fix: RLS auth bypass for signup/login flows

- Add set_config('app.tenant_id') before user INSERT in signup tx - Add 004_auth_rls_fix.sql: permissive SELECT on users/api_keys for auth lookups, INSERT on users with tenant context check - db-setup now runs migrations on every up (idempotent)
2026-03-03 05:38:25 +00:00
parent 1d068c3f75
commit 76715d169e
11 changed files with 127 additions and 0 deletions
--- a/products/05-aws-cost-anomaly/migrations/004_auth_rls_fix.sql
+++ b/products/05-aws-cost-anomaly/migrations/004_auth_rls_fix.sql
@@ -0,0 +1,18 @@
+-- Fix RLS for auth operations (login/signup)
+-- Login needs to SELECT users by email before tenant context is known.
+-- Signup needs to check for duplicate emails and INSERT new users.
+
+-- Allow SELECT on users without tenant context (for login email lookup + signup dupe check)
+CREATE POLICY auth_select_users ON users
+    FOR SELECT
+    USING (true);
+
+-- Allow INSERT on users when tenant context is set (signup sets it via set_config)
+CREATE POLICY auth_insert_users ON users
+    FOR INSERT
+    WITH CHECK (tenant_id::text = current_setting('app.tenant_id', true));
+
+-- Allow SELECT on api_keys without tenant context (for API key auth lookup)
+CREATE POLICY auth_select_api_keys ON api_keys
+    FOR SELECT
+    USING (true);
--- a/products/05-aws-cost-anomaly/src/auth/middleware.ts
+++ b/products/05-aws-cost-anomaly/src/auth/middleware.ts
@@ -222,6 +222,9 @@ export function registerAuthRoutes(app: FastifyInstance, jwtSecret: string, pool
        role = 'owner';
      }

+      // Set tenant context for RLS before inserting user
+      await client.query("SELECT set_config('app.tenant_id', $1, true)", [tenantId]);
+
      const user = await client.query(
        `INSERT INTO users (tenant_id, email, password_hash, role) VALUES ($1, $2, $3, $4) RETURNING id`,
        [tenantId, body.email, passwordHash, role],