fix(webapp): mask 404 as 403 when findResource returns null on authorized routes

ericallam · ericallam · commit 0caa55afa7ab · 2026-04-28T11:26:11.000+01:00
createActionApiRoute now runs findResource before authorization so the
auth scope check can expand to alternate identifiers of the resolved
resource (Sessions are addressable by both friendlyId and externalId).
Side-effect: an authenticated-but-underscoped caller could probe
resource existence by observing 404 vs 403. Mask the 404 as 403 with
the same response shape as the auth-failed branch when the route
declares authorization, so the two cases are indistinguishable to
callers without scopes. Routes without authorization keep returning
404.
diff --git a/apps/webapp/app/services/routeBuilders/apiBuilder.server.ts b/apps/webapp/app/services/routeBuilders/apiBuilder.server.ts
@@ -683,6 +683,26 @@ export function createActionApiRoute<
         : undefined;
 
       if (options.findResource && !resource) {
+        // When the route also declares `authorization`, mask "resource
+        // doesn't exist" as 403 — same shape as the auth-failed branch
+        // below — so an authenticated-but-underscoped caller can't
+        // probe resource existence by observing 404 vs 403. Routes
+        // without an `authorization` block keep returning 404.
+        if (authorization) {
+          return await wrapResponse(
+            request,
+            json(
+              {
+                error: `Unauthorized: missing required scopes`,
+                code: "unauthorized",
+                param: "access_token",
+                type: "authorization",
+              },
+              { status: 403 }
+            ),
+            corsStrategy !== "none"
+          );
+        }
         return await wrapResponse(
           request,
           json({ error: "Resource not found" }, { status: 404 }),
