From 020f58d5b30ccf7dfd0f6d8f0f7fe59639296cf5 Mon Sep 17 00:00:00 2001 From: seniorswe <57962648+seniorswe@users.noreply.github.com> Date: Sun, 25 Jan 2026 18:00:01 -0500 Subject: [PATCH] Delete fix.md --- fix.md | 36 ------------------------------------ 1 file changed, 36 deletions(-) delete mode 100644 fix.md diff --git a/fix.md b/fix.md deleted file mode 100644 index 1cab6a0..0000000 --- a/fix.md +++ /dev/null @@ -1,36 +0,0 @@ -# v1 Launch Fixes - -This file tracks potential issues, impact, and suggested fixes discovered during the pre-launch review. - -## Auth/session + UI access -- Cookie SameSite handling: `COOKIE_SAMESITE=None` on HTTP drops cookies in browsers. Fix: in `backend-services/routes/authorization_routes.py`, if `samesite == 'none'` and `_secure` is false, downgrade to `lax` and log a warning. This prevents confusing login loops in dev. - - - - -- Admin UI access inconsistency: login allows “super admin” regardless of `ui_access`, but `AuthContext` later sets `hasUIAccess` strictly from `user.ui_access`. Fix: align `AuthContext` to treat `role === 'admin'` or `username === 'admin'` as UI‑allowed (or ensure seed/restore always forces `ui_access=true`). - - - - -## Admin/user/role management -- `GET /platform/user/email/{email}` can 500 when user not found: `UserService.get_user_by_email` dereferences `user` before checking `None`. Fix: check `if not user` before accessing keys. -- Admin subscription bypass is broken: `subscription_required` compares `username` to `DOORMAN_ADMIN_EMAIL`, so admin users don’t bypass subscriptions unless username equals email. Fix: use `is_admin_user(username)` or `username == 'admin'` (or check role). -- Response schema mismatch: `GET /platform/user/email/{email}` declares `response_model=list[UserModelResponse]` but returns a single user object. Fix: adjust response_model or return list consistently. -- Super admin cannot see self: `/platform/user/all`, `/platform/user/{username}`, and `/platform/user/email/{email}` always hide `admin`. Fix: allow `admin` to see self when the requester is admin (or when `username == auth_username`). - -## Gateway routing + subscriptions -- Subscriptions allow horizontal privilege escalation: `/platform/subscription/subscribe` and `/platform/subscription/unsubscribe` allow any authenticated user to target any username; only group membership is checked. Fix: if `api_data.username != actor`, require `manage_subscriptions` (or admin) before proceeding. -- Subscription reads lack permission checks: `/platform/subscription/subscriptions/{user_id}` returns any user’s subscriptions to any authenticated caller. Fix: restrict to self or require `manage_subscriptions`. -- API allowed roles are defined but never enforced on gateway requests. If roles are intended to gate API access, add a role check alongside group/subscription enforcement; otherwise clarify docs/UI to avoid false expectations. - -## Analytics/logs/dashboard + config/security -- Config export APIs use `cursor.to_list()` on sync PyMongo cursors (`backend-services/routes/config_routes.py`). In Mongo mode this raises `AttributeError`. Fix: replace with `list(cursor)` or use async db helpers consistently. -- Subscriptions available-apis uses `cursor.to_list()` on sync cursor (`backend-services/routes/subscription_routes.py`); same issue in Mongo mode. Fix: convert to list like above or use async helper. -- Dashboard data requires only auth, not `view_analytics`. If analytics visibility is supposed to be permissioned, add a role check (or clarify that dashboard is always visible to UI‑access users). - -## Tests/smoke coverage -- No coverage for subscription permission checks (subscribe/unsubscribe another user, read others’ subscriptions). Add tests to prevent privilege escalation regressions. -- No coverage for API role enforcement on gateway access (if intended). Add a test that denies a user whose role is not in `api_allowed_roles`. -- No coverage for cookie SameSite/Secure behavior in HTTP dev. Add a web client smoke test or integration test that validates cookie presence after login when `HTTPS_ONLY=false`. -- Config export/import is only exercised in memory mode; no test for Mongo mode cursor handling. Add a small integration test or adjust code to use driver‑agnostic helper.