Merge branch 'main' into intercom-for-mobile

Author: lyubov-voloshko

backend/src/ai-core/tools/collect-mongo-pipeline-collections.ts

@@ -0,0 +1,59 @@
+import { CollectQueryTablesResult } from '../../entities/visualizations/panel/utils/collect-query-tables.util.js';
+import { getErrorMessage } from '../../helpers/get-error-message.js';
+
+/**
+ * Recursively collects collection names referenced by stages that read from
+ * other collections (`$lookup`, `$graphLookup`, `$unionWith`) anywhere in a
+ * MongoDB aggregation pipeline, including nested sub-pipelines.
+ */
+function collectReferencedCollections(node: unknown, collected: Set<string>): void {
+	if (Array.isArray(node)) {
+		for (const item of node) {
+			collectReferencedCollections(item, collected);
+		}
+		return;
+	}
+	if (!node || typeof node !== 'object') {
+		return;
+	}
+	for (const [key, value] of Object.entries(node as Record<string, unknown>)) {
+		if (key === '$lookup' || key === '$graphLookup') {
+			const from = (value as { from?: unknown })?.from;
+			if (typeof from === 'string' && from.length > 0) {
+				collected.add(from);
+			}
+		} else if (key === '$unionWith') {
+			// `$unionWith` accepts either a collection-name string or `{ coll: <name>, pipeline: [...] }`.
+			if (typeof value === 'string' && value.length > 0) {
+				collected.add(value);
+			} else {
+				const coll = (value as { coll?: unknown })?.coll;
+				if (typeof coll === 'string' && coll.length > 0) {
+					collected.add(coll);
+				}
+			}
+		}
+		collectReferencedCollections(value, collected);
+	}
+}
+
+/**
+ * Resolves the collections a MongoDB aggregation pipeline reads from besides
+ * its base collection (the `$lookup` / `$graphLookup` / `$unionWith` targets),
+ * so the caller can verify the user has read permission on each.
+ *
+ * Returns `{ kind: 'tables' }` (possibly empty) when the pipeline parses, and
+ * `{ kind: 'indeterminate' }` when it cannot be parsed — in which case the
+ * caller must fall back to a stricter check rather than assume it is harmless.
+ */
+export function collectMongoPipelineCollections(pipeline: string): CollectQueryTablesResult {
+	let parsedPipeline: unknown;
+	try {
+		parsedPipeline = JSON.parse(pipeline);
+	} catch (error) {
+		return { kind: 'indeterminate', reason: `pipeline parse error: ${getErrorMessage(error)}` };
+	}
+	const collected = new Set<string>();
+	collectReferencedCollections(parsedPipeline, collected);
+	return { kind: 'tables', tables: Array.from(collected) };
+}

backend/src/ai-core/tools/query-validators.ts

@@ -28,6 +28,53 @@ export function isValidSQLQuery(query: string): boolean {
 	return true;
 }
 
+// Aggregation operators that either write to a collection ($out, $merge) or execute
+// server-side JavaScript ($function, $accumulator, $where). None of these belong in a
+// read-only AI query, and the substring blocklist in `isValidMongoDbCommand` cannot
+// detect them, so they must be rejected by walking the parsed pipeline.
+const FORBIDDEN_MONGO_OPERATORS: ReadonlySet<string> = new Set([
+	'$out',
+	'$merge',
+	'$function',
+	'$accumulator',
+	'$where',
+]);
+
+function pipelineContainsForbiddenOperator(node: unknown): boolean {
+	if (Array.isArray(node)) {
+		return node.some((item) => pipelineContainsForbiddenOperator(item));
+	}
+	if (!node || typeof node !== 'object') {
+		return false;
+	}
+	for (const [key, value] of Object.entries(node as Record<string, unknown>)) {
+		if (FORBIDDEN_MONGO_OPERATORS.has(key)) {
+			return true;
+		}
+		if (pipelineContainsForbiddenOperator(value)) {
+			return true;
+		}
+	}
+	return false;
+}
+
+/**
+ * Ensures a MongoDB aggregation pipeline is read-only: it must parse as JSON and contain
+ * no write stages (`$out`, `$merge`) or server-side JavaScript operators (`$function`,
+ * `$accumulator`, `$where`) at any nesting depth (including `$lookup` sub-pipelines). This
+ * AST-level check complements the substring-based `isValidMongoDbCommand`, which cannot
+ * detect these stages. Returns false for unparseable pipelines (fail-closed).
+ */
+export function isReadOnlyMongoAggregationPipeline(pipeline: string): boolean {
+	let parsedPipeline: unknown;
+	try {
+		parsedPipeline = JSON.parse(pipeline);
+	} catch {
+		return false;
+	}
+	return !pipelineContainsForbiddenOperator(parsedPipeline);
+}
+
 export function isValidMongoDbCommand(command: string): boolean {
 	const upperCaseCommand = command.toUpperCase();
 	const forbiddenKeywords = ['DROP', 'REMOVE', 'UPDATE', 'INSERT', 'DELETE'];

