fix(security): scope invite token verification to tenant

getVerificationByKey looked up email verification tokens by key + kind
only, never checking the tenant. In a multi-tenant deployment an invite
token issued for tenant A could be redeemed on tenant B, granting the
attacker Member-level access to B (cross-tenant IDOR).

Anchor the lookup to the request's tenant by adding `tenant_id` to the
WHERE clause, mirroring the sibling getVerificationByEmailAndCode which
already does this. A mismatched tenant now yields ErrNotFound and the
redemption is rejected.

Adds a regression test asserting a key saved on one tenant is not
retrievable from another.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: mattwoberts

app/services/sqlstore/postgres/tenant.go

@@ -130,8 +130,8 @@ func getVerificationByKey(ctx context.Context, q *query.GetVerificationByKey) er
 	return using(ctx, func(trx *dbx.Trx, tenant *entity.Tenant, user *entity.User) error {
 		verification := dbEntities.EmailVerification{}
 
-		query := "SELECT id, email, name, key, code, created_at, verified_at, expires_at, kind, user_id, attempts FROM email_verifications WHERE key = $1 AND kind = $2 LIMIT 1"
-		err := trx.Get(&verification, query, q.Key, q.Kind)
+		query := "SELECT id, email, name, key, code, created_at, verified_at, expires_at, kind, user_id, attempts FROM email_verifications WHERE key = $1 AND kind = $2 AND tenant_id = $3 LIMIT 1"
+		err := trx.Get(&verification, query, q.Key, q.Kind, tenant.ID)
 		if err != nil {
 			return errors.Wrap(err, "failed to get email verification by its key")
 		}

app/services/sqlstore/postgres/tenant_test.go

@@ -316,6 +316,34 @@ func TestTenantStorage_SaveFindSet_ChangeEmailVerificationKey(t *testing.T) {
 	Expect(getKey.Result.ExpiresAt).TemporarilySimilar(getKey.Result.CreatedAt.Add(15*time.Minute), 1*time.Second)
 }
 
+func TestTenantStorage_VerificationKey_IsTenantScoped(t *testing.T) {
+	SetupDatabaseTest(t)
+	defer TeardownDatabaseTest()
+
+	//Save new Key on the demo tenant
+	err := bus.Dispatch(demoTenantCtx, &cmd.SaveVerificationKey{
+		Key:      "s3cr3tk3y",
+		Duration: 15 * time.Minute,
+		Request: &actions.CreateTenant{
+			Email: "jon.snow@got.com",
+			Name:  "Jon Snow",
+		},
+	})
+	Expect(err).IsNil()
+
+	//Same key must NOT be retrievable from a different tenant
+	getKeyFromOtherTenant := &query.GetVerificationByKey{Kind: enum.EmailVerificationKindSignUp, Key: "s3cr3tk3y"}
+	err = bus.Dispatch(avengersTenantCtx, getKeyFromOtherTenant)
+	Expect(errors.Cause(err)).Equals(app.ErrNotFound)
+	Expect(getKeyFromOtherTenant.Result).IsNil()
+
+	//But it is retrievable from the tenant it belongs to
+	getKey := &query.GetVerificationByKey{Kind: enum.EmailVerificationKindSignUp, Key: "s3cr3tk3y"}
+	err = bus.Dispatch(demoTenantCtx, getKey)
+	Expect(err).IsNil()
+	Expect(getKey.Result.Email).Equals("jon.snow@got.com")
+}
+
 func TestTenantStorage_FindUnknownVerificationKey(t *testing.T) {
 	SetupDatabaseTest(t)
 	defer TeardownDatabaseTest()