fix(backend): prevent IDOR in user collection and request endpoints (hoppscotch#5902)

Author: mirarifhasan

packages/hoppscotch-backend/src/errors.ts

@@ -787,15 +787,13 @@ export const INFRA_CONFIG_OPERATION_NOT_ALLOWED =
  * Error message for when the onboarding status fetch fails
  * (InfraConfigService)
  */
-export const INFRA_CONFIG_FETCH_FAILED =
-  'infra_config/fetch_failed' as const;
+export const INFRA_CONFIG_FETCH_FAILED = 'infra_config/fetch_failed' as const;
 
 /**
  * Onboarding has already been completed and cannot be re-run
  * (OnboardingController)
  */
-export const ONBOARDING_CANNOT_BE_RERUN =
-  'onboarding/cannot_be_rerun' as const;
+export const ONBOARDING_CANNOT_BE_RERUN = 'onboarding/cannot_be_rerun' as const;
 
 /**
  * Error message for when the database table does not exist

packages/hoppscotch-backend/src/team-collection/team-collection.service.spec.ts

@@ -893,7 +893,10 @@ describe('deleteCollection', () => {
       .spyOn(teamCollectionService, 'getCollection')
       .mockResolvedValueOnce(E.right(rootTeamCollection));
     jest
-      .spyOn(teamCollectionService as any, 'deleteCollectionAndUpdateSiblingsOrderIndex')
+      .spyOn(
+        teamCollectionService as any,
+        'deleteCollectionAndUpdateSiblingsOrderIndex',
+      )
       .mockResolvedValueOnce(E.left(TEAM_COL_REORDERING_FAILED));
 
     const result = await teamCollectionService.deleteCollection(
@@ -1667,23 +1670,6 @@ describe('FIX: updateMany queries now include teamID filter for root collections
     mockReset(mockPrisma);
   });
 
-  const team2: Team = {
-    id: 'team_2',
-    name: 'Team 2',
-  };
-
-  // Team 2's root collection - should NOT be affected by Team 1's operations
-  const team2RootCollection: DBTeamCollection = {
-    id: 'team2-root-coll',
-    orderIndex: 1,
-    parentID: null,
-    title: 'Team 2 Root Collection',
-    teamID: team2.id,
-    data: {},
-    createdOn: currentTime,
-    updatedOn: currentTime,
-  };
-
   test('FIX: deleteCollection - updateMany now correctly filters by teamID for root collections', async () => {
     /**
      * Scenario: Team 1 deletes a root collection
@@ -1717,7 +1703,8 @@ describe('FIX: updateMany queries now include teamID filter for root collections
     await teamCollectionService.deleteCollection(team1RootToDelete.id);
 
     // Get the updateMany call from the transaction
-    const updateManyCall = mockPrisma.teamCollection.updateMany.mock.calls[0][0];
+    const updateManyCall =
+      mockPrisma.teamCollection.updateMany.mock.calls[0][0];
 
     // FIX VERIFICATION: The query now correctly includes teamID
     // This ensures only Team 1's root collections are affected
@@ -1769,7 +1756,8 @@ describe('FIX: updateMany queries now include teamID filter for root collections
     );
 
     // Get the actual updateMany call arguments
-    const updateManyCall = mockPrisma.teamCollection.updateMany.mock.calls[0][0];
+    const updateManyCall =
+      mockPrisma.teamCollection.updateMany.mock.calls[0][0];
 
     // FIX VERIFICATION: The query now correctly includes teamID
     expect(updateManyCall.where).toEqual({
@@ -1830,7 +1818,8 @@ describe('FIX: updateMany queries now include teamID filter for root collections
     );
 
     // Get the actual updateMany call arguments
-    const updateManyCall = mockPrisma.teamCollection.updateMany.mock.calls[0][0];
+    const updateManyCall =
+      mockPrisma.teamCollection.updateMany.mock.calls[0][0];
 
     // FIX VERIFICATION: The query now correctly includes teamID
     expect(updateManyCall.where).toEqual({

packages/hoppscotch-backend/src/team-collection/team-collection.service.ts

@@ -216,7 +216,11 @@ export class TeamCollectionService {
       await this.prisma.$transaction(async (tx) => {
         try {
           // lock the rows
-          await this.prisma.lockTeamCollectionByTeamAndParent(tx, teamID, parentID);
+          await this.prisma.lockTeamCollectionByTeamAndParent(
+            tx,
+            teamID,
+            parentID,
+          );
 
