/src/client/components/design-resume/DesignResumeInlineSections.test.tsx

@@ -1,6 +1,18 @@
-import { fireEvent, render, screen } from "@testing-library/react";
+import { fireEvent, render, screen, waitFor } from "@testing-library/react";
 import { describe, expect, it, vi } from "vitest";
-import { BasicsCustomFieldsSection } from "./DesignResumeInlineSections";
+
+const mocks = vi.hoisted(() => ({
+  getDesignResumeAssetContentBlob: vi.fn(),
+}));
+
+vi.mock("@client/api/settings-profile", () => ({
+  getDesignResumeAssetContentBlob: mocks.getDesignResumeAssetContentBlob,
+}));
+
+import {
+  BasicsCustomFieldsSection,
+  PictureSection,
+} from "./DesignResumeInlineSections";
 
 describe("BasicsCustomFieldsSection", () => {
   it("lets the custom fields section title be renamed", () => {
@@ -44,4 +56,43 @@ describe("BasicsCustomFieldsSection", () => {
       { id: "field-1", title: "Availability", icon: "", text: "", link: "" },
     ]);
   });
+
+  it("loads JobOps asset picture previews through the authenticated blob API", async () => {
+    const createObjectUrl = vi
+      .spyOn(URL, "createObjectURL")
+      .mockReturnValue("blob:preview");
+    const revokeObjectUrl = vi
+      .spyOn(URL, "revokeObjectURL")
+      .mockImplementation(() => {});
+    mocks.getDesignResumeAssetContentBlob.mockResolvedValue(
+      new Blob(["image"], { type: "image/png" }),
+    );
+
+    const { unmount } = render(
+      <PictureSection
+        picture={{ url: "/api/design-resume/assets/asset-1/content" }}
+        pictureUploading={false}
+        pictureEnabled={true}
+        onUploadPicture={vi.fn()}
+        onDeletePicture={vi.fn()}
+        onUpdatePicture={vi.fn()}
+      />,
+    );
+
+    await waitFor(() => {
+      expect(
+        screen.getByAltText("Resume Studio profile").getAttribute("src"),
+      ).toBe("blob:preview");
+    });
+
+    expect(mocks.getDesignResumeAssetContentBlob).toHaveBeenCalledWith(
+      "/api/design-resume/assets/asset-1/content",
+    );
+
+    unmount();
+    expect(revokeObjectUrl).toHaveBeenCalledWith("blob:preview");
+
+    createObjectUrl.mockRestore();
+    revokeObjectUrl.mockRestore();
+  });
 });

orchestrator/src/client/components/design-resume/DesignResumeInlineSections.tsx

@@ -1,5 +1,7 @@
+import { getDesignResumeAssetContentBlob } from "@client/api/settings-profile";
 import type { DesignResumeJson } from "@shared/types";
 import { FileImage, ImagePlus, Plus, Trash2 } from "lucide-react";
+import { useEffect, useState } from "react";
 import { Alert, AlertDescription } from "@/components/ui/alert";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
@@ -92,6 +94,41 @@ export function PictureSection({
   onUpdatePicture,
 }: PictureSectionProps) {
   const editDisabled = !pictureEnabled;
+  const pictureUrl = toText(picture.url);
+  const [previewUrl, setPreviewUrl] = useState(pictureUrl);
+
+  useEffect(() => {
+    if (!pictureUrl) {
+      setPreviewUrl("");
+      return;
+    }
+
+    if (!pictureUrl.startsWith("/api/design-resume/assets/")) {
+      setPreviewUrl(pictureUrl);
+      return;
+    }
+
+    let objectUrl: string | null = null;
+    let cancelled = false;
+
+    getDesignResumeAssetContentBlob(pictureUrl)
+      .then((blob) => {
+        objectUrl = URL.createObjectURL(blob);
+        if (cancelled) {
+          URL.revokeObjectURL(objectUrl);
+          return;
+        }
+        setPreviewUrl(objectUrl);
+      })
+      .catch(() => {
+        if (!cancelled) setPreviewUrl(pictureUrl);
+      });
+
+    return () => {
+      cancelled = true;
+      if (objectUrl) URL.revokeObjectURL(objectUrl);
+    };
+  }, [pictureUrl]);
 
   return (
     <div className="grid gap-3">
@@ -109,7 +146,7 @@ export function PictureSection({
           className={`${insetPanelClassName} flex items-center gap-3 border-dashed p-3`}
         >
           <img
-            src={toText(picture.url)}
+            src={previewUrl}
             alt="Resume Studio profile"
             className="h-16 w-16 rounded-lg border border-border/60 object-cover"
           />

orchestrator/src/server/api/routes/auth.test.ts

@@ -213,6 +213,46 @@ describe.sequential("Auth routes", () => {
       expect(body.error.message).toContain("Username already exists");
     });
 
