
fix(auth): enforce policies across API and Livewire #8628

Open

andrasbacsai wants to merge 30 commits into next from audit-policies

Conversation

@andrasbacsai andrasbacsai commented Feb 26, 2026

Summary

Comprehensive authorization audit and hardening across the entire Coolify codebase — API controllers, Livewire components, and supporting infrastructure.

API & Sanctum auth

  • Add missing policy authorization to every API controller touching teams, servers, projects, environments, tokens, apps, keys, and security resources
  • Fix Sanctum token team resolution — current team is now derived from the token itself, not the user's last-visited team
  • Prevent snapshot-replay attacks: API token permission checks now compare against live DB state, not stale cached snapshots
  • Preserve Sanctum token prefix during lookups so bearer tokens resolve correctly

Livewire authorization

  • Wrap Livewire actions (deployments, resource ops, proxy controls, team deletion, database management, terminal access, etc.) in authorize() / policy checks with shared error handling
  • Enforce dashboard and server-navbar proxy authorization
  • Restrict sensitive data visibility (env vars, keys, tokens) for non-admin team members

Policies & models

  • Ensure instance-level (shared) databases route authorization through the root team
  • Fix team lookup for services via their relationship chain

Tests

  • Add feature tests covering authorization scenarios for API and UI (team-scoped access, forbidden paths, admin-vs-member)
  • Add browser tests for login, registration, server/project auth gates, and resource settings persistence
  • Reorganize and refresh existing API and job feature test suites

Other fixes bundled in the branch

  • Fix command injection vector in git ls-remote operations
  • Fix critical privilege escalation in team invitation system
  • Add queue-delay resilience and skip-log enrichment for scheduled jobs
  • Add bounds check to extractBalancedBraceContent in bootstrap helpers

Test plan

  • Run php artisan test --compact — all existing + new feature tests pass
  • Run browser tests in tests/v4/Browser/
  • Verify API endpoints return 403 when accessed by a member of a different team
  • Verify Livewire components show authorization errors instead of silently failing
  • Verify Sanctum token scoping works correctly when user belongs to multiple teams

🤖 Generated with Claude Code

…nents

- Add authorization checks to API controller endpoints (view, create, update, delete)
- Wrap Livewire component methods with try-catch for consistent error handling
- Add AuthorizesRequests trait to components requiring authorization checks
- Ensure all sensitive operations verify user permissions before execution
- Implement unified error handling with handleError() helper function

Add authorization gates to Project and Server creation buttons in the dashboard to prevent non-admin users from accessing resource creation. Improve team deletion to clear cache before deletion and automatically switch to the user's next available team.

- Hide create buttons from non-admin users in dashboard
- Clear cache before team deletion to prevent stale session resolution
- Switch user session to next available team when current team is deleted
- Handle refreshSession when user has no remaining teams
- Add tests for dashboard authorization enforcement and team deletion flow

Add authorization gate using @can('manageProxy') directive to ensure only
authorized users can view and interact with proxy control buttons (restart,
stop, start) in the server navbar component. Refactor tests to validate that
members cannot see proxy buttons while admins can.
- Replace manual ownership checks with authorize() in Destination/Show, NavbarDeleteTeam, and Project/Show
- Add authorization checks for team deletion and environment creation
- Add proper exception handling with try-catch blocks
- Add comprehensive feature and browser tests for authorization scenarios
- Update CLAUDE.md with Pest Browser Plugin testing guidelines
# Conflicts:
#	tests/Unit/Policies/GithubAppPolicyTest.php
#	tests/Unit/Policies/SharedEnvironmentVariablePolicyTest.php

Adjusted Discord notification setup, Livewire form submission handling, and checkbox interactions in `ResourceSettingsPersistenceTest` to better reflect page flows.

Restrict sensitive operations to admins/owners and hide sensitive data
from team members:
- Add authorization checks to Livewire components and API endpoints
- Restrict team members from accessing sensitive permissions and data
- Hide environment variable values from non-admin team members
- Update policies to enforce team-level admin status requirement
- Add useSensitivePermissions policy for read:sensitive tokens
- Improve disabled button UX with auth-specific tooltips
- Add authorization checks in middleware for API tokens

Closes authorization gaps in project management, server management,
and settings components.

Wrap email notification logic in try-catch to prevent email sending failures from breaking the connection test. If notification fails, log a warning and continue instead of letting the exception propagate.

Instance-level databases like coolify-db (with id = 0) should always
be assigned to the root team (id = 0) rather than attempting to resolve
their team from the database object itself.

Add authorization checks to multiple Livewire components to ensure users
have proper permissions before performing sensitive operations. This includes:

- Adding AuthorizesRequests trait to components handling deployments, backups,
  services, and configuration uploads
- Enforcing 'deploy', 'update', and 'manageBackups' authorization checks
- Adding instance admin check for system upgrade operations
- Improving database queries with team ownership scope
- Moving backup trigger from component to button with new backupNow() method

Hide database passwords, connection URLs, and debug logs from team members:
- Database components: hide passwords and connection URLs for members
- Deployment UI: gate debug log toggle behind update permission
- Debug logs: prevent members from viewing debug output
- Storage/services: hide sensitive credentials from members

Members can still view non-sensitive configuration while admins retain full access to all data.

Never trust Livewire component properties for authorization decisions, as
snapshots can be replayed from another user's session. Re-evaluate all
permission checks fresh using auth()->user()->can() against current policies
to ensure the authenticated user is being authorized, not a replayed copy.

- Replace cached canUse* booleans with fresh policy evaluation
- Add comprehensive security tests for token creation permissions
- Update API authorization tests to verify middleware blocking behavior
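The commit above (and the "Livewire authorization" bullets in the summary) describe the pattern in prose. Here is an added example, not Coolify's own code, that puts the cached-boolean version next to the hardened one. It assumes an `App\Models\Application` model with an `ApplicationPolicy` that defines a `deploy` ability; the class names, the `error` event and the view name are placeholders.

```php
<?php
// Added illustration, not code from the PR. Assumes App\Models\Application and an
// ApplicationPolicy with a 'deploy' ability (both hypothetical here).

namespace App\Livewire\Example;

use App\Models\Application;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;

// BEFORE: the permission is computed once in mount() and stored in a public property.
// Livewire serialises public properties into the component snapshot that round-trips
// through the browser, so the action trusts whatever snapshot the request carries
// rather than the user who is authenticated right now.
class DeployButtonCached extends Component
{
    public Application $application;

    public bool $canDeploy = false;

    public function mount(Application $application): void
    {
        $this->application = $application;
        $this->canDeploy = auth()->user()->can('deploy', $application);
    }

    public function deploy(): void
    {
        if (! $this->canDeploy) {   // decision based on snapshot state
            return;
        }
        // ... queue the deployment
    }
}

// AFTER: nothing authorization-related lives in component state. Every action
// re-runs the policy against auth()->user() at the time of the request, and the
// template receives a freshly computed flag on each render for UI purposes only.
class DeployButton extends Component
{
    use AuthorizesRequests;

    public Application $application;

    public function mount(Application $application): void
    {
        $this->application = $application;
    }

    public function deploy(): void
    {
        try {
            // Fresh policy evaluation: ApplicationPolicy::deploy($user, $application)
            $this->authorize('deploy', $this->application);
        } catch (AuthorizationException $e) {
            // Surface the failure instead of silently returning (shared handling
            // in the PR is the handleError() helper; a dispatched event stands in here).
            $this->dispatch('error', 'You are not allowed to deploy this application.');

            return;
        }
        // ... queue the deployment
    }

    public function render()
    {
        return view('livewire.example.deploy-button', [
            // Recomputed on every render; used only to disable the button in the UI.
            'canDeploy' => auth()->user()->can('deploy', $this->application),
        ]);
    }
}
```

The `canDeploy` value passed to the view is purely cosmetic (the Blade side can equally use `@can('deploy', $application)`, as the `@can('manageProxy')` gate in this PR does); the decision that matters is the `authorize()` call inside `deploy()`, which runs on the server against the current policy each time the action is invoked.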

Add fallback to resolve team from Sanctum access token when session team
is unavailable, enabling proper team context for stateless API requests.
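To make the token-based team resolution concrete (this commit, and the "Fix Sanctum token team resolution" / "compare against live DB state" bullets in the summary), here is an added middleware example. It is not Coolify's implementation: it assumes an `App\Models\Team` model, a `teams()` many-to-many relation on the user model, and a nullable `team_id` column on Sanctum's `personal_access_tokens` table; the middleware name and the `currentTeam` request attribute are placeholders.

```php
<?php
// Added illustration, not code from the PR. Assumes App\Models\Team, a User::teams()
// BelongsToMany relation, and a nullable team_id column on personal_access_tokens
// (all hypothetical here).

namespace App\Http\Middleware\Example;

use Closure;
use Illuminate\Http\Request;
use Laravel\Sanctum\PersonalAccessToken;
use Symfony\Component\HttpFoundation\Response;

class ResolveTeamFromToken
{
    public function handle(Request $request, Closure $next): Response
    {
        $user = $request->user();
        $token = $user?->currentAccessToken();

        // Only bearer-token requests carry a PersonalAccessToken; a session login
        // through the sanctum guard yields a TransientToken, which falls through to
        // the normal session-based team context.
        if ($token instanceof PersonalAccessToken && $token->team_id !== null) {
            // Resolve the team through the user's *current* membership with a live
            // query on every request. A token whose team the user has since left
            // (or never belonged to) therefore resolves to null and is rejected,
            // instead of being trusted because the token was once valid.
            $team = $user->teams()->whereKey($token->team_id)->first();

            if ($team === null) {
                return response()->json(['message' => 'Token team is not accessible.'], 403);
            }

            // Hand the resolved team to downstream controllers and policies.
            $request->attributes->set('currentTeam', $team);
        }

        return $next($request);
    }
}
```

Register the middleware on the API route group (after `auth:sanctum`, since it needs the authenticated user), and have whatever helper controllers use to obtain the current team read the request attribute before falling back to the session value. The important property is that the team comes from the token the request actually presented, checked against the database at request time, not from the user's last-visited team or from any value cached when the token was issued.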