This PR fixes a bug where sharing a secret from an org to a non-org user was encountering an error due to the spread order overwriting the audit log org Id
Screenshots
N/A
Steps to verify the change
BEFORE PULLING PR - share a secret from an org, open the link in incognito, see error
pull changes, refresh, no error
Type
Fix
Feature
Improvement
Breaking
Docs
Chore
Checklist
Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
This PR fixes a one-line bug in the POST /:id/access (access shared secret) route where the spread order of the createAuditLog call caused orgId: sharedSecret.orgId to be silently overwritten by ...req.auditLogInfo — which carries orgId: undefined for unauthenticated (non-org) users — resulting in an error when a shared secret scoped to an org was opened in an anonymous session.
The core fix is correct: placing orgId: sharedSecret.orgId after ...req.auditLogInfo ensures the explicit value wins the spread merge.
Two other createAuditLog calls in the same file (CREATE_SHARED_SECRET at line 299 and DELETE_SHARED_SECRET at line 350) still use the pre-fix ordering (orgId before the spread). These are not currently buggy because those routes require authentication, but they are inconsistent with the fixed pattern and could mask future regressions.
Confidence Score: 4/5
Safe to merge — the fix is minimal, correct, and well-scoped to the reported bug.
The change is a single two-line reorder that directly addresses the root cause (spread overwriting an explicit property). No logic is added or removed. The only concern is that two sibling audit log calls in the same file retain the old ordering, but they do not trigger the bug today since their routes require authentication.
Attention should be paid to the createSharedSecret and deleteSharedSecret audit log calls (lines 299 and 350) for ordering consistency.
Fixes spread ordering in the accessSharedSecret audit log call so orgId: sharedSecret.orgId is not overwritten by ...req.auditLogInfo; two other audit log calls in this file (CREATE and DELETE routes) still use the old ordering pattern, though they are not buggy in practice since those routes require authentication.
Comments Outside Diff (1)
backend/src/server/routes/v1/secret-sharing-router.ts, line 299-301
Inconsistent spread ordering — same root cause as the fixed bug
The CREATE_SHARED_SECRET (line 299) and DELETE_SHARED_SECRET (line 350) audit log calls still put orgId before ...req.auditLogInfo, which is the same ordering that this PR is fixing in the /access route.
In practice this doesn't cause a bug today because both routes are protected by verifyAuth, so req.auditLogInfo.orgId will match req.permission.orgId. However, for consistency and to guard against future regressions, the safer pattern used in the fix (explicit orgId placed after the spread) should be applied everywhere in this file.
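The spread-ordering behaviour discussed in this review, as an added JavaScript example that is not code from the PR or the project: the function names, field values and the shape of the request context are constructed for illustration. It also shows that a key which is present but undefined overwrites an earlier value, while an absent key does not.

```javascript
// Added illustration: all names and values are constructed, not the project's code.

// Anonymous session: the orgId key exists but is undefined, as the review describes.
const anonymousInfo = { ipAddress: "203.0.113.7", userAgent: "constructed-agent", orgId: undefined };
// Hypothetical context that carries no orgId key at all.
const infoWithoutOrgKey = { ipAddress: "203.0.113.7", userAgent: "constructed-agent" };
const sharedSecret = { id: "secret-constructed-1", orgId: "org-constructed-1" };

// Pre-fix ordering: later properties win, so the spread's orgId replaces the
// explicit one even when the spread's value is undefined.
function buildAuditLogBefore(info, secret) {
  return { orgId: secret.orgId, ...info, secretId: secret.id };
}

// Post-fix ordering: the explicit orgId is written last and survives the merge.
function buildAuditLogAfter(info, secret) {
  return { ...info, orgId: secret.orgId, secretId: secret.id };
}

// Defensive variant: pinned fields always follow the spread, and a record that
// would be written without one of them is rejected instead of stored.
function withPinnedFields(info, pinned) {
  for (const [key, value] of Object.entries(pinned)) {
    if (value === undefined || value === null) {
      throw new TypeError(`audit log field "${key}" must be set`);
    }
  }
  return { ...info, ...pinned };
}

// Keys the pre-fix ordering would silently lose: present in both objects with
// a different value in the spread source. Usable as a unit-test assertion.
function clobberedKeys(explicit, spreadSource) {
  return Object.keys(explicit).filter(
    (key) =>
      Object.prototype.hasOwnProperty.call(spreadSource, key) &&
      spreadSource[key] !== explicit[key]
  );
}
```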