fix(api): enforce ownership check on AI generation endpoint #1749

Open
MinitJain wants to merge 2 commits into CapSoftware:main from MinitJain:fix/video-ai-idor-ownership-check

Conversation

@MinitJain (Contributor) commented Apr 22, 2026

Summary

  • GET /api/video/ai authenticated the caller but never verified they own the target video
  • Any authenticated user could pass ?videoId=<any_video_id> and trigger AI generation billed to the video owner's account
  • Added eq(videos.ownerId, user.id) to the DB query — non-owners get a 404 (same as "not found"), so the existence of other users' videos is not leaked

Security Impact

This is an IDOR (Insecure Direct Object Reference). An attacker with a free account could exhaust another user's paid AI generation quota by repeatedly triggering generation on their videos.

Test plan

  • Owner can trigger AI generation on their own video (existing behavior unchanged)
  • Authenticated non-owner gets 404 when passing another user's video ID
  • Unauthenticated request still gets 401

@brin-security-scanner brin-security-scanner Bot added contributor:verified Contributor passed trust analysis. pr:verified PR passed security analysis. labels May 12, 2026
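An added illustration of the check this PR describes, not code from the Cap repository: an in-memory TypeScript model in which the Drizzle condition `eq(videos.ownerId, user.id)` becomes a plain predicate over constructed sample rows, with a per-owner quota counter to show what the missing check costs the video owner. The `Store` shape, the user objects, the video ids and the `charge` helper are assumptions made for the example; the handler before the fix is kept vulnerable on purpose so the two can be compared against the PR's test plan.

```typescript
// Added example, not Cap's code: an in-memory model of the IDOR described
// in the PR and of the ownership check that closes it.

type Video = { id: string; ownerId: string };
type User = { id: string } | null;
type Result = { status: 200 | 401 | 404; body: string };

// Constructed sample state standing in for the `videos` table plus a
// per-owner AI generation quota (assumed for the example).
type Store = { videos: Video[]; quota: Map<string, number> };

function makeStore(): Store {
  return {
    videos: [
      { id: "vid-alice-1", ownerId: "alice" },
      { id: "vid-bob-1", ownerId: "bob" },
    ],
    quota: new Map([["alice", 3], ["bob", 3]]),
  };
}

// Shared tail of both handlers: generation is billed to the video's owner,
// whoever made the request.
function charge(store: Store, video: Video): Result {
  store.quota.set(video.ownerId, (store.quota.get(video.ownerId) ?? 0) - 1);
  return { status: 200, body: `generation queued for ${video.id}, billed to ${video.ownerId}` };
}

// Before the fix: authentication only. The lookup matches on id alone, so
// any signed-in user can trigger generation on any existing video.
function aiGenerateVulnerable(store: Store, user: User, videoId: string): Result {
  if (!user) return { status: 401, body: "unauthorized" };
  const video = store.videos.find((v) => v.id === videoId);
  if (!video) return { status: 404, body: "not found" };
  return charge(store, video);
}

// After the fix: the ownership condition is part of the lookup itself
// (the model of eq(videos.ownerId, user.id)). A non-owner's request matches
// no row and gets the same 404 as an unknown id, so neither the generation
// nor the existence of the video is exposed.
function aiGenerateFixed(store: Store, user: User, videoId: string): Result {
  if (!user) return { status: 401, body: "unauthorized" };
  const video = store.videos.find((v) => v.id === videoId && v.ownerId === user.id);
  if (!video) return { status: 404, body: "not found" };
  return charge(store, video);
}

// Replays the PR's test plan against one handler on a fresh store:
// owner request, authenticated non-owner request, unauthenticated request.
function runTestPlan(handler: typeof aiGenerateFixed): {
  owner: number; nonOwner: number; anon: number; aliceQuotaAfter: number;
} {
  const store = makeStore();
  const owner = handler(store, { id: "alice" }, "vid-alice-1").status;
  const nonOwner = handler(store, { id: "bob" }, "vid-alice-1").status;
  const anon = handler(store, null, "vid-alice-1").status;
  return { owner, nonOwner, anon, aliceQuotaAfter: store.quota.get("alice") ?? 0 };
}

console.log("vulnerable:", runTestPlan(aiGenerateVulnerable));
console.log("fixed:     ", runTestPlan(aiGenerateFixed));
```

Against the vulnerable handler Bob's request on Alice's video succeeds and Alice's quota drops by one more than her own use accounts for; against the fixed handler the same request returns the 404 body that an unknown id produces, and Alice's quota only moves for her own request. Putting the ownership condition into the query rather than a later `if` also keeps the check from being skipped by any code path that reuses the lookup.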