12 changes: 12 additions & 0 deletions README.md
Expand Up @@ -79,6 +79,18 @@ The `/healthz` endpoint is intentionally unauthenticated so it can be
hit by orchestrators (Docker `HEALTHCHECK`, Kubernetes liveness, uptime
monitors) without sharing a credential.

### Secure-404 on cross-tenant access

Single-row GET / PATCH / DELETE endpoints return `404 Not Found` —
not `403 Forbidden` — when a non-master key references a row in a
different company's scope. The two outcomes look identical from the
client's side so a scoped caller can't probe sequential IDs to
enumerate the size of another tenant's table by status code. Master
keys still see all rows. The same pattern applies across all 16
single-row entity endpoints; the auth-scope check that produces it
is the same `getCompanyId(...) !== row.<entity>CompId` comparison
the controllers use for the 403 paths on other surfaces.

![example image](https://github.com/CryptoJones/TimeTrackerAPI/blob/master/setup/postman_example.PNG?raw=true)

*(authKey example using Postman)*
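Review bot: "The two outcomes look identical from the client's side" (second sentence of the new section) names only one outcome, the cross-tenant 404; the sentence should state the actual equivalence, namely that a 404 for a row in another company's scope is indistinguishable from the 404 for an ID that does not exist at all, since that is what stops a scoped caller telling "exists elsewhere" apart from "does not exist". While you are there, say that the response body and headers match in both cases too, not just the status code, because a different error message or content length reopens the same oracle, and that the scope check runs after the row lookup on the same code path so a present-but-foreign row does not answer measurably faster or slower than a missing one. The closing sentence also deserves a caveat: if the same `getCompanyId(...) !== row.<entity>CompId` comparison produces 403 on "other surfaces", those surfaces do confirm that a foreign row exists, so either name them so readers know where existence is disclosed or state why that is acceptable there. Finally, "all 16 single-row entity endpoints" is a claim a reader cannot verify from this paragraph; a link to the route list or controller directory would make it checkable.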