[P0] Security: Fix authorization bypass in reorderCharacters

[Pamacea]

[P0] Security: Fix authorization bypass in reorderCharacters

Severity

• Priority: P0
• Type: Security
• Estimation: 2 hours

Problem

The reorderCharacters Server Action only authenticates the user but does not verify ownership of the characters being reordered. Any authenticated user can reorder any character in the database.

Vulnerable Code

// src/features/characters/methods/update-character.ts:144-163
export async function reorderCharacters(
  updates: Array<{ id: string; order: number }>,
): Promise<Result<Character[]>> {
  return safeAsync(async () => {
    await getAuthenticatedUser(); // Only auth, no ownership check!
    
    const updatedCharacters = await Promise.all(
      updates.map(({ id, order }) =>
        prisma.character.update({
          where: { id },
          data: { order },
        })
      )
    );
    return updatedCharacters;
  }, "reorderCharacters");
}

Impact

• Any authenticated user can modify order of characters belonging to other users
• Data corruption and denial of service
• Multi-tenancy isolation violation

Files Affected

• src/features/characters/methods/update-character.ts:144-163

Steps to Fix

1. Import verifyCharacterPermission helper
2. Before updating, verify each character belongs to the user:

for (const { id } of updates) {
  await verifyCharacterPermission(id, user.id);
}

3. Add unit test for authorization check
4. Add integration test attempting to reorder another user's characters

Acceptance Criteria

• Each character ownership is verified before update
• Unit tests added for authorization bypass prevention
• Integration test verifies rejection of unauthorized requests
• No regression in existing functionality

Notes

Similar vulnerability exists in reorderLorePinLinks and reorderGalleryItems.

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com