feat: add authorization check to listOrganizationAdmins service method

- Update ListOrganizationAdminsRequest to extend RequestorAwareRequest
- Implement authorization validation in OrganizationAdminService
- Update OrganizationAdminController to pass requestor
- Add unit test verifying authorization logic
- Document vulnerability in Sentinel journal

Author: google-labs-jules[bot]

.jules/sentinel.md

@@ -5,3 +5,9 @@
 **Vulnerability:** Found a "Fail Open" pattern in `RolePermissionChecker.scopeMatches` where unhandled scope types would default to `true` (allow access), potentially bypassing authorization checks if new scope types were added without updating the logic.
 **Learning:** Default return values in authorization checks must always be restrictive (`false` or `deny`). Code that relies on "falling through" to a default should fall to a safe state.
 **Prevention:** Always implement "Fail Closed" logic. When checking permissions, start with `false` and only switch to `true` if an explicit allow condition is met. Use exhaustive checks (like TypeScript's `never` check) in switch statements or if-else chains to ensure all cases are handled, but still default to `false` as a safety net.
+
+## 2026-02-15 - Missing Authorization in Service Method
+
+**Vulnerability:** `OrganizationAdminService.listOrganizationAdmins` exposed an endpoint without any authorization check because the method signature did not accept the requestor, making authorization checks impossible at the service layer.
+**Learning:** Service methods that perform sensitive actions must always be "Requestor Aware" to enforce authorization logic closer to the data, rather than relying solely on Controllers (which might forget to check).
+**Prevention:** Enforce a pattern where all sensitive service methods accept `RequestorAwareRequest`. Use linting or architectural reviews to flag public service methods that don't take a user context.

app/controllers/src/organization-admin/organization-admin.controller.ts

@@ -61,6 +61,7 @@ export class OrganizationAdminController {
   @Get(":organizationName/admins")
   async listOrganizationAdmins(
     @Param("organizationName") organizationName: string,
+    @GetAuthenticatedEntity() requestor: AuthenticatedEntity,
     @Query("page") page?: string,
     @Query("limit") limit?: string
   ): Promise<{data: OrganizationAdminApi[]; pagination: PaginationApi}> {
@@ -69,7 +70,7 @@ export class OrganizationAdminController {
       this.organizationAdminService.listOrganizationAdmins(req)
 
     const eitherAdminsList = await pipe(
-      {organizationName, page, limit},
+      {organizationName, page, limit, requestor},
       listOrganizationAdminsApiToServiceModel,
       TE.fromEither,
       TE.chainW(serviceListAdmins),

app/controllers/src/organization-admin/organization-admin.mappers.ts

@@ -45,6 +45,7 @@ export function listOrganizationAdminsApiToServiceModel(data: {
   organizationName: string
   page?: string
   limit?: string
+  requestor: AuthenticatedEntity
 }): Either<"invalid_number_format", ListOrganizationAdminsRequest> {
   const parseNumber = (value: string | undefined): Either<"invalid_number_format", number | undefined> => {
     if (value === undefined) return right(undefined)
@@ -58,7 +59,8 @@ export function listOrganizationAdminsApiToServiceModel(data: {
     bindW("organizationName", () => right(data.organizationName)),
     bindW("page", () => parseNumber(data.page)),
     bindW("limit", () => parseNumber(data.limit)),
-    map(({organizationName, page, limit}) => ({organizationName, page, limit}))
+    bindW("requestor", () => right(data.requestor)),
+    map(({organizationName, page, limit, requestor}) => ({organizationName, page, limit, requestor}))
   )
 }
 
@@ -127,12 +129,16 @@ export function generateErrorResponseForAddOrganizationAdmin(
 }
 
 export function generateErrorResponseForListOrganizationAdmins(
-  error: OrganizationAdminListError | "invalid_number_format",
+  error: OrganizationAdminListError | AuthorizationError | "invalid_number_format",
   context: string
 ): HttpException {
   const errorCode = error.toUpperCase()
 
   switch (error) {
+    case "requestor_not_authorized":
+      return new ForbiddenException(
+        generateErrorPayload(errorCode, `${context}: You are not authorized to perform this action`)
+      )
     case "organization_not_found":
       return new NotFoundException(generateErrorPayload(errorCode, `${context}: Organization not found`))
     case "invalid_number_format":

