fix auth bypass on picker endpoint, async safety, and picker error handling

CREDO23 · CREDO23 · commit cf8f70da2b77 · 2026-03-10T23:21:35.000+02:00
- Add check_permission to drive-picker-token endpoint (IDOR fix)
- Use get_composio_service singleton + asyncio.to_thread to avoid blocking the event loop
- Sanitize error detail in 500 response to prevent internal info leakage
- Dispose picker on unmount to prevent orphaned overlay
- Surface error state on Google Picker Action.ERROR instead of silently closing
diff --git a/surfsense_backend/app/routes/search_source_connectors_routes.py b/surfsense_backend/app/routes/search_source_connectors_routes.py
@@ -52,7 +52,9 @@
     SearchSourceConnectorRead,
     SearchSourceConnectorUpdate,
 )
-from app.services.composio_service import ComposioService
+import asyncio
+
+from app.services.composio_service import ComposioService, get_composio_service
 from app.services.notification_service import NotificationService
 from app.tasks.connector_indexers import (
     index_airtable_records,
@@ -3080,6 +3082,14 @@ async def get_drive_picker_token(
     if not connector:
         raise HTTPException(status_code=404, detail="Connector not found")
 
+    await check_permission(
+        session,
+        user,
+        connector.search_space_id,
+        Permission.CONNECTORS_READ.value,
+        "You don't have permission to access this connector",
+    )
+
     if connector.connector_type not in DRIVE_CONNECTOR_TYPES:
         raise HTTPException(
             status_code=400,
@@ -3113,8 +3123,8 @@ async def get_drive_picker_token(
                 status_code=400,
                 detail="Composio connected account not found. Please reconnect.",
             )
-        service = ComposioService()
-        access_token = service.get_access_token(composio_account_id)
+        service = get_composio_service()
+        access_token = await asyncio.to_thread(service.get_access_token, composio_account_id)
         return {
             "access_token": access_token,
             "client_id": config.GOOGLE_OAUTH_CLIENT_ID,
@@ -3127,5 +3137,5 @@ async def get_drive_picker_token(
         logger.error(f"Failed to get Drive picker token: {e!s}", exc_info=True)
         raise HTTPException(
             status_code=500,
-            detail=f"Failed to retrieve access token: {e!s}",
+            detail="Failed to retrieve access token. Check server logs for details.",
         ) from e
diff --git a/surfsense_web/hooks/use-google-picker.ts b/surfsense_web/hooks/use-google-picker.ts
@@ -87,7 +87,14 @@ export function useGooglePicker({ connectorId, onPicked }: UseGooglePickerOption
 			}
 		};
 		window.addEventListener("keydown", onEscape);
-		return () => window.removeEventListener("keydown", onEscape);
+		return () => {
+			window.removeEventListener("keydown", onEscape);
+			if (pickerRef.current) {
+				pickerRef.current.dispose();
+				pickerRef.current = null;
+			}
+			openingRef.current = false;
+		};
 	}, [closePicker]);
 
 	const openPicker = useCallback(async () => {
@@ -147,13 +154,17 @@ export function useGooglePicker({ connectorId, onPicked }: UseGooglePickerOption
 						}
 					}
 
-					if (
-						action === google.picker.Action.PICKED ||
-						action === google.picker.Action.CANCEL ||
-						action === google.picker.Action.ERROR
-					) {
-						closePicker();
-					}
+				if (action === google.picker.Action.ERROR) {
+					setError("Google Drive encountered an error. Please try again.");
+				}
+
+				if (
+					action === google.picker.Action.PICKED ||
+					action === google.picker.Action.CANCEL ||
+					action === google.picker.Action.ERROR
+				) {
+					closePicker();
+				}
 				})
 				.build();
 
