[management] fixed ischild check

[crn4]

Describe your changes

Issue ticket number and link

Stack

Checklist

• Is it a bug fix
• Is a typo/documentation fix
• Is a feature enhancement
• It is a refactor
• Created tests that fail without the change (if possible)

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

Documentation

Select exactly one:

• I added/updated documentation for this change
• Documentation is not needed for this change (explain why)

bug fix

Docs PR URL (required if "docs added" is checked)

Paste the PR link from https://github.com/netbirdio/docs here:

https://github.com/netbirdio/docs/pull/__

Summary by CodeRabbit

• Chores

  • Bumped a management integrations dependency to a newer version.

• Bug Fixes

  • Tightened account-impersonation handling so account switching is applied only when the child account is validated.

• Tests

  • Renamed and updated tests to reflect public-version behavior and adjusted expectations around impersonation handling.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Updated a dependency and hardened impersonation handling in auth middleware: when an account impersonation parameter is present, middleware calls integrations.IsValidChildAccount(...) and only updates AccountId and IsChild if that validation succeeds; tests and go.mod updated accordingly.

Changes

Cohort / File(s)	Summary
Dependency go.mod	Bumped github.com/netbirdio/management-integrations/integrations to v0.0.0-20260210160626-df4b180c7b25.
Auth Middleware management/server/http/middleware/auth_middleware.go	Imported integrations; when an impersonation/account param is present, call integrations.IsValidChildAccount(ctx, userId, parentAccount, targetAccount) and only set AccountId = targetAccount and IsChild = true if validation returns true (applies to both JWT and PAT flows).
Auth Middleware Tests management/server/http/middleware/auth_middleware_test.go	Adjusted/renamed child-related test cases to reflect public-version behavior: account param is ignored in these cases — expect AccountId to remain the original parent account and removed IsChild assertions.

Sequence Diagram(s)

sequenceDiagram
  participant Client as Client
  participant Middleware as AuthMiddleware
  participant Integrations as IntegrationsService

  Client->>Middleware: HTTP request (token + optional account param)
  Middleware->>Middleware: parse token -> userAuth (userId, AccountId)
  alt account param present
    Middleware->>Integrations: IsValidChildAccount(ctx, userId, parentAccount, targetAccount)
    Integrations-->>Middleware: true / false
    alt true
      Middleware->>Middleware: set AccountId = targetAccount\nset IsChild = true
    else false
      Middleware->>Middleware: keep AccountId = parentAccount\nIsChild = false
    end
  end
  Middleware->>Client: continue request with resolved auth context

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• [management] update management integrations #4895 — Also updates the same management-integrations/integrations dependency line.

Poem

🐰 I sniffed a param along the trail,
I asked the Integrations — "Is this their tail?"
If they nod yes, I don a child-sized hat,
If they frown no, I hop back where parent sat.
A careful hop, a cautious cheer, carrot cake near.

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description follows the template structure but critically lacks detail in the 'Describe your changes' section, which is blank. While the checklist is marked as a bug fix, there is no explanation of what bug was fixed, how it was fixed, or why the changes address the issue.	Fill in the 'Describe your changes' section with a clear explanation of the bug, the fix applied, and reference the issue ticket in the 'Issue ticket number and link' field.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title '[management] fixed ischild check' is partially related to the changeset—it refers to a real aspect of the changes (IsChild field handling in auth middleware) but lacks specificity about the core fix involving impersonation validation.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/ischild

---

No actionable comments were generated in the recent review. 🎉

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

management/server/http/middleware/auth_middleware.go (1)

133-136: ⚠️ Potential issue | 🔴 Critical

JWT impersonation path lacks the same IsValidChildAccount validation.

The PAT path (lines 210–214) now properly validates the impersonated account via integrations.IsValidChildAccount, but the JWT path here still unconditionally trusts the account query parameter. This means any JWT-authenticated user can impersonate any account by passing ?account=<target>, bypassing the child-account check entirely.

If the fix was intentional only for PAT, please confirm. Otherwise this is a security gap that should be addressed.

🔒 Proposed fix

 	if impersonate, ok := r.URL.Query()["account"]; ok && len(impersonate) == 1 {
-		userAuth.AccountId = impersonate[0]
-		userAuth.IsChild = ok
+		if integrations.IsValidChildAccount(ctx, userAuth.AccountId, impersonate[0]) {
+			userAuth.AccountId = impersonate[0]
+			userAuth.IsChild = true
+		}
 	}

🧹 Nitpick comments (1)

management/server/http/middleware/auth_middleware.go (1)

210-215: Silent no-op when IsValidChildAccount returns false — consider returning an error or logging.

If a caller passes ?account=<invalid>, the request proceeds silently with the original account context. This could be confusing to API consumers who believe they are operating on a child account but are actually operating on their own. Returning an authorization error (or at minimum logging a warning) would make failures observable.

Proposed approach

 	if impersonate, ok := r.URL.Query()["account"]; ok && len(impersonate) == 1 {
 		if integrations.IsValidChildAccount(r.Context(), userAuth.AccountId, impersonate[0]) {
 			userAuth.AccountId = impersonate[0]
 			userAuth.IsChild = true
+		} else {
+			return r, status.Errorf(status.Forbidden, "account %s is not a valid child account", impersonate[0])
 		}
 	}

[Copilot]

Pull request overview

Fixes child-account impersonation handling in the management HTTP auth middleware by validating the requested child account instead of blindly marking requests as “child” when the account query param is present.

Changes:

• Add a child-account validation check (integrations.IsValidChildAccount) before allowing PAT-based account impersonation.
• Update management-integrations/integrations dependency version to pick up the new validation helper.
• Update module sums accordingly.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

File	Description
management/server/http/middleware/auth_middleware.go	Gate PAT account impersonation on a child-account validity check.
go.mod	Bump github.com/netbirdio/management-integrations/integrations to a newer pseudo-version.
go.sum	Add checksums for the updated integrations dependency and related transitive updates.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

When the account query param is present but not a valid child account, the request silently proceeds with the parent account. This can lead clients to unintentionally operate on the wrong account; consider returning a PermissionDenied/InvalidArgument error when impersonation is requested but validation fails. Also note checkJWTFromRequest still sets IsChild based only on query presence; it should likely use the same validation to avoid inconsistent/unsafe behavior.

Suggested change

	if integrations.IsValidChildAccount(r.Context(), userAuth.AccountId, impersonate[0]) {
	userAuth.AccountId = impersonate[0]
	userAuth.IsChild = true
	}
	if !integrations.IsValidChildAccount(r.Context(), userAuth.AccountId, impersonate[0]) {
	return r, status.Errorf(status.PermissionDenied, "impersonation requested for non-child account")
	}
	userAuth.AccountId = impersonate[0]
	userAuth.IsChild = true

[Copilot]

This change introduces a hard dependency on integrations.IsValidChildAccount, which makes existing middleware unit tests non-deterministic (and will break TestAuthMiddleware_Handler_Child’s PAT child case unless the validator can be controlled). Consider injecting a child-account validation function into AuthMiddleware (defaulting to integrations.IsValidChildAccount) so tests can mock it, and add a negative test for invalid child impersonation.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud