QA security gap: no dynamic authz/IDOR test for no-REST Next.js server actions #7
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
The gap
For a Next.js app built on server actions + RLS with no REST endpoints, no QA domain runs a
dynamic, adversarial authorization test — i.e. forging a call to a server action with another
tenant's IDs to prove the permission check actually holds (a real IDOR attack, not just reading the
code that is supposed to prevent it).
Coverage for such an app today:
qa-code→ Static Security Reviewerqa-security-browserqa-security-apiSo
qa-security-apicleanly no-ops, andqa-security-browserexercises actions only as a logged-inuser would — neither forges a tampered cross-tenant request. The authz/IDOR invariants rest on static
review + RLS as defence-in-depth. Decent, but no automated attacker ever proves the rules.
Where it surfaced
Dogfooding outwrit #6 (append-only audit trail + admin viewer; Next.js server actions + RLS, no
REST).
/qa-codecaught the static security bugs (incl. CR-1 TRUNCATE wipe), but two access-rulefindings were deferred precisely because they are this class:
audit-injection vector. (outwrit sibling issue.)
is_org_admincheck.Neither would be caught by a dynamic regression test under the current domain model.
Candidate fix (not committed)
Let
qa-security-browseruse its already-authenticated browser session to fire directserver-action POSTs with tampered payloads/IDs — server actions are same-origin POST endpoints, so
the browser context can reach them without going through the UI. That closes the IDOR/authz hole for
no-REST Next.js apps without inventing a new domain.
Scope / severity
Known-limitation, not a blocker. Narrow but real, and specific to the no-REST server-actions stack
(increasingly common). Decide: extend
qa-security-browser, or document it as an accepted limit andlean on static review + RLS. Related to #6 (qa-design).