           // Get the last order index
           const lastEntry = await tx.teamCollection.findFirst({
@@ -397,15 +401,18 @@ export class TeamCollectionService {
    * @param collectionID The collection ID
    * @returns An Either of the Collection details
    */
-  async getCollection(collectionID: string, tx: Prisma.TransactionClient | null = null) {
+  async getCollection(
+    collectionID: string,
+    tx: Prisma.TransactionClient | null = null,
+  ) {
     try {
-      const teamCollection = await (tx || this.prisma).teamCollection.findUniqueOrThrow(
-        {
-          where: {
-            id: collectionID,
-          },
+      const teamCollection = await (
+        tx || this.prisma
+      ).teamCollection.findUniqueOrThrow({
+        where: {
+          id: collectionID,
         },
-      );
+      });
       return E.right(teamCollection);
     } catch (error) {
       return E.left(TEAM_COLL_NOT_FOUND);
@@ -469,7 +476,11 @@ export class TeamCollectionService {
       teamCollection = await this.prisma.$transaction(async (tx) => {
         try {
           // lock the rows
-          await this.prisma.lockTeamCollectionByTeamAndParent(tx, teamID, parentID);
+          await this.prisma.lockTeamCollectionByTeamAndParent(
+            tx,
+            teamID,
+            parentID,
+          );
 
           // fetch last collection
           const lastCollection = await tx.teamCollection.findFirst({
@@ -552,15 +563,19 @@ export class TeamCollectionService {
         await this.prisma.$transaction(async (tx) => {
           try {
             // lock the rows
-            await this.prisma.lockTeamCollectionByTeamAndParent(tx, collection.teamID, collection.parentID);
+            await this.prisma.lockTeamCollectionByTeamAndParent(
+              tx,
+              collection.teamID,
+              collection.parentID,
+            );
 
             const deletedCollection = await tx.teamCollection.delete({
               where: { id: collection.id },
             });
-            
+
             // if collection is deleted, update siblings orderIndexes
             // if collection was deleted before the transaction started (race condition), do not update siblings orderIndexes
-            if (deletedCollection) { 
+            if (deletedCollection) {
               // update siblings orderIndexes
               await tx.teamCollection.updateMany({
                 where: {
@@ -623,7 +638,7 @@ export class TeamCollectionService {
     );
 
     return E.right(true);
-  } 
+  }
 
   /**
    * Change parentID of TeamCollection's
@@ -638,11 +653,10 @@ export class TeamCollectionService {
     newParentID: string | null,
   ) {
     // fetch last collection
-    const lastCollectionUnderNewParent =
-      await tx.teamCollection.findFirst({
-        where: { teamID: collection.teamID, parentID: newParentID },
-        orderBy: { orderIndex: 'desc' },
-      });
+    const lastCollectionUnderNewParent = await tx.teamCollection.findFirst({
+      where: { teamID: collection.teamID, parentID: newParentID },
+      orderBy: { orderIndex: 'desc' },
+    });
 
     // decrement orderIndex of all next sibling collections from original collection
     await tx.teamCollection.updateMany({
@@ -736,47 +750,52 @@ export class TeamCollectionService {
         const collection = await this.getCollection(collectionID, tx);
         if (E.isLeft(collection)) return E.left(collection.left);
         // lock the rows of the collection and its siblings
-        await this.prisma.lockTeamCollectionByTeamAndParent(tx, collection.right.teamID, collection.right.parentID);
+        await this.prisma.lockTeamCollectionByTeamAndParent(
+          tx,
+          collection.right.teamID,
+          collection.right.parentID,
+        );
         // destCollectionID == null i.e move collection to root
         if (!destCollectionID) {
           if (!collection.right.parentID) {
             // collection is a root collection
             // Throw error if collection is already a root collection
             return E.left(TEAM_COL_ALREADY_ROOT);
           }
-    
+
           // Change parent from child to root i.e child collection becomes a root collection
           // Move child collection into root and update orderIndexes for root teamCollections
           const updatedCollection = await this.changeParentAndUpdateOrderIndex(
             tx,
             collection.right,
             null,
           );
-          if (E.isLeft(updatedCollection)) return E.left(updatedCollection.left);
-    
+          if (E.isLeft(updatedCollection))
+            return E.left(updatedCollection.left);
+
           this.pubsub.publish(
             `team_coll/${collection.right.teamID}/coll_moved`,
             updatedCollection.right,
           );
-    
+
           return E.right(updatedCollection.right);
         }
-    
+
         // destCollectionID != null i.e move into another collection
         if (collectionID === destCollectionID) {
           // Throw error if collectionID and destCollectionID are the same
           return E.left(TEAM_COLL_DEST_SAME);
         }
-    
+
         // Get collection details of destCollectionID
         const destCollection = await this.getCollection(destCollectionID, tx);
         if (E.isLeft(destCollection)) return E.left(TEAM_COLL_NOT_FOUND);
-    
+
         // Check if collection and destCollection belong to the same user account
         if (collection.right.teamID !== destCollection.right.teamID) {
           return E.left(TEAM_COLL_NOT_SAME_TEAM);
         }
-    
+
         // Check if collection is present on the parent tree for destCollection
         const checkIfParent = await this.isParent(
           collection.right,
@@ -788,8 +807,12 @@ export class TeamCollectionService {
         }
 
