Closed
Description
Missing authorization check for flow-of-funds creation.
The endpoint validates input but doesn't verify that the user owns the investigation. Other forensic endpoints (e.g., /analyze, /generate-summary) include ownership verification via verifyInvestigationOwnership.
Apply this fix to add authorization:
api.post("/forensics/investigations/:id/flow-of-funds", async (req: Request, res: Response) => {
try {
const investigationId = parseInt(req.params.id);
if (isNaN(investigationId)) {
return res.status(400).json({ message: "Invalid investigation ID" });
}
+ const user = await storage.getUserByUsername("demo");
+ if (!user) {
+ return res.status(404).json({ message: "User not found" });
+ }
+
+ // Authorization check: verify investigation ownership
+ const investigation = await verifyInvestigationOwnership(investigationId, user.id);
+ if (!investigation) {
+ return res.status(404).json({ message: "Investigation not found or access denied" });
+ }
+
// Validate input data
const validation = insertForensicFlowOfFundsSchema.safeParse({
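Review bot: the ownership check is only as strong as the identity it compares against, and `storage.getUserByUsername("demo")` resolves the same fixed user for every caller, so `verifyInvestigationOwnership(investigationId, user.id)` passes or fails identically no matter who sent the request; resolve the user from the authenticated request (the session or token principal, which is what the agent prompt below means by "the current request/context") and return 401 when there is none. Two smaller points: the prompt says to return 403 while the suggestion returns 404 on denial, which is a reasonable choice (404 avoids confirming that the investigation exists) but should be stated as intended so the two do not drift; and the prompt places the check after input validation while the suggestion places it before, which is the cheaper order, so pick one and keep it consistent with the other forensic endpoints.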
🤖 Prompt for AI Agents
In server/routes.ts around lines 1622–1635 add an authorization check before
creating the flow record: after input validation and before calling
createFlowOfFundsRecord, call the existing verifyInvestigationOwnership helper
(await verifyInvestigationOwnership(...)) with the current request/context and
the investigationId; if it throws or returns false, return a 403 response (or
propagate the helper's error) so only the investigation owner can create
flow-of-funds records. Ensure the helper is imported at the top of the file if
not already.
Originally posted by @coderabbitai[bot] in #18 (comment)