backend/src/authorization/auth-with-api.middleware.ts

@@ -9,7 +9,7 @@ import {
 } from '@nestjs/common';
 import { InjectRepository } from '@nestjs/typeorm';
 import Sentry from '@sentry/minimal';
-import { NextFunction, Request, Response } from 'express';
+import { NextFunction, Response } from 'express';
 import jwt from 'jsonwebtoken';
 import { Repository } from 'typeorm';
 import { JwtScopesEnum } from '../entities/user/enums/jwt-scopes.enum.js';
@@ -48,7 +48,7 @@ export class AuthWithApiMiddleware implements NestMiddleware {
 		}
 	}
 
-	private getTokenFromCookie(req: Request): string | undefined {
+	private getTokenFromCookie(req: IRequestWithCognitoInfo): string | undefined {
 		return req.cookies?.[Constants.JWT_COOKIE_KEY_NAME];
 	}
 
@@ -62,6 +62,9 @@ export class AuthWithApiMiddleware implements NestMiddleware {
 	private async authenticateWithToken(tokenFromCookie: string, req: IRequestWithCognitoInfo): Promise<void> {
 		try {
 			const jwtSecret = appConfig.auth.jwtSecret;
+			if (!jwtSecret) {
+				throw new UnauthorizedException('JWT verification failed');
+			}
 			const data = jwt.verify(tokenFromCookie, jwtSecret) as jwt.JwtPayload;
 			const userId = data.id;
 

backend/src/authorization/auth.middleware.ts

@@ -30,7 +30,7 @@ export class AuthMiddleware implements NestMiddleware {
 		private readonly logOutRepository: Repository<LogOutEntity>,
 	) {}
 	async use(req: IRequestWithCognitoInfo, _res: Response, next: NextFunction): Promise<void> {
-		let token: string;
+		let token: string | undefined;
 		try {
 			token = req.cookies[Constants.JWT_COOKIE_KEY_NAME];
 		} catch (_e) {
@@ -50,6 +50,9 @@ export class AuthMiddleware implements NestMiddleware {
 
 		try {
 			const jwtSecret = appConfig.auth.jwtSecret;
+			if (!jwtSecret) {
+				throw new UnauthorizedException('JWT verification failed');
+			}
 			const data = jwt.verify(token, jwtSecret) as jwt.JwtPayload;
 			const userId = data.id;
 

backend/src/authorization/non-scoped-auth.middleware.ts

@@ -26,7 +26,7 @@ export class NonScopedAuthMiddleware implements NestMiddleware {
 	) {}
 	async use(req: IRequestWithCognitoInfo, _res: Response, next: NextFunction): Promise<void> {
 		console.log(`auth middleware triggered ->: ${new Date().toISOString()}`);
-		let token: string;
+		let token: string | undefined;
 		try {
 			token = req.cookies[Constants.JWT_COOKIE_KEY_NAME];
 		} catch (_e) {
@@ -46,6 +46,9 @@ export class NonScopedAuthMiddleware implements NestMiddleware {
 
