fix(bundle): enforce metadata RBAC

[riderx]

Summary (AI generated)

• add the missing RBAC permission check to POST /bundle/metadata
• require app.upload_bundle before bundle metadata writes proceed
• add a route-level regression test proving denied writers are blocked before any database call

Motivation (AI generated)

GHSA-4x68-9j9p-frf5 reports that /bundle/metadata only enforced API key mode via middlewareKey(['all', 'write']) and skipped the RBAC layer used by the other bundle write endpoints. That allowed an API key with write mode but insufficient RBAC rights to update bundle metadata.

Business Impact (AI generated)

This closes an RBAC bypass on bundle metadata updates. It reduces the chance that a restricted member can change bundle links or comments and keeps bundle write behavior consistent across the API.

Test Plan (AI generated)

• bun run lint:backend
• bunx vitest run tests/bundle-metadata-rbac.unit.test.ts
• bun run supabase:with-env -- bunx vitest run tests/bundle.test.ts tests/bundle-error-cases.test.ts tests/bundle-metadata-rbac.unit.test.ts
• bun test:backend (current worktree is timing out in unrelated existing tests such as tests/channel_self.test.ts, tests/stats-download.test.ts, tests/updates.test.ts, tests/bundle-semver-validation.test.ts, and tests/cron_stat_org.test.ts)

Generated with AI

Summary by CodeRabbit

• Bug Fixes

  • Bundle metadata updates now require the app.upload_bundle permission. Requests from users without this permission will be rejected with an authorization error; authorized requests proceed normally.

• Tests

  • Added unit tests covering both denied and allowed permission scenarios to ensure permission checks and update behavior are enforced.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 828f9a4b-e562-4527-9b37-679c7671bd90

📥 Commits

Reviewing files that changed from the base of the PR and between 1ea3515 and c8c1753.

📒 Files selected for processing (1)

• tests/bundle-metadata-rbac.unit.test.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• tests/bundle-metadata-rbac.unit.test.ts

---

📝 Walkthrough

Walkthrough

Adds an RBAC permission check to the bundle metadata update handler requiring app.upload_bundle, and introduces unit tests that verify rejection when permission is denied and acceptance when permission is granted.

Changes

Cohort / File(s)	Summary
RBAC Permission Check Implementation supabase/functions/_backend/public/bundle/update_metadata.ts	Imported checkPermission and added an early runtime permission check requiring app.upload_bundle; returns an authorization error when denied. Removed an obsolete inline comment.
RBAC Guard Unit Tests tests/bundle-metadata-rbac.unit.test.ts	Added tests that mock RBAC, middleware, and Supabase API key resolution. Two cases: deny (expect HTTP 400 and no API key fetch) and allow (expect HTTP 200 and API key fetch). Includes helper mocks and request builder.

Sequence Diagram(s)

sequenceDiagram
  participant Client as Client
  participant Handler as BundleUpdateHandler
  participant RBAC as RBAC Service
  participant Supabase as Supabase API

  Client->>Handler: POST /bundle/update_metadata (appId, update payload)
  Handler->>RBAC: checkPermission(appId, "app.upload_bundle")
  alt permission denied
    RBAC-->>Handler: denied
    Handler-->>Client: 400 { error: "cannot_update_bundle_metadata" }
  else permission granted
    RBAC-->>Handler: granted
    Handler->>Supabase: fetch apikey / persist metadata
    Supabase-->>Handler: 200 OK
    Handler-->>Client: 200 { status: "ok" }
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I checked the gate with careful paws,
A tiny key between my claws,
If permission's true, the bundle flies,
If not — a polite, firm "no" replies,
Hoppity-hop, the guard saves the day! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix(bundle): enforce metadata RBAC' directly and concisely describes the main change: adding RBAC enforcement to bundle metadata updates.
Description check	✅ Passed	The PR description includes a summary of changes, motivation, business impact, and a comprehensive test plan. It covers all key sections from the template, though screenshots are appropriately omitted for backend changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/advisory-ghsa-4x68-bundle-metadata-rbac

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/bundle-metadata-rbac.unit.test.ts`:
- Around line 52-80: Convert the two tests that use it(...) to concurrent mode
by replacing it(...) with it.concurrent(...) for the test cases "rejects
metadata writes when upload permission is denied" and "allows metadata writes
when upload permission is granted"; keep the existing mock reset in beforeEach
(vi.clearAllMocks()) so checkPermissionMock and supabaseApikeyMock remain
isolated, and ensure any other tests in this file follow the same
it.concurrent(...) pattern to allow the test file to run in parallel.
- Around line 4-12: The top-level arrow function queryBuilderFactory should be
converted to a function declaration to satisfy the antfu/top-level-function
rule; replace the const queryBuilderFactory = () => ({ ... }) with a function
queryBuilderFactory() { return { select: vi.fn().mockReturnThis(), eq:
vi.fn().mockReturnThis(), single: vi.fn().mockResolvedValue({ data: { id: 123,
app_id: 'com.example.app' }, error: null }), update: vi.fn().mockReturnThis(),
}; } so the implementation and vi.fn mocks remain identical but use function
declaration syntax.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 22ddca38-cedd-4e5c-bd90-dd118042d25f

📥 Commits

Reviewing files that changed from the base of the PR and between 00c115e and 1ea3515.

📒 Files selected for processing (2)

• supabase/functions/_backend/public/bundle/update_metadata.ts
• tests/bundle-metadata-rbac.unit.test.ts

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud