Enhance chat creation endpoint to check project access using user email
From the PR description
Fix Issue #1
Added an explicit authorisation check to POST /chat/create so chats can only be created against projects the caller can access.
In backend/src/routes/chat.ts, the route now reads userEmail from auth context and, when project_id is provided, calls checkProjectAccess(projectId, userId, userEmail, db) before insert. If access is denied, the endpoint now returns 404 Project not found and does not write a chat row. If access is allowed (owner or shared member), behaviour is unchanged and chat creation proceeds. This closes the app-layer project spoofing vector where authenticated users could previously create chats under arbitrary existing project_id values.
Commits in this PR (1)
| SHA | Subject | Author | Date |
|---|---|---|---|
| 69c283ee | Enhance chat creation endpoint to check project access using user email | ryanmcdonough | 2026-04-30 |