 		try {
 			const jwtSecret = appConfig.auth.jwtSecret;
+			if (!jwtSecret) {
+				throw new UnauthorizedException('JWT verification failed');
+			}
 			const data = jwt.verify(token, jwtSecret) as jwt.JwtPayload;
 			const userId = data.id;
 			if (!userId) {

backend/src/authorization/saas-auth.middleware.ts

@@ -16,6 +16,9 @@ export class SaaSAuthMiddleware implements NestMiddleware {
 		}
 		try {
 			const jwtSecret = appConfig.auth.microserviceJwtSecret;
+			if (!jwtSecret) {
+				throw new UnauthorizedException(Messages.AUTHORIZATION_REJECTED);
+			}
 			const data = jwt.verify(token, jwtSecret) as jwt.JwtPayload;
 			const requestId = data.request_id;
 

backend/src/authorization/temporary-auth.middleware.ts

@@ -28,7 +28,7 @@ export class TemporaryAuthMiddleware implements NestMiddleware {
 	) {}
 	async use(req: IRequestWithCognitoInfo, _res: Response, next: NextFunction): Promise<void> {
 		console.log(`temporary auth middleware triggered ->: ${new Date().toISOString()}`);
-		let token: string;
+		let token: string | undefined;
 		try {
 			token = req.cookies[Constants.JWT_COOKIE_KEY_NAME];
 		} catch (_e) {
@@ -48,6 +48,9 @@ export class TemporaryAuthMiddleware implements NestMiddleware {
 
 		try {
 			const jwtSecret = appConfig.auth.temporaryJwtSecret;
+			if (!jwtSecret) {
+				throw new UnauthorizedException('JWT verification failed');
+			}
 			const data = jwt.verify(token, jwtSecret) as jwt.JwtPayload;
 			const userId = data.id;
 			if (!userId) {

backend/src/authorization/utils/extract-token-from-header.ts

@@ -1,5 +1,5 @@
 import { Request } from 'express';
-export const extractTokenFromHeader = (request: Request): string | null => {
+export const extractTokenFromHeader = (request: Pick<Request, 'headers'>): string | null => {
 	const [type, token] = request.headers.authorization?.split(' ') ?? [];
 	return type === 'Bearer' ? token : null;
 };

backend/src/common/abstract-use.case.ts

@@ -30,20 +30,27 @@ abstract class AbstractUseCase<TInputData = void, TOutputData = void> {
 
 	protected abstract implementation(inputData: TInputData): Promise<TOutputData> | TOutputData;
 
+	private getDbContext(): IDatabaseContext {
+		if (!this._dbContext) {
+			throw new Error('Database context is not initialized for this use case.');
+		}
+		return this._dbContext;
+	}
+
 	private async startTransaction(): Promise<void> {
-		await this._dbContext.startTransaction();
+		await this.getDbContext().startTransaction();
 	}
 
 	private async commitTransaction(): Promise<void> {
-		await this._dbContext.commitTransaction();
+		await this.getDbContext().commitTransaction();
 	}
 
 	private async rollbackTransaction(): Promise<void> {
-		await this._dbContext.rollbackTransaction();
+		await this.getDbContext().rollbackTransaction();
 	}
 
 	private async releaseQueryRunner(): Promise<void> {
-		await this._dbContext.releaseQueryRunner();
+		await this.getDbContext().releaseQueryRunner();
 	}
 }
 

backend/src/common/application/global-database-context.ts

@@ -452,10 +452,9 @@ export class GlobalDatabaseContext implements IGlobalDatabaseContext {
 		return this._schemaChangeChatMessageRepository;
 	}
 
-	public startTransaction(): Promise<void> {
+	public async startTransaction(): Promise<void> {
 		this._queryRunner = this.appDataSource.createQueryRunner();
-		this._queryRunner.startTransaction();
-		return;
+		await this._queryRunner.startTransaction();
 	}
 
 	public async commitTransaction(): Promise<void> {