mirror of
https://github.com/bigcapitalhq/bigcapital.git
synced 2026-06-01 15:39:00 +00:00
7efac090a9
Resolve a CLS middleware in App.module.ts to copy the request `organization-id` header straight into `cls.organizationId`, which the TenancyDB factory used to pick the per-tenant database. The JWT path never set `organizationId` from the authenticated user, and TenancyGlobalGuard only checked that the header was present — so any authenticated user could read or write another tenant's database by sending their own JWT plus the victim's `organization-id`. Make the JWT-resolved tenant the source of truth and validate the header at the edge: - AuthSigninService.verifyPayload now loads the user's tenant and sets `cls.organizationId` from `tenant.organizationId`, mirroring the API-key path in AuthApiKeyAuthorizeService. - TenancyGlobalGuard rejects with `Organization mismatch.` when the request header disagrees with the CLS value set by the auth guard. - App.module.ts no longer seeds `cls.organizationId` from the attacker-controlled request header. GHSA-2g96-86rw-qmvg Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>