fix: resolve cross-workspace IDOR in workspace management endpoints (#47)

christianmat · claude · web-flow · commit 43add903dbb1 · 2026-04-06T16:11:33.000-07:00
Use getWorkspace(request) to scope GET/PUT/DELETE operations to the authenticated workspace instead of accepting arbitrary workspaceId from URL params. This matches the secure pattern used by events and webhooks controllers. Closes #46 Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/apps/trench/src/workspaces/workspaces.controller.ts b/apps/trench/src/workspaces/workspaces.controller.ts
@@ -4,16 +4,16 @@ import {
   Body,
   UseGuards,
   Delete,
-  Param,
   Put,
-  NotFoundException,
   Get,
+  Request,
 } from '@nestjs/common'
 
 import { AdminApiGuard } from 'src/middlewares/admin-api.guard'
 import { WorkspacesService } from 'src/workspaces/workspaces.service'
 import { CreateWorkspaceDto, Workspace } from 'src/workspaces/workspaces.interface'
 import { ApiOperation, ApiResponse } from '@nestjs/swagger'
+import { getWorkspace } from 'src/common/request'
 
 @Controller('workspaces')
 @UseGuards(AdminApiGuard)
@@ -33,45 +33,39 @@ export class WorkspacesController {
     return newWorkspace
   }
 
-  @Delete(':workspaceId')
-  async delete(@Param('workspaceId') workspaceId: string) {
-    await this.workspacesService.deleteWorkspace(workspaceId)
+  @Delete()
+  async delete(@Request() request: Request) {
+    const workspace = getWorkspace(request)
+    await this.workspacesService.deleteWorkspace(workspace.workspaceId)
   }
 
-  @Put(':workspaceId')
+  @Put()
   @ApiOperation({ summary: 'Update a workspace' })
   @ApiResponse({
     status: 200,
     description:
       'The workspace has been successfully updated. Requires private API key in Bearer token.',
     type: Workspace,
   })
-  async update(
-    @Param('workspaceId') workspaceId: string,
-    @Body() updateWorkspaceDto: CreateWorkspaceDto
-  ) {
-    // Assuming the method name should be 'updateWorkspace' based on the error
+  async update(@Request() request: Request, @Body() updateWorkspaceDto: CreateWorkspaceDto) {
+    const workspace = getWorkspace(request)
     const updatedWorkspace = await this.workspacesService.updateWorkspace(
-      workspaceId,
+      workspace.workspaceId,
       updateWorkspaceDto
     )
 
     return updatedWorkspace
   }
 
-  @Get(':workspaceId')
-  @ApiOperation({ summary: 'Get a workspace by ID' })
+  @Get()
+  @ApiOperation({ summary: 'Get the authenticated workspace' })
   @ApiResponse({
     status: 200,
     description: 'The workspace has been successfully retrieved.',
     type: Workspace,
   })
-  async getById(@Param('workspaceId') workspaceId: string) {
-    const workspace = await this.workspacesService.getWorkspaceById(workspaceId)
-
-    if (!workspace) {
-      throw new NotFoundException('Workspace not found')
-    }
+  async getById(@Request() request: Request) {
+    const workspace = getWorkspace(request)
 
     return workspace
   }
