Fix broken authz check for GET /api/orders/:id

[fuzziecoder]

Motivation

• The orders detail endpoint relied only on the presence of an Authorization header, allowing malformed or fake headers to access orders across users and exposing sensitive data.
• Requests must validate bearer tokens and enforce that only admins or the owner of an order can read its details.

Description

• Added bearer token parsing and user resolution helpers (parseBearerToken, getUserFromAuthHeader) in backend/server.js and wired them into the GET /api/orders/:id route to validate tokens and identify the requesting user.
• Enforced authorization rules in GET /api/orders/:id so requests without a valid demo token return 401 Unauthorized, non-admin users requesting others' orders return 403 Forbidden, and admins retain full access.
• Added database.getUserById in backend/db.js to safely resolve a demo token owner without exposing password data.
• Kept existing behavior for listing orders and order creation untouched while using the new user-resolution helper for order-level access control.

Testing

• Performed static syntax checks with node --check backend/server.js and node --check backend/db.js, both succeeded.
• Ran automated smoke tests by starting the backend and exercising the API with curl to log in and call GET /api/orders/:id, which confirmed: admin access 200, owner access 200, malformed header 401, unknown/fake token 401, and non-owner user access 403 (all checks passed).

---

Codex Task

---

Summary by CodeRabbit

• New Features
  • Bearer token-based authentication now required for order API endpoints
  • Authorization checks implemented to restrict order access to authenticated users and administrators

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
brocode-spot-update-app	Ready	Preview, Comment	Feb 24, 2026 8:18am

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between b16f8e4 and 0e2194c.

📒 Files selected for processing (2)

• backend/db.js
• backend/server.js

---

📝 Walkthrough

Walkthrough

The changes add bearer token authentication and authorization checks to the GET /api/orders/{orderId} endpoint. A new getUserById() database method supports token-based user lookup, while helper functions parse tokens and retrieve user information for access control decisions.

Changes

Cohort / File(s)	Summary
Database User Lookup backend/db.js	Added getUserById(userId) method that queries state.users by ID and returns a user object with id, username, name, and role fields, or null if not found.
API Authentication & Authorization backend/server.js	Introduced parseBearerToken() and getUserFromAuthHeader() helper functions for token extraction and validation. Modified GET /api/orders/{orderId} to authenticate via bearer token, verify user identity, and enforce authorization (admins or order owner only) with appropriate 401/403 responses.

Sequence Diagram

sequenceDiagram
    actor Client
    participant Server
    participant Database
    
    Client->>Server: GET /api/orders/{orderId}<br/>Authorization: Bearer demo-token-123
    
    Server->>Server: parseBearerToken(authHeader)<br/>Extract token
    Server->>Server: getUserFromAuthHeader(authHeader)<br/>Parse user ID from token
    
    Server->>Database: getUserById(userId)
    Database-->>Server: User object {id, username, name, role}
    
    alt User not found
        Server-->>Client: 401 Unauthorized
    else User found & Authorized
        Server->>Database: Fetch order data
        Database-->>Server: Order object
        Server-->>Client: 200 OK + Order
    else User not authorized
        Server-->>Client: 403 Forbidden
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: add GET /api/orders/:id endpoint #34: Adds the protected GET /api/orders/:id endpoint that this PR further enhances with token-based authentication and authorization logic.
• Fix backend startup crash and improve order-by-id retrieval #46: Extends backend/db.js with user lookup helpers and modifies backend/server.js for authentication on the same endpoint.

Suggested labels

apertre3.0, medium

Poem

🐰 A token hops into the door,
We parse it, check it, then explore.
Is it admin? Is it theirs?
Access granted—or we don't care!
Security's no longer bare! 🔐

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch codex/fix-major-issue-in-backend

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

Devin Review found 1 potential issue.

View 4 additional findings in Devin Review.

[devin-ai-integration]

🔴 CORS Access-Control-Allow-Headers missing Authorization causes browser requests to be blocked

The new GET /api/orders/:id authorization logic requires an Authorization: Bearer <token> header (backend/server.js:211), but the CORS response headers at backend/server.js:92 only allow Content-Type. Since the frontend runs on port 3000 and the backend on port 4000 (cross-origin), browsers will send a preflight OPTIONS request before any request that includes Authorization. The preflight response will not list Authorization in Access-Control-Allow-Headers, so the browser will block the actual request — the endpoint will be completely unusable from any browser client.

Root Cause and Impact

The sendJson helper sets CORS headers for every response, including the OPTIONS preflight handler at backend/server.js:127-129:

'Access-Control-Allow-Headers': 'Content-Type',

The Authorization header is not a CORS-safelisted header, so any cross-origin request including it triggers a preflight check. The browser checks the Access-Control-Allow-Headers in the preflight response and, not finding Authorization, blocks the request entirely. The user sees a CORS error and gets no data — the new authz check effectively makes the order detail endpoint inaccessible from the browser.

Impact: Every browser-based call to GET /api/orders/:id with a Bearer token will fail with a CORS error, making the endpoint completely broken for the frontend application.

(Refers to line 92)

---

Was this helpful? React with 👍 or 👎 to provide feedback.