app/services/src/organization-admin/organization-admin.service.spec.ts

@@ -0,0 +1,102 @@
+// eslint-disable-next-line node/no-unpublished-import
+import {Test, TestingModule} from "@nestjs/testing"
+import {OrganizationAdminService} from "./organization-admin.service"
+import {ORGANIZATION_ADMIN_REPOSITORY_TOKEN} from "./interfaces"
+import * as TE from "fp-ts/TaskEither"
+import {isRight, isLeft} from "fp-ts/Either"
+import {AuthenticatedEntity, OrgRole, User} from "@domain"
+
+// Manual mock implementation
+const mockRepository = {
+  createOrganizationAdmin: jest.fn(),
+  listOrganizationAdmins: jest.fn(),
+  removeOrganizationAdminIfNotLast: jest.fn(),
+  removeOrganizationAdminByEmailIfNotLast: jest.fn()
+}
+
+const mockMemberUser = {
+  id: "user-123",
+  email: "member@example.com",
+  displayName: "Member User",
+  createdAt: new Date(),
+  orgRole: OrgRole.MEMBER,
+  roles: [],
+  occ: BigInt(1)
+} as User & {occ: bigint}
+
+const mockAdminUser = {
+  id: "admin-123",
+  email: "admin@example.com",
+  displayName: "Admin User",
+  createdAt: new Date(),
+  orgRole: OrgRole.ADMIN,
+  roles: [],
+  occ: BigInt(1)
+} as User & {occ: bigint}
+
+const mockMemberEntity: AuthenticatedEntity = {
+  entityType: "user",
+  user: mockMemberUser
+}
+
+const mockAdminEntity: AuthenticatedEntity = {
+  entityType: "user",
+  user: mockAdminUser
+}
+
+describe("OrganizationAdminService Security", () => {
+  let service: OrganizationAdminService
+
+  beforeEach(async () => {
+    // Reset mocks
+    jest.clearAllMocks()
+
+    // Mock successful list response
+    mockRepository.listOrganizationAdmins.mockReturnValue(
+      TE.right({
+        admins: [],
+        page: 1,
+        limit: 20,
+        total: 0
+      })
+    )
+
+    const module: TestingModule = await Test.createTestingModule({
+      providers: [
+        OrganizationAdminService,
+        {
+          provide: ORGANIZATION_ADMIN_REPOSITORY_TOKEN,
+          useValue: mockRepository
+        }
+      ]
+    }).compile()
+
+    service = module.get<OrganizationAdminService>(OrganizationAdminService)
+  })
+
+  it("should return requestor_not_authorized when user is not admin", async () => {
+    const result = await service.listOrganizationAdmins({
+      organizationName: "default",
+      requestor: mockMemberEntity
+    })()
+
+    expect(isLeft(result)).toBe(true)
+    if (isLeft(result)) {
+      expect(result.left).toBe("requestor_not_authorized")
+    }
+
+    // Repository should NOT be called
+    expect(mockRepository.listOrganizationAdmins).not.toHaveBeenCalled()
+  })
+
+  it("should list admins when user is admin", async () => {
+    const result = await service.listOrganizationAdmins({
+      organizationName: "default",
+      requestor: mockAdminEntity
+    })()
+
+    expect(isRight(result)).toBe(true)
+    // Repository SHOULD be called
+    expect(mockRepository.listOrganizationAdmins).toHaveBeenCalled()
+  })
+})

app/services/src/organization-admin/organization-admin.service.ts

@@ -55,8 +55,9 @@ export class OrganizationAdminService {
 
   listOrganizationAdmins(
     request: ListOrganizationAdminsRequest
-  ): TaskEither<OrganizationAdminListError, PaginatedOrganizationAdminsList> {
-    const validateRequest = (req: ListOrganizationAdminsRequest) => {
+  ): TaskEither<OrganizationAdminListError | AuthorizationError, PaginatedOrganizationAdminsList> {
+    const validateRequest = (req: ListOrganizationAdminsRequest, requestor: User) => {
+      if (requestor.orgRole !== "admin") return E.left("requestor_not_authorized" as const)
       if (req.organizationName !== SUPPORTED_ORGANIZATION) return E.left("organization_not_found" as const)
 
       const page = req.page ?? 1
@@ -76,8 +77,8 @@ export class OrganizationAdminService {
       })
 
     return pipe(
-      request,
-      validateRequest,
+      validateUserEntity(request.requestor),
+      E.chainW(requestor => validateRequest(request, requestor)),
       TE.fromEither,
       TE.chainW(fetchAdmins),
       logSuccess("Organization admins listed", "OrganizationAdminService", result => ({count: result.admins.length}))
@@ -117,7 +118,7 @@ export interface AddOrganizationAdminRequest extends RequestorAwareRequest {
   readonly email: string
 }
 
-export interface ListOrganizationAdminsRequest {
+export interface ListOrganizationAdminsRequest extends RequestorAwareRequest {
   readonly organizationName: string
   readonly page?: number
   readonly limit?: number