Skip to content

Add corporate_id check to ProxyAuth middleware#44

Open
UsamaSadiq wants to merge 1 commit into
foss-sandboxfrom
usama/enforce-corporate-id-auth
Open

Add corporate_id check to ProxyAuth middleware#44
UsamaSadiq wants to merge 1 commit into
foss-sandboxfrom
usama/enforce-corporate-id-auth

Conversation

@UsamaSadiq

Copy link
Copy Markdown
Collaborator

Description

Add tenant isolation enforcement to Plane's ProxyAuth middleware. When SMB_CORPORATE_ID is configured, the middleware decodes the X-Auth-Request-Access-Token JWT and verifies that custom:corporate_id matches. Individual (non-corporate) tokens and mismatched corporate tokens are rejected with HTTP 403.

This closes the Bearer token bypass path where a user from SMB-A could access SMB-B's Plane instance via a valid Cognito JWT.

Enforcement is opt-in: when SMB_CORPORATE_ID is unset, the check is skipped entirely.

Testing

  • Set SMB_CORPORATE_ID=<uuid> in .env
  • Verify matching corporate users can access Plane normally
  • Verify mismatched corporate users get 403
  • Verify unset SMB_CORPORATE_ID allows all users (backward compatible)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant