Skip to content

LOOPIN-037 — Fix Auth and Authorization Gaps #61

Description

@shaig-mahmudov

Type

Security / Backend

Problem

Several API flows currently trust client-provided identity or lack ownership checks. This creates security risks around authentication, event management, and group membership.

Scope

Fix the following issues:

  • Google auth trusts googleId, email, and name from the request body.
  • Events do not have an owner, so update/delete authorization cannot be enforced.
  • Group member endpoints allow arbitrary member add/remove operations.
  • Group controller accepts X-User-Email and falls back to admin@email.com.
  • Group creation says eventId is optional, but schema requires event_id.

Acceptance Criteria

  • POST /auth/google accepts a Google ID token, not raw identity fields.
  • Google token verification checks:
    • Signature
    • Issuer
    • Audience
    • Expiry
    • email_verified
  • User identity is derived only from verified token claims.
  • Event entity has an owner/creator user reference.
  • Event creation uses the authenticated user as owner.
  • Event update/delete is allowed only for the event owner or admin.
  • Group member add/remove operations are restricted to group admin, with self-leave handled separately if needed.
  • X-User-Email fallback is removed from group flows.
  • No fallback to admin@email.com exists.
  • Product decision is made for independent groups:
    • Either make eventId required in the API
    • Or make event_groups.event_id nullable in JPA and Liquibase
  • Regression tests cover:
    • Fake Google login
    • Event ownership
    • Group member permissions
    • Group creation rules
  • Full test suite passes.

Suggested Implementation Order

  1. Replace Google auth request DTO with idToken.
  2. Add Google token verifier service/config.
  3. Remove X-User-Email and fallback identity behavior.
  4. Add event owner field and Liquibase migration.
  5. Enforce owner-or-admin event update/delete.
  6. Restrict group member mutation endpoints.
  7. Resolve independent group schema/API mismatch.
  8. Add regression tests.

Metadata

Metadata

Labels

No labels
No labels

Type

Fields

No fields configured for Task.

Projects

Status
Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions