fix(security): close Critical IDOR/authz gaps (C-1/C-2)

C-1: messaging endpoints now enforce channel participation (public channels open; private require channel_members). authorUserId is forced to the authenticated user (no more author spoofing); edit/ delete require message-author ownership; history read gated too. C-2: PUT /commands body strictly validated + size-capped via SyncCommandsDto (kills catalog poisoning / DoS). Optional FABRIC_BACKEND_GUILD_COMMANDS_SYNC_KEY restricts the write to the plugin when set; never weaker than before when unset. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 17:47:08 +01:00
parent 3e96de730a
commit e45ad91340
4 changed files with 181 additions and 14 deletions
--- a/src/messaging/messaging.module.ts
+++ b/src/messaging/messaging.module.ts
@@ -2,12 +2,13 @@ import { Module } from '@nestjs/common';
 import { TypeOrmModule } from '@nestjs/typeorm';
 import { MessagingController } from './messaging.controller.js';
 import { Channel } from '../entities/channel.entity.js';
+import { ChannelMember } from '../entities/channel-member.entity.js';
 import { Message } from '../entities/message.entity.js';
 import { IdempotencyRecord } from '../entities/idempotency-record.entity.js';
 import { WakeMapping } from '../entities/wake-mapping.entity.js';

@Module({
-  imports: [TypeOrmModule.forFeature([Channel, Message, IdempotencyRecord, WakeMapping])],
+  imports: [TypeOrmModule.forFeature([Channel, ChannelMember, Message, IdempotencyRecord, WakeMapping])],
  controllers: [MessagingController],
 })
 export class MessagingModule {}