+    it("scopes backend analytics identity by hosted user", async () => {
+      async function signup(username: string): Promise<string> {
+        const res = await fetch(`${baseUrl}/api/auth/signup`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({
+            username,
+            password: `${username}-secret`,
+          }),
+        });
+        expect(res.status).toBe(201);
+        const body = await res.json();
+        expect(body.ok).toBe(true);
+        return body.data.token as string;
+      }
+
+      async function analyticsDistinctId(token: string): Promise<string> {
+        const res = await fetch(`${baseUrl}/api/auth/me`, {
+          headers: { Authorization: `Bearer ${token}` },
+        });
+        expect(res.status).toBe(200);
+        const body = await res.json();
+        expect(body.ok).toBe(true);
+        return body.data.analyticsDistinctId as string;
+      }
+
+      const aliceToken = await signup("analytics-alice");
+      const bobToken = await signup("analytics-bob");
+
+      const aliceFirst = await analyticsDistinctId(aliceToken);
+      const aliceSecond = await analyticsDistinctId(aliceToken);
+      const bob = await analyticsDistinctId(bobToken);
+
+      expect(aliceFirst).toMatch(
+        /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i,
+      );
+      expect(aliceSecond).toBe(aliceFirst);
+      expect(bob).not.toBe(aliceFirst);
+    });
+
     it("returns 400 for invalid signup input", async () => {
       const res = await fetch(`${baseUrl}/api/auth/signup`, {
         method: "POST",

orchestrator/src/server/api/routes/design-resume.ts

@@ -1,6 +1,7 @@
 import { badRequest, conflict, notFound, toAppError } from "@infra/errors";
 import { asyncRoute, fail, ok } from "@infra/http";
 import { logger } from "@infra/logger";
+import { getJobOpsAppConfig } from "@server/config/app-mode";
 import { getRequestId } from "@server/infra/request-context";
 import { enqueueAutoPdfRegenerationForReadyJobs } from "@server/services/auto-pdf-regeneration";
 import {
@@ -421,7 +422,7 @@ designResumeRouter.get(
     }
 
     const { asset, content } = await readDesignResumeAssetContent(assetId, {
-      bypassTenantScope: true,
+      bypassTenantScope: getJobOpsAppConfig().appMode !== "hosted",
     });
     res.setHeader("Content-Type", asset.mimeType);
     res.setHeader("Cache-Control", "private, max-age=60");

orchestrator/src/server/api/routes/post-application-providers.ts

@@ -3,7 +3,7 @@ import { badRequest, serviceUnavailable, upstreamError } from "@infra/errors";
 import { asyncRoute, fail, ok } from "@infra/http";
 import { logger } from "@infra/logger";
 import { executePostApplicationProviderAction } from "@server/services/post-application/providers";
-import { getActiveTenantId } from "@server/tenancy/context";
+import { getPrivateDataScope } from "@server/tenancy/private-scope";
 import {
   POST_APPLICATION_PROVIDER_ACTIONS,
   POST_APPLICATION_PROVIDERS,
@@ -47,6 +47,7 @@ const oauthStateStore = new Map<
   {
     accountKey: string;
     tenantId: string;
+    userId: string | null;
     redirectUri: string;
     createdAt: number;
   }
@@ -102,6 +103,7 @@ function setOauthState(
   entry: {
     accountKey: string;
     tenantId: string;
+    userId: string | null;
     redirectUri: string;
     createdAt: number;
   },
@@ -236,10 +238,12 @@ postApplicationProvidersRouter.get(
       const accountKey = parsed.accountKey ?? "default";
       const oauth = resolveGmailOauthConfig(req);
       const state = randomUUID();
+      const scope = getPrivateDataScope();
 
       setOauthState(state, {
         accountKey,
-        tenantId: getActiveTenantId(),
+        tenantId: scope.tenantId,
+        userId: scope.enforceUserIsolation ? scope.userId : null,
         redirectUri: oauth.redirectUri,
         createdAt: Date.now(),
       });
@@ -289,10 +293,15 @@ postApplicationProvidersRouter.post(
         fail(res, badRequest("OAuth state/account mismatch."));
         return;
       }
-      if (oauthState.tenantId !== getActiveTenantId()) {
+      const scope = getPrivateDataScope();
+      if (oauthState.tenantId !== scope.tenantId) {
         fail(res, badRequest("OAuth state/workspace mismatch."));
         return;
       }
+      if (scope.enforceUserIsolation && oauthState.userId !== scope.userId) {
+        fail(res, badRequest("OAuth state/user mismatch."));
+        return;
+      }
 
       const oauth = resolveGmailOauthConfig(req);
       const tokenPayload = await exchangeGmailAuthorizationCode({