Security: Add transaction wrapper to prevent TOCTOU vulnerabilities

calebbourg · calebbourg · commit bbe89131db81 · 2025-12-10T16:49:30.000-05:00
Wrap role-based data access in a database transaction to eliminate
Time-of-Check to Time-of-Use (TOCTOU) race conditions.

Changes:
1. Update entity_api coaching relationship functions to accept ConnectionTrait
   - find_by_organization_with_user_names: &amp;DatabaseConnection -&gt; &amp;impl ConnectionTrait
   - find_by_user_and_organization_with_user_names: &amp;DatabaseConnection -&gt; &amp;impl ConnectionTrait
   - Now compatible with both database connections and transactions

2. Wrap domain::coaching_relationship function in transaction
   - Begin transaction before role check
   - Execute all queries within transaction scope
   - Commit transaction after data retrieval
   - Ensures atomic snapshot of database state

Security Benefits:
- Prevents race condition where user roles change between check and data access
- Provides REPEATABLE READ isolation level guarantees (PostgreSQL default)
- Ensures consistent view of user permissions and accessible data
- Eliminates window for privilege escalation during query execution

The transaction ensures that the role check and coaching relationship
retrieval see the same consistent snapshot of the database, preventing
scenarios where a user's admin privileges are revoked mid-query but they
still receive admin-level data.

All existing tests pass with no behavioral changes.
diff --git a/domain/src/coaching_relationship.rs b/domain/src/coaching_relationship.rs
@@ -2,7 +2,7 @@ use crate::coaching_relationships::Model;
 use crate::error::{DomainErrorKind, EntityErrorKind, Error, InternalErrorKind};
 use entity_api::query::{IntoQueryFilterMap, QuerySort};
 use entity_api::{coaching_relationships, query};
-use sea_orm::DatabaseConnection;
+use sea_orm::{DatabaseConnection, TransactionTrait};
 
 pub use entity_api::coaching_relationship::{
     create, find_by_id, find_by_organization_with_user_names, find_by_user,
@@ -27,13 +27,25 @@ where
 /// - SuperAdmins (global role with organization_id = NULL) see all relationships in the organization
 /// - Admins (organization-specific role) see all relationships in their organization
 /// - Regular users see only relationships where they are the coach or coachee
+///
+/// This function uses a database transaction to prevent Time-of-Check to Time-of-Use (TOCTOU)
+/// vulnerabilities by ensuring the role check and data retrieval happen atomically within
+/// a consistent database snapshot.
 pub async fn find_by_organization_for_user_with_user_names(
     db: &DatabaseConnection,
     user_id: crate::Id,
     organization_id: crate::Id,
 ) -> Result<Vec<CoachingRelationshipWithUserNames>, Error> {
+    // Begin transaction to ensure atomicity and prevent TOCTOU vulnerabilities
+    let txn = db.begin().await.map_err(|e| Error {
+        source: Some(Box::new(e)),
+        error_kind: DomainErrorKind::Internal(InternalErrorKind::Entity(
+            EntityErrorKind::DbTransaction,
+        )),
+    })?;
+
     // Check if user has admin access using entity_api layer
-    let is_admin = entity_api::user::has_admin_access(db, user_id, organization_id)
+    let is_admin = entity_api::user::has_admin_access(&txn, user_id, organization_id)
         .await
         .map_err(|e| Error {
             source: Some(Box::new(e)),
@@ -44,11 +56,19 @@ pub async fn find_by_organization_for_user_with_user_names(
 
     let coaching_relationships = if is_admin {
         // Admin users see all relationships in the organization
-        find_by_organization_with_user_names(db, organization_id).await?
+        find_by_organization_with_user_names(&txn, organization_id).await?
     } else {
         // Regular users see only relationships they're associated with (as coach or coachee)
-        find_by_user_and_organization_with_user_names(db, user_id, organization_id).await?
+        find_by_user_and_organization_with_user_names(&txn, user_id, organization_id).await?
     };
 
+    // Commit transaction
+    txn.commit().await.map_err(|e| Error {
+        source: Some(Box::new(e)),
+        error_kind: DomainErrorKind::Internal(InternalErrorKind::Entity(
+            EntityErrorKind::DbTransaction,
+        )),
+    })?;
+
     Ok(coaching_relationships)
 }
diff --git a/entity_api/src/coaching_relationship.rs b/entity_api/src/coaching_relationship.rs
@@ -125,7 +125,7 @@ pub async fn find_by_organization(
 }
 
 pub async fn find_by_organization_with_user_names(
-    db: &DatabaseConnection,
+    db: &impl ConnectionTrait,
     organization_id: Id,
 ) -> Result<Vec<CoachingRelationshipWithUserNames>, Error> {
     let coaches = Alias::new("coaches");
@@ -160,7 +160,7 @@ pub async fn find_by_organization_with_user_names(
 }
 
 pub async fn find_by_user_and_organization_with_user_names(
-    db: &DatabaseConnection,
+    db: &impl ConnectionTrait,
     user_id: Id,
     organization_id: Id,
 ) -> Result<Vec<CoachingRelationshipWithUserNames>, Error> {
