[HOTFIX] Add orgId to /api/cloud-tests/providers endpoint (#1926)

github-actions[bot] · chasprowebdev · Marfuen · web-flow · commit ae1787cd71fe · 2025-12-16T15:39:36.000-05:00
* fix(app): add orgId query parameter to /api/cloud-tests/providers endpoint

* fix(app): add auth check to api/cloud-tests/providers endpoint

* fix(app): verify if the user belongs to the org in cloud-tests/provider endpoint

* fix(app): update cloud-tests/findings endpoint to have orgId as query param

---------

Co-authored-by: chasprowebdev &lt;chasgarciaprowebdev@gmail.com&gt;
Co-authored-by: Mariano Fuentes &lt;marfuen98@gmail.com&gt;
diff --git a/apps/app/src/app/(app)/[orgId]/cloud-tests/components/TestsLayout.tsx b/apps/app/src/app/(app)/[orgId]/cloud-tests/components/TestsLayout.tsx
@@ -75,7 +75,7 @@ export function TestsLayout({ initialFindings, initialProviders, orgId }: TestsL
   const { disconnectConnection } = useIntegrationMutations();
 
   const { data: findings = initialFindings, mutate: mutateFindings } = useSWR<Finding[]>(
-    '/api/cloud-tests/findings',
+    `/api/cloud-tests/findings?orgId=${orgId}`,
     async (url) => {
       const res = await fetch(url);
       if (!res.ok) throw new Error('Failed to fetch');
@@ -89,7 +89,7 @@ export function TestsLayout({ initialFindings, initialProviders, orgId }: TestsL
   );
 
   const { data: providers = initialProviders, mutate: mutateProviders } = useSWR<Provider[]>(
-    '/api/cloud-tests/providers',
+    `/api/cloud-tests/providers?orgId=${orgId}`,
     async (url) => {
       const res = await fetch(url);
       if (!res.ok) throw new Error('Failed to fetch');
diff --git a/apps/app/src/app/api/cloud-tests/findings/route.ts b/apps/app/src/app/api/cloud-tests/findings/route.ts
@@ -1,20 +1,38 @@
 import { auth } from '@/utils/auth';
 import { db } from '@db';
 import { headers } from 'next/headers';
-import { NextResponse } from 'next/server';
+import { NextRequest, NextResponse } from 'next/server';
 
 const CLOUD_PROVIDER_SLUGS = ['aws', 'gcp', 'azure'];
 
-export async function GET() {
+export async function GET(request: NextRequest) {
   try {
     const session = await auth.api.getSession({
       headers: await headers(),
     });
 
-    const orgId = session?.session.activeOrganizationId;
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+    }
+
+    const { searchParams } = new URL(request.url);
+    const orgId = searchParams.get('orgId');
 
     if (!orgId) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+      return NextResponse.json({ error: 'Organization ID is required' }, { status: 400 });
+    }
+
+    // Verify the user belongs to the requested organization
+    const member = await db.member.findFirst({
+      where: {
+        userId: session.user.id,
+        organizationId: orgId,
+        deactivated: false,
+      },
+    });
+
+    if (!member) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
     }
 
     // ====================================================================
diff --git a/apps/app/src/app/api/cloud-tests/providers/route.ts b/apps/app/src/app/api/cloud-tests/providers/route.ts
@@ -2,7 +2,7 @@ import { auth } from '@/utils/auth';
 import { getManifest } from '@comp/integration-platform';
 import { db } from '@db';
 import { headers } from 'next/headers';
-import { NextResponse } from 'next/server';
+import { NextRequest, NextResponse } from 'next/server';
 
 const CLOUD_PROVIDER_SLUGS = ['aws', 'gcp', 'azure'];
 
@@ -24,16 +24,34 @@ const getRequiredVariables = (providerSlug: string): string[] => {
   return Array.from(requiredVars);
 };
 
-export async function GET() {
+export async function GET(request: NextRequest) {
   try {
     const session = await auth.api.getSession({
       headers: await headers(),
     });
 
-    const orgId = session?.session.activeOrganizationId;
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+    }
+
+    const { searchParams } = new URL(request.url);
+    const orgId = searchParams.get('orgId');
 
     if (!orgId) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+      return NextResponse.json({ error: 'Organization ID is required' }, { status: 400 });
+    }
+
+    // Verify the user belongs to the requested organization
+    const member = await db.member.findFirst({
+      where: {
+        userId: session.user.id,
+        organizationId: orgId,
+        deactivated: false,
+      },
+    });
+
+    if (!member) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
     }
 
     // Fetch from NEW integration platform (IntegrationConnection)
