Marc Schäfer 51629247a5 fix(middleware): prevent cross-org site binding in target create/update ...

Extend verifySiteAccess to check that when req.userOrgId is already set
by a prior middleware (e.g. verifyResourceAccess/verifyTargetAccess), the
site from req.body.siteId belongs to the same organization. This prevents
the cross-organization tunnel boundary bypass where an attacker with
resource access in one org binds that resource's target to a site in
another org.

Add verifySiteAccess to both target route stacks:
- PUT /resource/:resourceId/target (after verifyResourceAccess)
- POST /target/:targetId (after verifyTargetAccess)

The org-match check runs before req.userOrg is overwritten, so the
resource's organization context is preserved for comparison.

Signed-off-by: Marc Schäfer <git@marcschaeferger.de>

2026-05-29 22:44:16 +00:00

..

integration

Merge branch 'resource-policies' into dev

2026-05-28 15:30:16 -07:00

csrfProtection.ts

CSRF prevention

2024-12-25 22:04:20 -05:00

formatError.ts

Format all files

2025-12-09 10:56:14 -05:00

getUserOrgs.ts

first pass

2026-02-24 17:58:11 -08:00

index.ts

Merge branch 'feat/resource-policies' into resource-policies

2026-05-04 14:40:44 -07:00

logActionAudit.ts

Create missing stubs

2025-10-27 13:45:24 -07:00

logIncoming.ts

add log incoming middleware

2024-10-26 17:19:10 -04:00

notFound.ts

Format all files

2025-12-09 10:56:14 -05:00

requestTimeout.ts

Format all files

2025-12-09 10:56:14 -05:00

stripDuplicateSessions.ts

add strip duplicate sesion middleware

2025-10-05 15:41:05 -07:00

verifyAccessTokenAccess.ts

fix(security): normalize request parameters and update dependencies

2026-05-15 18:35:58 +00:00

verifyAdmin.ts

first pass

2026-02-24 17:58:11 -08:00

verifyApiKeyAccess.ts

fix(security): normalize request parameters and update dependencies

2026-05-15 18:35:58 +00:00

verifyClientAccess.ts

first pass

2026-02-24 17:58:11 -08:00

verifyDomainAccess.ts

fix(security): normalize request parameters and update dependencies

2026-05-15 18:35:58 +00:00

verifyIsLoggedInUser.ts

create, delete, and update idp org policies

2025-04-18 15:38:50 -04:00

verifyLimits.ts

fix(security): normalize request parameters and update dependencies

2026-05-15 18:35:58 +00:00

verifyOlmAccess.ts

update olm and client routes

2025-11-06 20:12:54 -08:00

verifyOrgAccess.ts

fix(security): normalize request parameters and update dependencies

2026-05-15 18:35:58 +00:00

verifyResourceAccess.ts

first pass

2026-02-24 17:58:11 -08:00

verifyResourcePolicyAccess.ts

Fix API endpoint action issues

2026-05-04 16:01:40 -07:00

verifyRoleAccess.ts

first pass

2026-02-24 17:58:11 -08:00

verifySession.ts

add my-device and force login

2025-11-25 10:51:53 -05:00

verifySetResourceClients.ts

add extra org policy checks to middlewares

2025-12-03 15:50:24 -05:00

verifySetResourceUsers.ts

add extra org policy checks to middlewares

2025-12-03 15:50:24 -05:00

verifySiteAccess.ts

fix(middleware): prevent cross-org site binding in target create/update

2026-05-29 22:44:16 +00:00

verifySiteProvisioningKeyAccess.ts

fix(security): normalize request parameters and update dependencies

2026-05-15 18:35:58 +00:00

verifySiteResourceAccess.ts

first pass

2026-02-24 17:58:11 -08:00

verifyTargetAccess.ts

fix(security): normalize request parameters and update dependencies

2026-05-15 18:35:58 +00:00

verifyUser.ts

add my-device and force login

2025-11-25 10:51:53 -05:00

verifyUserAccess.ts

add extra org policy checks to middlewares

2025-12-03 15:50:24 -05:00

verifyUserCanSetUserOrgRoles.ts

Fix API endpoint action issues

2026-05-04 16:01:40 -07:00

verifyUserHasAction.ts

move middlewares out of auth

2024-11-16 22:48:10 -05:00

verifyUserInRole.ts

first pass

2026-02-24 17:58:11 -08:00

verifyUserIsOrgOwner.ts

fix(security): normalize request parameters and update dependencies

2026-05-15 18:35:58 +00:00

verifyUserIsServerAdmin.ts

add server admin panel to delete users

2025-03-21 18:04:27 -04:00