pr-review-appsec-vendored

# Stack-Specific Application Security Checks

Security patterns specific to this repo's technology stack.

## How to Use This Checklist

- Review changed files against the relevant sections below.
- Not every section applies to every PR — better-auth checks apply to auth code, SpiceDB checks apply to `.zed` files and permission-check code, Next.js RSC checks apply to components with `'use server'` or `'use client'` directives.
- When unsure whether a pattern is vulnerable, lower confidence rather than asserting.

---

## §1 better-auth

- **SSO session missing organization context**: After SSO callback, `activeOrganizationId` is not explicitly set on the session. better-auth does not auto-set this — downstream code reading `session.activeOrganizationId` gets `undefined`, silently bypassing org-scoped authorization. Flag SSO callback handlers or `afterSignIn` hooks that do not call `setActiveOrganization()`.

- **SSO auto-provisioning bypasses membership hooks**: SSO auto-provisioning creates organization memberships directly, bypassing `beforeAddMember` hooks. Any gating logic (role assignment, approval workflows, seat limits) in those hooks is silently circumvented. Flag SSO config with `autoProvision: true` where `beforeAddMember` hooks enforce business rules.

- **Triple onboarding path creates duplicate memberships**: Three independent paths can create memberships: invitation acceptance, SSO auto-provisioning, and SCIM provisioning. Each may assign different roles, creating duplicates with conflicting permissions. Flag membership creation in invitation handlers, SSO callbacks, AND SCIM endpoints without a shared upsert-or-reconcile layer.

- **Social providers not enforceable per-tenant at runtime**: better-auth freezes social provider configuration at startup. Per-tenant control ("Tenant A allows Google SSO, Tenant B does not") can only be enforced via UI-layer gating, which is bypassable by calling the auth endpoint directly. Flag tenant-specific social auth restrictions implemented only in UI conditional rendering.

---

## §2 SpiceDB / AuthZed

- **LookupResources unbounded with wildcard schemas**: `LookupResources` on schemas with wildcard relations (`user:*`) fans out across all matching resources — unbounded latency or OOM. Flag `client.lookupResources()` calls without `optionalLimit` on relations that include wildcard grants. Check `.zed` files for `user:*` or `#viewer@user:*`.

- **Intersection operator latency on critical paths**: The intersection operator (`&`) in SpiceDB cannot short-circuit — both sides are always fully evaluated, doubling cost on expensive relations. Flag `.zed` files with `permission <name> = <relation1> & <relation2>` on permissions checked in hot request paths.

---

## §3 Security Operations

- **Re-authentication missing for sensitive operations**: Endpoints for email change, password change, MFA modification, or account deletion that accept the operation with only a valid session — no current-password confirmation. A stolen session or CSRF grants full account takeover. Flag `PATCH /user/email`, `PATCH /user/password`, `DELETE /user`, `POST /user/mfa/disable` handlers where the only auth check is session validity.

- **Security event logging absent**: Authentication failures, authorization denials, and rate-limit triggers are not logged. Without these, incident detection is impossible. Distinct from business audit trails (which log successful mutations). Flag login failure paths that return 401 without logging, authorization middleware returning 403 without logging, rate-limit triggers without logging.

---

## §4 Next.js / React Server Components

- **Secrets as string literals in Server Functions**: Server Function source code can be exposed via React Flight protocol vulnerabilities. Secrets accessed via `process.env` are safe (only the reference is in source); literal strings would be exposed. Flag secret patterns (`sk-*`, `pk-*`, connection strings, long hex/base64) in `'use server'` files. Safe: `process.env.SECRET_NAME`.

- **Server Action closure captures server-side variables**: React serializes Server Action closures to the client. Variables captured in the closure (database records, user objects, internal IDs) are visible in the client bundle. Flag `'use server'` functions inside parent functions that close over `const user = await db.query(...)` or similar.

- **Server-to-Client Component prop serialization**: Props crossing the Server → Client Component boundary are serialized and sent to the browser. Passing a full user record as a prop exposes it, even if the Client Component never renders those fields. Flag Server Components passing `user`, `session`, `account`, or query results as props to `'use client'` components. Safe: pass only needed fields.

- **NEXT_PUBLIC_ prefix on sensitive environment variables**: Next.js bundles any `NEXT_PUBLIC_`-prefixed env var into client JS. Without the prefix, env vars are server-only. Flag `.env*` files or `next.config.*` with `NEXT_PUBLIC_` prefix on database URLs, API keys, signing secrets, internal service URLs, auth credentials.

- **ISR/static generation caches sensitive data**: ISR and static generation cache page output as public static files served without auth. Flag `getStaticProps` or ISR-configured pages (`revalidate: N`) that call authenticated APIs or query user/tenant-specific data. Safe: only cache public, non-sensitive content.

---

## Severity Calibration

| Finding | Severity | Rationale |
|---|---|---|
| SSO session missing org context | CRITICAL | Silent authorization bypass |
| Re-auth missing for sensitive ops | CRITICAL | Session hijack → account takeover |
| Secrets in Server Functions | CRITICAL | Secret exposure via React Flight |
| SSO auto-provisioning bypasses hooks | MAJOR | Membership gating circumvented |
| Triple onboarding duplicates | MAJOR | Conflicting permissions |
| LookupResources unbounded | MAJOR | DoS on SpiceDB |
| Security event logging absent | MAJOR | Incident detection impossible |
| Closure captures server vars | MAJOR | Data serialized to client |
| RSC prop serialization | MAJOR | User data in client bundle |
| NEXT_PUBLIC_ on secrets | MAJOR | Secrets in client JS |
| ISR caches sensitive data | MAJOR | Auth data served publicly |
| Social providers not per-tenant enforceable | MINOR | UI-only gating, bypassable |
| Intersection operator on hot paths | MINOR | Performance, not direct vuln |