fix(auth): lookup user role from membership for mesh JWT and API keys #2137
Conversation
1 issue found across 1 file
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="apps/mesh/src/core/context-factory.ts">
<violation number="1" location="apps/mesh/src/core/context-factory.ts:478">
P1: Role lookup query doesn't filter by organization. A user with memberships in multiple organizations could get the wrong role (e.g., 'member' role from Org A instead of 'owner' from Org B), breaking the admin/owner bypass. Add `.where("member.organizationId", "=", meshJwtPayload.metadata?.organizationId)` to scope the query.</violation>
</file>
| // Look up user's organization role for admin/owner bypass | ||
| let role: string | undefined; | ||
| if (meshJwtPayload.sub) { | ||
| const membership = await db |
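Review bot: the awaited membership lookup starting here runs inside the block that validates the mesh JWT, so a thrown database error (connection loss, timeout) is indistinguishable from an invalid token and the request falls through to the next auth method with nothing logged. Move the lookup out of that try, or wrap it in its own catch that logs the failure and rethrows, so a transient database fault is surfaced as a server error rather than silently denying an authenticated user.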
P1: Role lookup query doesn't filter by organization. A user with memberships in multiple organizations could get the wrong role (e.g., 'member' role from Org A instead of 'owner' from Org B), breaking the admin/owner bypass. Add .where("member.organizationId", "=", meshJwtPayload.metadata?.organizationId) to scope the query.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/mesh/src/core/context-factory.ts, line 478:
<comment>Role lookup query doesn't filter by organization. A user with memberships in multiple organizations could get the wrong role (e.g., 'member' role from Org A instead of 'owner' from Org B), breaking the admin/owner bypass. Add `.where("member.organizationId", "=", meshJwtPayload.metadata?.organizationId)` to scope the query.</comment>
<file context>
@@ -472,10 +472,22 @@ async function authenticateRequest(
+ // Look up user's organization role for admin/owner bypass
+ let role: string | undefined;
+ if (meshJwtPayload.sub) {
+ const membership = await db
+ .selectFrom("member")
+ .select(["member.role"])
</file context>
✅ Addressed in de852d5
Previously, mesh JWT tokens and API keys didn't include the user's organization role, preventing admin/owner bypass in access control. This adds role lookup from the member table for both auth methods.
This PR is being reviewed by Cursor Bugbot
| .select(["member.role"]) | ||
| .where("member.userId", "=", meshJwtPayload.sub) | ||
| .executeTakeFirst(); | ||
| role = membership?.role; |
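Review bot: `.where("member.userId", "=", meshJwtPayload.sub)` followed by `.executeTakeFirst()` has no organization predicate and no ordering, so for a user with several memberships the row returned is whichever the database yields first, and `role` may come from a different organization than the one the token is scoped to. Add `.where("member.organizationId", "=", meshJwtPayload.metadata?.organizationId)` (skipping the lookup when the metadata carries no organization) so the bypass decision is made against the organization the request targets.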
DB error in role lookup silently fails valid authentication
The new database queries for role lookup are placed inside try blocks designed only for JWT/API key validation errors. If the database query throws (connection error, timeout, etc.), the exception is caught by the outer catch block, causing valid authentication to silently fail. For Mesh JWT, there's no logging at all - the code just proceeds to try API key authentication. For API keys, the error is logged with a misleading message. A transient database error would cause authenticated users to unexpectedly lose access.
| user: { | ||
| id: meshJwtPayload.sub, | ||
| connectionId: meshJwtPayload.metadata?.connectionId, | ||
| role, |
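Review bot: `role` is set only inside `user` here, while the session auth path returns `role` both on `user` and at the top level of the result; callers that read the top-level `role` will still see `undefined` for mesh JWT and API key auth. Return `role` alongside `user` in this object (and in the API key branch) so all three auth paths produce the same shape.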
Missing top-level role breaks bypass in two code paths
The PR adds role to the user object for Mesh JWT and API key authentication, but fails to also set the top-level role property in the return object. Session auth correctly returns both user.role AND a top-level role. However, the top-level role is what's used by createBoundAuthClient (line 674) and the main AccessControl instance (line 705) for the built-in role bypass. Since authResult.role will be undefined for Mesh JWT and API key auth, the admin/owner bypass won't work in boundAuth.hasPermission() or the default access instance—only the proxy-specific AccessControl instances that use ctx.auth.user?.role will correctly bypass.
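The three review findings above (role lookup not scoped to the organization, database errors caught by the token-validation catch, and the missing top-level `role`) can be addressed together. The following is an added example, not code from the mesh project or from this PR: `MembershipStore`, `InMemoryMembershipStore`, `RoleLookupError`, `lookupOrganizationRole` and `authenticateWithMeshJwt` are all assumed names standing in for the project's `member` table query and `authenticateRequest`, and the sample memberships are constructed.

```typescript
// Added example, not code from the mesh project: an organization-scoped role
// lookup kept separate from token validation, returning `role` both on `user`
// and at the top level of the auth result. All names here are assumptions.

type Membership = { userId: string; organizationId: string; role: string };

// Stand-in for the `member` table; a real implementation would run the query.
interface MembershipStore {
  findByUser(userId: string): Membership[]; // throws on infrastructure failure
}

class InMemoryMembershipStore implements MembershipStore {
  constructor(private readonly rows: Membership[], private readonly failing = false) {}
  findByUser(userId: string): Membership[] {
    if (this.failing) throw new Error("connection refused"); // simulated outage
    return this.rows.filter((r) => r.userId === userId);
  }
}

// Distinguishes an infrastructure fault from "user is not a member".
class RoleLookupError extends Error {}

// Role held by `userId` in exactly one organization, or undefined if not a member.
function lookupOrganizationRole(
  store: MembershipStore,
  userId: string,
  organizationId: string,
): string | undefined {
  let rows: Membership[];
  try {
    rows = store.findByUser(userId);
  } catch (err) {
    throw new RoleLookupError(`membership lookup failed: ${(err as Error).message}`);
  }
  // Scope to the organization: with several memberships, an unscoped
  // "take first" query would return an arbitrary row.
  const inOrg = rows.filter((r) => r.organizationId === organizationId);
  if (inOrg.length > 1) {
    throw new RoleLookupError(`user ${userId} has ${inOrg.length} memberships in ${organizationId}`);
  }
  return inOrg[0]?.role;
}

type MeshJwtPayload = {
  sub?: string;
  metadata?: { organizationId?: string; connectionId?: string };
};

type AuthResult = {
  user: { id: string; connectionId?: string; role?: string };
  role?: string; // top-level copy, matching the session-auth shape
};

// Returns null for an invalid token (the caller may try the next auth method)
// but propagates RoleLookupError so a DB fault is never reported as bad credentials.
function authenticateWithMeshJwt(
  token: string,
  verify: (t: string) => MeshJwtPayload, // assumed: throws on an invalid token
  store: MembershipStore,
  log: (message: string) => void,
): AuthResult | null {
  let payload: MeshJwtPayload;
  try {
    payload = verify(token);
  } catch {
    return null;
  }
  if (!payload.sub) return null;

  let role: string | undefined;
  const organizationId = payload.metadata?.organizationId;
  if (organizationId) {
    try {
      role = lookupOrganizationRole(store, payload.sub, organizationId);
    } catch (err) {
      log(`role lookup failed for ${payload.sub}: ${(err as Error).message}`);
      throw err; // infrastructure fault: do not fall through to the next auth method
    }
  }
  return {
    user: { id: payload.sub, connectionId: payload.metadata?.connectionId, role },
    role,
  };
}

// Constructed sample data: one user who is a member of orgA and an owner of orgB.
const SAMPLE_MEMBERSHIPS: Membership[] = [
  { userId: "u1", organizationId: "orgA", role: "member" },
  { userId: "u1", organizationId: "orgB", role: "owner" },
];

const sampleResult = authenticateWithMeshJwt(
  "token",
  () => ({ sub: "u1", metadata: { organizationId: "orgB", connectionId: "c1" } }),
  new InMemoryMembershipStore(SAMPLE_MEMBERSHIPS),
  console.error,
);
console.log(sampleResult?.role, sampleResult?.user.role);
```

The same lookup can serve the API key branch, since only the source of `userId` and `organizationId` differs; the one design choice worth keeping is that `RoleLookupError` escapes `authenticateWithMeshJwt` instead of being swallowed, so an outage shows up as a server error in logs rather than as a spurious authentication failure.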
Co-authored-by: viktor <[email protected]>
Summary by cubic
Fixes missing organization role in auth for mesh JWTs and API keys. We now look up member.role by userId and attach it to user in the request context, so admin/owner bypass works.
Written for commit b1a752e.
Note
Adds role resolution to Bearer-token auth paths: looks up member.role (by userId + organization) and sets user.role in the returned auth context, so AccessControl can use the populated role.
Written by Cursor Bugbot for commit de852d5.