fix(security): viewer RBAC isolation + tenant-scoped key enumeration (#3382)

OneStepAt4time · web-flow · commit 44bc04e1da57 · 2026-05-14T10:04:43.000+02:00
Closes #3361, closes #3359. Viewer blocked from 6 admin-only endpoints. Rate-limits tenant-scoped for non-system viewers.
diff --git a/src/routes/analytics.ts b/src/routes/analytics.ts
@@ -10,7 +10,8 @@
 
 import type { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
 import type { RouteContext } from './context.js';
-import { requireRole, registerWithLegacy } from './context.js';
+import { requireRole, registerWithLegacy, getRequestRole } from './context.js';
+import { SYSTEM_TENANT } from '../config.js';
 import type {
   RateLimitKeyUsage,
   RateLimitForecast,
@@ -29,6 +30,12 @@ export function registerAnalyticsRoutes(app: FastifyInstance, ctx: RouteContext)
     config: { rateLimit: { max: 60, timeWindow: '1 minute' } },
     handler: async (req: FastifyRequest, reply: FastifyReply) => {
       if (!requireRole(auth, req, reply, 'admin', 'operator', 'viewer')) return;
+      // #3361: Viewer on non-system tenant blocked — summary is global operational data
+      const role = getRequestRole(auth, req);
+      if (role === 'viewer' && req.tenantId && req.tenantId !== SYSTEM_TENANT) {
+        reply.status(403).send({ error: 'Forbidden: insufficient role' });
+        return;
+      }
       return metricsCache.getMetrics();
     },
   });
@@ -38,6 +45,12 @@ export function registerAnalyticsRoutes(app: FastifyInstance, ctx: RouteContext)
     config: { rateLimit: { max: 60, timeWindow: '1 minute' } },
     handler: async (req: FastifyRequest, reply: FastifyReply) => {
       if (!requireRole(auth, req, reply, 'admin', 'operator', 'viewer')) return;
+      // #3361: Viewer on non-system tenant blocked — costs are global operational data
+      const role = getRequestRole(auth, req);
+      if (role === 'viewer' && req.tenantId && req.tenantId !== SYSTEM_TENANT) {
+        reply.status(403).send({ error: 'Forbidden: insufficient role' });
+        return;
+      }
 
       const metrics = metricsCache.getMetrics();
       const totalCostUsd = metrics.costTrends.reduce((sum, d) => sum + d.cost, 0);
@@ -78,6 +91,12 @@ export function registerAnalyticsRoutes(app: FastifyInstance, ctx: RouteContext)
     config: { rateLimit: { max: 60, timeWindow: '1 minute' } },
     handler: async (req: FastifyRequest, reply: FastifyReply) => {
       if (!requireRole(auth, req, reply, 'admin', 'operator', 'viewer')) return;
+      // #3361: Viewer on non-system tenant blocked — tokens are global operational data
+      const role = getRequestRole(auth, req);
+      if (role === 'viewer' && req.tenantId && req.tenantId !== SYSTEM_TENANT) {
+        reply.status(403).send({ error: 'Forbidden: insufficient role' });
+        return;
+      }
 
       const query = req.query as { from?: string; to?: string };
       const metrics = metricsCache.getMetrics();
@@ -125,6 +144,40 @@ export function registerAnalyticsRoutes(app: FastifyInstance, ctx: RouteContext)
     handler: async (req: FastifyRequest, reply: FastifyReply) => {
       if (!requireRole(auth, req, reply, 'admin', 'operator', 'viewer')) return;
 
+      // #3359: Tenant-scope key enumeration — viewer sees only own tenant's keys
+      const role = getRequestRole(auth, req);
+      const callerTenantId = req.tenantId;
+      const isSystemTenant = !callerTenantId || callerTenantId === SYSTEM_TENANT;
+      if (role === 'viewer' && !isSystemTenant) {
+        const allKeys = auth.listKeys();
+        const keys = allKeys.filter(k => k.tenantId === callerTenantId);
+        const allSessions = sessions.listSessions();
+        const perKey: RateLimitKeyUsage[] = keys.map((key) => {
+          const owned = allSessions.filter((s) => s.ownerKeyId === key.id);
+          const usage = quotas.getUsage(key as unknown as ApiKey, owned.length);
+          return {
+            keyId: key.id,
+            keyName: key.name,
+            activeSessions: usage.activeSessions,
+            maxSessions: usage.maxSessions,
+            tokensInWindow: usage.tokensInWindow,
+            maxTokens: usage.maxTokens,
+            spendInWindowUsd: usage.spendInWindow,
+            maxSpendUsd: usage.maxSpend,
+            windowMs: usage.windowMs,
+          };
+        });
+        const forecast = computeForecast(perKey);
+        return {
+          global: { ...GLOBAL_RATE_LIMIT },
+          perKey,
+          forecast,
+          generatedAt: new Date().toISOString(),
+        };
+      }
+
+      // Admin/operator/system: show all keys
+
       const keys = auth.listKeys();
       const allSessions = sessions.listSessions();
 
diff --git a/src/routes/audit.ts b/src/routes/audit.ts
@@ -231,19 +231,21 @@ export function registerAuditRoutes(app: FastifyInstance, ctx: RouteContext): vo
 
   // Global metrics (Issue #40)
   // Note: cannot use registerWithLegacy because legacy path /metrics is used by Prometheus
+  // #3361: Restricted to admin/operator — operational metrics are not viewer data
   app.get('/v1/metrics', {
     config: { rateLimit: { max: 120, timeWindow: '1 minute' } },
     handler: async (req: FastifyRequest, reply: FastifyReply) => {
-      if (!requireRole(auth, req, reply, 'admin', 'operator', 'viewer')) return;
+      if (!requireRole(auth, req, reply, 'admin', 'operator')) return;
       return metrics.getGlobalMetrics(sessions.listSessions().length);
     },
   });
 
   // Bounded no-PII diagnostics channel (Issue #881)
+  // #3361: Restricted to admin/operator — diagnostics are operational data
   registerWithLegacy(app, 'get', '/v1/diagnostics', {
     config: { rateLimit: { max: 120, timeWindow: '1 minute' } },
     handler: async (req: FastifyRequest, reply: FastifyReply) => {
-      if (!requireRole(auth, req, reply, 'admin', 'operator', 'viewer')) return;
+      if (!requireRole(auth, req, reply, 'admin', 'operator')) return;
       const parsed = diagnosticsQuerySchema.safeParse(req.query ?? {});
       if (!parsed.success) {
         return reply.status(400).send({
diff --git a/src/routes/health.ts b/src/routes/health.ts
@@ -178,8 +178,9 @@ export function registerHealthRoutes(app: FastifyInstance, ctx: RouteContext): v
   });
 
   // Issue #89 L15: Per-channel health reporting
+  // #3361: Restricted to admin/operator — channel config is operational data
   registerWithLegacy(app, 'get', '/v1/channels/health', async (req: FastifyRequest, reply: FastifyReply) => {
-    if (!requireRole(auth, req, reply, 'admin', 'operator', 'viewer')) return;
+    if (!requireRole(auth, req, reply, 'admin', 'operator')) return;
     return channels.getChannels().map(ch => {
       const health = ch.getHealth?.();
       if (health) return health;
