Benjamin_Boenisch/breakpilot-compliance
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix proxy UUID validation: reject non-UUID tenant/user IDs and use defaults

Browse Source 
The training API client sends X-Tenant-ID: "default" which the proxy was
forwarding as-is, causing the backend to return 0 results. Now both proxies
validate that tenant/user IDs match UUID format before forwarding, falling
back to the configured defaults.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-02-26 15:55:09 +01:00
parent 20bc51b86c
commit 77a8170a6e
3 changed files with 11 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
admin-compliance/app/(sdk)/sdk/academy/new/page.tsx
View File

@@ -32,7 +32,7 @@ export default function NewCoursePage() {
// AI generation state - module selection // AI generation state - module selection
const [trainingModules, setTrainingModules] = useState<TrainingModule[]>([]) const [trainingModules, setTrainingModules] = useState<TrainingModule[]>([])
const [selectedModuleId, setSelectedModuleId] = useState('') const [selectedModuleId, setSelectedModuleId] = useState('')
const [modulesLoading, setModulesLoading] = useState(false) const [modulesLoading, setModulesLoading] = useState(true)
// Load training modules on mount // Load training modules on mount
useEffect(() => { useEffect(() => {

6
admin-compliance/app/api/sdk/v1/academy/[[...path]]/route.ts
View File

@@ -30,11 +30,13 @@ async function proxyRequest(
} }
// Forward identity headers for RBAC context // Forward identity headers for RBAC context
// Only use client-provided values if they look like UUIDs
const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
const userHeader = request.headers.get('x-user-id') const userHeader = request.headers.get('x-user-id')
headers['X-User-ID'] = userHeader || '00000000-0000-0000-0000-000000000001' headers['X-User-ID'] = (userHeader && uuidRegex.test(userHeader)) ? userHeader : '00000000-0000-0000-0000-000000000001'
const tenantHeader = request.headers.get('x-tenant-id') const tenantHeader = request.headers.get('x-tenant-id')
headers['X-Tenant-ID'] = tenantHeader || (process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e') headers['X-Tenant-ID'] = (tenantHeader && uuidRegex.test(tenantHeader)) ? tenantHeader : (process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e')
const fetchOptions: RequestInit = { const fetchOptions: RequestInit = {
method, method,

8
admin-compliance/app/api/sdk/v1/training/[[...path]]/route.ts
View File

@@ -33,8 +33,12 @@ async function proxyRequest(
} }
// Forward identity headers with defaults for RBAC context // Forward identity headers with defaults for RBAC context
headers['X-User-ID'] = request.headers.get('x-user-id') || '00000000-0000-0000-0000-000000000001' // Only use client-provided values if they look like UUIDs
headers['X-Tenant-ID'] = request.headers.get('x-tenant-id') || (process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e') const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
const clientUserId = request.headers.get('x-user-id')
const clientTenantId = request.headers.get('x-tenant-id')
headers['X-User-ID'] = (clientUserId && uuidRegex.test(clientUserId)) ? clientUserId : '00000000-0000-0000-0000-000000000001'
headers['X-Tenant-ID'] = (clientTenantId && uuidRegex.test(clientTenantId)) ? clientTenantId : (process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e')
const fetchOptions: RequestInit = { const fetchOptions: RequestInit = {
method, method,