fix(backend): harden runtime config and verification access

2026-03-19 16:36:28 +01:00
parent 8d0ef309e6
commit 2f25d10368
15 changed files with 262 additions and 14 deletions
--- a/backend/core-api/test/app.test.js
+++ b/backend/core-api/test/app.test.js
@@ -3,7 +3,11 @@ import assert from 'node:assert/strict';
 import request from 'supertest';
 import { createApp } from '../src/app.js';
 import { __resetLlmRateLimitForTests } from '../src/services/llm-rate-limit.js';
-import { __resetVerificationJobsForTests } from '../src/services/verification-jobs.js';
+import {
+  __resetVerificationJobsForTests,
+  createVerificationJob,
+  getVerificationJob,
+} from '../src/services/verification-jobs.js';

 beforeEach(async () => {
  process.env.AUTH_BYPASS = 'true';
@@ -13,7 +17,7 @@ beforeEach(async () => {
  process.env.MAX_SIGNED_URL_SECONDS = '900';
  process.env.LLM_RATE_LIMIT_PER_MINUTE = '20';
  process.env.VERIFICATION_REQUIRE_FILE_EXISTS = 'false';
-  process.env.VERIFICATION_ACCESS_MODE = 'authenticated';
+  process.env.VERIFICATION_ACCESS_MODE = 'tenant';
  process.env.VERIFICATION_ATTIRE_PROVIDER = 'mock';
  process.env.VERIFICATION_STORE = 'memory';
  __resetLlmRateLimitForTests();
@@ -66,6 +70,16 @@ test('GET /readyz reports database not configured when env is absent', async ()
  assert.equal(res.body.status, 'DATABASE_NOT_CONFIGURED');
 });

+test('createApp fails fast in protected env when unsafe core flags are enabled', async () => {
+  process.env.APP_ENV = 'staging';
+  process.env.AUTH_BYPASS = 'true';
+
+  assert.throws(() => createApp(), /AUTH_BYPASS must be disabled/);
+
+  delete process.env.APP_ENV;
+  process.env.AUTH_BYPASS = 'true';
+});
+
 test('POST /core/create-signed-url requires auth', async () => {
  process.env.AUTH_BYPASS = 'false';
  const app = createApp();
@@ -404,3 +418,24 @@ test('POST /core/verifications/:id/retry requeues verification', async () => {
  assert.equal(retried.status, 202);
  assert.equal(retried.body.status, 'PENDING');
 });
+
+test('verification access is denied to a different actor by default', async () => {
+  const created = await createVerificationJob({
+    actorUid: 'owner-user',
+    payload: {
+      type: 'attire',
+      subjectType: 'staff',
+      subjectId: 'staff_1',
+      fileUri: 'gs://krow-workforce-dev-private/uploads/owner-user/attire.jpg',
+      rules: { attireType: 'shoes' },
+    },
+  });
+
+  await assert.rejects(
+    () => getVerificationJob(created.verificationId, 'foreign-user'),
+    (error) => {
+      assert.equal(error.code, 'FORBIDDEN');
+      return true;
+    }
+  );
+});