Add E2E test for GET /api/apps/:app_id authorization#140

Merged
jalexw merged 1 commit into main from claude/serene-faraday-9qe342 on Jun 17, 2026

Conversation


@jalexw jalexw commented Jun 15, 2026


Summary

Adds comprehensive E2E test coverage for the authorization guard in GET /api/apps/:app_id that prevents non-organization-members from accessing private apps.

Changes

  • New test file: tests/e2e-auth-tests/cypress/e2e/apps/NonOrgMemberCannotGetApp.cy.ts

    • Tests that a signed-in user who is not a member of an app's owner organization receives a 403 response when attempting to GET a private app
    • Verifies the response includes success: false and a "not authorized" message
    • Confirms the response does not leak the app payload
    • Documents the specific authorization branch being tested in auth-server/src/app/api/apps/[app_id]/GET_app_handler.ts (lines 111-132)
  • Version bump: tests/e2e-auth-tests/package.json from 0.4.7 to 0.4.8

Implementation Details

The test follows the established E2E pattern:

  1. Creates a superuser and logs in
  2. Creates a test organization and a private app within it
  3. Logs out and creates a separate regular user account
  4. Attempts to GET the private app as the non-member user
  5. Asserts the expected 403 response with appropriate error messaging

This closes a gap in authorization testing—the GET-private-app guard previously had no E2E coverage, despite being critical to prevent arbitrary signed-in users from reading metadata for any organization's private apps by guessing app IDs.

https://claude.ai/code/session_017p6LFMRm9dRHzZcyJXVpdv
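The five-step scenario in the description, replayed against a modelled handler, as an added example that is not the project's code and not the Cypress test itself. The types, the in-memory store, the handler name getAppHandler and the exact response shape are assumptions; only the 403 status, the success: false field and the "You are not authorized to view this app" message come from the PR.

```typescript
// Added example (not the auth-server's real code). It models the authorization
// branch the PR's E2E test exercises: a private app may only be read by members
// of its owner organization. All names and the response shape are assumptions.

interface AppRecord {
  id: string;
  name: string;
  ownerOrgId: string;
  isPrivate: boolean;
  config: Record<string, unknown>; // stands in for the metadata a non-member must not see
}

interface SessionUser {
  id: string;
  email: string;
}

type ErrorBody = { success: false; message: string };
type ApiResponse =
  | { status: 200; body: { success: true; app: AppRecord } }
  | { status: 401; body: ErrorBody }
  | { status: 403; body: ErrorBody }
  | { status: 404; body: ErrorBody };

/** In-memory stand-in for the database behind the handler (assumed, not the project's). */
class InMemoryStore {
  private apps = new Map<string, AppRecord>();
  private members = new Map<string, Set<string>>(); // orgId -> member user ids

  createUser(id: string, email: string): SessionUser {
    return { id, email };
  }
  /** Creating an organization makes the creator its first member (assumption). */
  createOrganization(orgId: string, creator: SessionUser): string {
    this.members.set(orgId, new Set([creator.id]));
    return orgId;
  }
  createApp(app: AppRecord): AppRecord {
    this.apps.set(app.id, app);
    return app;
  }
  findApp(id: string): AppRecord | undefined {
    return this.apps.get(id);
  }
  isMember(orgId: string, userId: string): boolean {
    return this.members.get(orgId)?.has(userId) ?? false;
  }
}

/** Modelled GET /api/apps/:app_id handler; the guard is the branch under test. */
function getAppHandler(store: InMemoryStore, user: SessionUser | null, appId: string): ApiResponse {
  if (!user) {
    return { status: 401, body: { success: false, message: "You must be signed in" } };
  }
  const app = store.findApp(appId);
  if (!app) {
    return { status: 404, body: { success: false, message: "App not found" } };
  }
  // Private apps are readable only by members of the owner organization.
  // The error body deliberately carries no app fields, so nothing leaks on denial.
  if (app.isPrivate && !store.isMember(app.ownerOrgId, user.id)) {
    return { status: 403, body: { success: false, message: "You are not authorized to view this app" } };
  }
  return { status: 200, body: { success: true, app } };
}

/** Steps 1-3 of the scenario with constructed sample data. */
function seedScenario(): { store: InMemoryStore; owner: SessionUser; outsider: SessionUser } {
  const store = new InMemoryStore();
  const owner = store.createUser("u-super", "super@example.test");          // step 1: superuser
  const orgId = store.createOrganization("org-1", owner);                   // step 2: organization ...
  store.createApp({ id: "app-1", name: "Private App", ownerOrgId: orgId,   // ... and a private app in it
    isPrivate: true, config: { webhook: "https://hook.example.test" } });
  const outsider = store.createUser("u-outsider", "outsider@example.test"); // step 3: separate regular user
  return { store, owner, outsider };
}

/** Step 4: the non-member requests the private app; step 5 is the assertions on the result. */
function runNonMemberScenario(): ApiResponse {
  const { store, outsider } = seedScenario();
  return getAppHandler(store, outsider, "app-1");
}

/** Control case: the organization member making the same request. */
function runMemberScenario(): ApiResponse {
  const { store, owner } = seedScenario();
  return getAppHandler(store, owner, "app-1");
}

/** Mirrors the test's "does not leak the app payload" check. */
function leaksAppPayload(res: ApiResponse): boolean {
  return "app" in res.body;
}
```

The three checks the PR lists map directly onto the result of runNonMemberScenario(): status 403, success: false with a message containing "not authorized", and leaksAppPayload() false; the member control case returns 200 with the app. The example keeps the 403 the PR describes; a practitioner reading the guard should just be aware that 403 (rather than 404) still tells a signed-in non-member that the app ID exists, even though no metadata is returned.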

…mber on private app

Adds NonOrgMemberCannotGetApp.cy.ts to the apps suite, exercising the
"You are not authorized to view this app" branch in GET_app_handler.ts
that gates private-app metadata reads. The symmetric DELETE branch was
already tested by NonOrgMemberCannotDeleteApp.cy.ts; this fills the GET
gap that previously let an authenticated non-member's access path go
unverified.
@jalexw jalexw merged commit 433e3af into main Jun 17, 2026
43 checks passed
@jalexw jalexw deleted the claude/serene-faraday-9qe342 branch June 17, 2026 00:59