         // lock the rows of the destination collection and its siblings
-        await this.prisma.lockTeamCollectionByTeamAndParent(tx, destCollection.right.teamID, destCollection.right.parentID);
-    
+        await this.prisma.lockTeamCollectionByTeamAndParent(
+          tx,
+          destCollection.right.teamID,
+          destCollection.right.parentID,
+        );
+
         // Change parent from null to teamCollection i.e collection becomes a child collection
         // Move root/child collection into another child collection and update orderIndexes of the previous parent
         const updatedCollection = await this.changeParentAndUpdateOrderIndex(
@@ -807,11 +830,7 @@ export class TeamCollectionService {
         return E.right(updatedCollection.right);
       });
     } catch (error) {
-
-      console.error(
-        'Error from TeamCollectionService.moveCollection',
-        error,
-      );
+      console.error('Error from TeamCollectionService.moveCollection', error);
       return E.left(TEAM_COL_REORDERING_FAILED);
     }
   }
@@ -823,7 +842,11 @@ export class TeamCollectionService {
    * @param teamID The Team ID (required when collectionID is null for root collections)
    * @returns Number of collections
    */
-  getCollectionCount(collectionID: string, teamID: string, tx: Prisma.TransactionClient | null = null): Promise<number> {
+  getCollectionCount(
+    collectionID: string,
+    teamID: string,
+    tx: Prisma.TransactionClient | null = null,
+  ): Promise<number> {
     return (tx || this.prisma).teamCollection.count({
       where: { parentID: collectionID, teamID: teamID },
     });
@@ -867,7 +890,7 @@ export class TeamCollectionService {
 
             // if collection is found, update orderIndexes of siblings
             // if collection was deleted before the transaction started (race condition), do not update siblings orderIndexes
-            if(collectionInTx) {
+            if (collectionInTx) {
               // Step 1: Decrement orderIndex of all items that come after collection.orderIndex till end of list of items
               await tx.teamCollection.updateMany({
                 where: {
@@ -881,7 +904,7 @@ export class TeamCollectionService {
                   orderIndex: { decrement: 1 },
                 },
               });
-  
+
               // Step 2: Update orderIndex of collection to length of list
               await tx.teamCollection.update({
                 where: { id: collection.right.id },
@@ -894,7 +917,6 @@ export class TeamCollectionService {
                 },
               });
             }
-            
           } catch (error) {
             throw new ConflictException(error);
           }
@@ -927,7 +949,11 @@ export class TeamCollectionService {
       await this.prisma.$transaction(async (tx) => {
         try {
           // Step 0: lock the rows
-          await this.prisma.lockTeamCollectionByTeamAndParent(tx, collection.right.teamID, collection.right.parentID);
+          await this.prisma.lockTeamCollectionByTeamAndParent(
+            tx,
+            collection.right.teamID,
+            collection.right.parentID,
+          );
 
           const collectionInTx = await tx.teamCollection.findFirst({
             where: { id: collectionID },
@@ -940,10 +966,10 @@ export class TeamCollectionService {
 
           // if collection and subsequentCollection are found, update orderIndexes of siblings
           // if collection or subsequentCollection was deleted before the transaction started (race condition), do not update siblings orderIndexes
-          if(collectionInTx && subsequentCollectionInTx) {
+          if (collectionInTx && subsequentCollectionInTx) {
             // Step 1: Determine if we are moving collection up or down the list
             const isMovingUp =
-            subsequentCollectionInTx.orderIndex < collectionInTx.orderIndex;
+              subsequentCollectionInTx.orderIndex < collectionInTx.orderIndex;
 
             // Step 2: Update OrderIndex of items in list depending on moving up or down
             const updateFrom = isMovingUp
@@ -1490,7 +1516,11 @@ export class TeamCollectionService {
 
     try {
       await this.prisma.$transaction(async (tx) => {
-        await this.prisma.lockTeamCollectionByTeamAndParent(tx, teamID, parentID);
+        await this.prisma.lockTeamCollectionByTeamAndParent(
+          tx,
+          teamID,
+          parentID,
+        );
 
         const collections = await tx.teamCollection.findMany({
           where: { teamID, parentID },