Skip to content

Main#109

Merged
RikepilB merged 2 commits into
masterfrom
main
Jun 25, 2026
Merged

Main#109
RikepilB merged 2 commits into
masterfrom
main

Conversation

@RikepilB

@RikepilB RikepilB commented Jun 25, 2026

Copy link
Copy Markdown
Owner

Summary by CodeRabbit

  • New Features

    • Added stricter access checks for resume downloads and previews so only the owning workspace can open stored resumes.
  • Bug Fixes

    • Resume requests now return clearer responses when a user is not signed in, lacks access, or the file can’t be found.
    • Resume file serving now runs in the correct server environment and preserves the existing PDF delivery behavior.

RikepilB added 2 commits June 24, 2026 17:00
The resume-serving routes leaked candidate PII. The main file route
(src/app/api/resumes/[...objectName]/route.ts) had zero auth, and the
preview route authenticated but never checked ownership — anyone with an
object path could fetch any applicant's resume.

- New shared guard src/lib/resume/access.ts: authorizeResumeRequest()
  (session -> org -> applicant ownership) + resumeObjectBelongsToOrg().
  Cross-org access returns 404 (not 403) so the route never leaks the
  existence of another workspace's resume.
- Both resume routes call the guard first and stay thin; main route
  pinned to runtime="nodejs".
- Unaffected paths: worker parsing reads disk/DB directly (HTTP fetch
  only for external GCS/S3 URLs); browser requests carry the session
  cookie so inline viewing still works.
- Tests: access.test.ts (7) + route.test.ts (3 boundary) prove
  401-and-file-never-read / 404 cross-org / 200 owned; upload.test.ts
  mocks auth+ownership for the storage round-trip. 206 tests pass.

Closes #102
fix(resume): require auth + org ownership on /api/resumes/* routes
@vercel

vercel Bot commented Jun 25, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
scoutlane Ready Ready Preview, Comment Jun 25, 2026 5:03am

@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: c63820a3-5c0e-4576-84fb-51c72c4bafbb

📥 Commits

Reviewing files that changed from the base of the PR and between 7a42262 and 67f14ca.

📒 Files selected for processing (6)
  • src/app/api/resumes/[...objectName]/route.test.ts
  • src/app/api/resumes/[...objectName]/route.ts
  • src/app/api/resumes/preview/[...objectName]/route.ts
  • src/lib/resume/access.test.ts
  • src/lib/resume/access.ts
  • src/lib/storage/upload.test.ts

📝 Walkthrough

Walkthrough

The PR adds a shared resume access helper, updates both resume-serving routes to use it, adds route and helper tests, and expands a storage upload test’s Prisma/auth mocks.

Changes

Resume access authorization

Layer / File(s) Summary
Shared access helper and test mocks
src/lib/resume/access.ts, src/lib/resume/access.test.ts, src/lib/storage/upload.test.ts
resumeObjectBelongsToOrg and authorizeResumeRequest add org-scoped resume checks, and the Vitest node mocks cover the new Prisma/auth calls in node tests.
Resume routes use shared authorization
src/app/api/resumes/[...objectName]/route.ts, src/app/api/resumes/preview/[...objectName]/route.ts, src/app/api/resumes/[...objectName]/route.test.ts
The download route now runs in Node.js and both resume routes call authorizeResumeRequest before reading or converting stored files; the route test covers 401, 404, and 200 responses.

Sequence Diagram(s)

sequenceDiagram
  participant ResumeRoute as GET /api/resumes/[...objectName]
  participant AuthorizeResumeRequest as authorizeResumeRequest
  participant Auth as auth()
  participant PrismaUserFindUnique as prisma.user.findUnique
  participant ResumeObjectBelongsToOrg as resumeObjectBelongsToOrg
  participant PrismaApplicantFindFirst as prisma.applicant.findFirst
  participant ReadResumeObject as readResumeObject

  ResumeRoute->>AuthorizeResumeRequest: authorizeResumeRequest(storedObjectName)
  AuthorizeResumeRequest->>Auth: auth()
  AuthorizeResumeRequest->>PrismaUserFindUnique: lookup session.user.email
  AuthorizeResumeRequest->>ResumeObjectBelongsToOrg: verify object ownership
  ResumeObjectBelongsToOrg->>PrismaApplicantFindFirst: find matching resumeUrl
  AuthorizeResumeRequest-->>ResumeRoute: ok or error status
  ResumeRoute->>ReadResumeObject: read stored object on success
Loading

Possibly related issues

Poem

Hop, hop — the resume gate is set just right,
I sniff the org tag in the moonlit night.
PDFs stay tucked, previews bloom with grace,
A bunny approves this safer file-space. 🐇

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check ❓ Inconclusive The title is too vague and does not convey the change made in this pull request. Use a concise, specific title that summarizes the main change, such as adding resume access control and route authorization.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch main

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@RikepilB RikepilB merged commit f101a63 into master Jun 25, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant