fix(auth): restrict signup write-surface to client-settable fields (mass assignment)#3867
Conversation
|
Warning Review limit reached
More reviews will be available in 34 minutes and 33 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (5)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #3867 +/- ##
=======================================
Coverage 92.48% 92.48%
=======================================
Files 165 165
Lines 5400 5403 +3
Branches 1735 1735
=======================================
+ Hits 4994 4997 +3
Misses 326 326
Partials 80 80
Flags with carried forward coverage won't be shown. Click here to find out more. Continue to review full report in Codecov by Harness.
🚀 New features to boost your workflow:
|
… invite path The P8a integration test (and real invite-flow clients) sends referredBy in the signup body to verify the server ignores it. The .strict() SignupUser schema rejected it with 422 instead of stripping it. Fix: accept referredBy as optional in SignupUser (avoids the 422) and unconditionally delete it in the controller serverOwned list — the server always sets it via the invite finalize seam. Security invariant preserved: a client can never self-assign a referrer.
There was a problem hiding this comment.
Pull request overview
This PR hardens the public /api/auth/signup path against mass-assignment by narrowing the validated request schema to a dedicated strict signup write-surface and adding controller-side scrubbing as defense in depth.
Changes:
- Added a new strict
SignupUserZod schema exposing only client-settable signup fields and exported it fromusers.schema.js. - Updated the signup route to validate against
UsersSchema.SignupUserinstead of the fullUsersSchema.User. - Added/updated tests to ensure server-owned fields are rejected at the route layer and stripped before
UserService.create.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| modules/users/models/users.schema.js | Adds and exports SignupUser strict Zod schema intended for public signup validation. |
| modules/auth/routes/auth.routes.js | Switches /api/auth/signup validation from full User schema to SignupUser. |
| modules/auth/controllers/auth.controller.js | Adds controller-side scrubbing/forcing of roles and emailVerified (defense in depth). |
| modules/auth/tests/auth.silent.catch.unit.tests.js | Adds a unit test asserting controller-side stripping before UserService.create. |
| modules/auth/tests/auth.integration.tests.js | Adds an integration test asserting strict schema rejects server-owned fields (422) and prevents persistence. |
| * `SignupUser` exposes ONLY the fields a public signup may legitimately set — the same | ||
| * safe surface encoded by `config.whitelists.users.default` / `.update` — and is | ||
| * `.strict()`, so any unknown / server-owned key is REJECTED (422) instead of silently |
| const safeBody = { ...req.body, roles: ['user'], emailVerified: false }; | ||
| for (const serverOwned of [ | ||
| 'providerData', | ||
| 'additionalProvidersData', | ||
| 'resetPasswordToken', | ||
| 'resetPasswordExpires', | ||
| 'emailVerificationToken', | ||
| 'emailVerificationExpires', | ||
| 'failedLoginAttempts', | ||
| 'lockUntil', | ||
| 'lastLoginAt', | ||
| 'currentOrganization', | ||
| 'referredBy', | ||
| ]) delete safeBody[serverOwned]; |
Summary
SignupUserJoi schema that exposes only client-settable fields (name, firstName, lastName, email, password). The signup controller now stripsrolesand forcesemailVerified:false, and explicitly deletes all server-owned fields (currentOrganization,providerData,token,lock) before passing data to the service.emailVerified,providerData,token, and lock fields client-writable. SettingemailVerified:trueon signup defeats the OAuth-annexation guard (a HIGH finding in the security audit). Both the schema restriction and the controller strip are independent defence-in-depth layers, each covered by failing-first tests.Scope
modules/auth(controller, routes, tests),modules/users/models(newSignupUserschema export)none— the new schema is self-contained inusers.schema.jsand consumed only by the auth signup pathlow— strictly reduces the accepted write-surface; no behaviour change for well-formed requestsValidation
npm run lintnpm testGuardrails check
.env*,secrets/**, keys, tokens)Notes for reviewers
.strict()schema at the route level rejects unknown fields before they reach the controller; (2) controller hard-deletes server-owned fields and forcesroles/emailVerifiedto safe defaults. Either layer alone closes the mass-assignment vector.SignupUserschema export without any breaking change to existing exports.