Add compact auth check for staff privilege history endpoint

[landonshumway-ia]

This adds an auth check to verify that the staff user caller has the read general permissions for the compact they are
attempting to request information for. This endpoint is gated by a Cognito authorizer that verifies the caller has the
readGeneral scope for any of the compacts. This further narrows that check to ensure the scope is specific to the compact in the path parameter.

Testing List

• yarn test:unit:all should run without errors or warnings
• yarn serve should run without errors or warnings
• yarn build should run without errors or warnings
• For API configuration changes: CDK tests added/updated in backend/compact-connect/tests/unit/test_api.py
• For API endpoint changes: OpenAPI spec updated to show latest endpoint configuration run compact-connect/bin/download_oas30.py
• Code review

Closes #1659

Summary by CodeRabbit

• Bug Fixes

  • Enhanced authorization controls on the staff privilege history endpoint to enforce proper access permissions and prevent unauthorized cross-compact data access.

• Tests

  • Added test coverage to verify unauthorized users receive appropriate access denial responses.

[coderabbitai]

Warning

Review limit reached

@landonshumway-ia, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 58 minutes and 44 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 738e41cc-f5b9-4978-8d4a-9135f4df72bd

📥 Commits

Reviewing files that changed from the base of the PR and between 3512fb0 and 3a04714.

⛔ Files ignored due to path filters (3)

• backend/compact-connect/lambdas/nodejs/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
• backend/cosmetology-app/lambdas/nodejs/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
• backend/social-work-app/lambdas/nodejs/yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (5)

• backend/compact-connect/lambdas/nodejs/package.json
• backend/cosmetology-app/lambdas/nodejs/package.json
• backend/cosmetology-app/stacks/api_lambda_stack/public_lookup_api.py
• backend/social-work-app/lambdas/nodejs/package.json
• backend/social-work-app/lambdas/python/provider-data-v1/tests/function/test_handlers/test_bulk_upload.py

📝 Walkthrough

Walkthrough

The staff privilege-history endpoint lacked compact-level authorization, enabling cross-compact IDOR. This fix adds @authorize_compact(action=CCPermissionsAction.READ_GENERAL) to _get_privilege_history_staff, threads the Lambda context through the routing call to satisfy the decorator signature, and adds a test asserting a 403 when a staff user accesses a different compact.

Changes

Staff privilege-history compact authorization

Layer / File(s)	Summary
Authorization decorator and routing wiring handlers/privilege_history.py	Imports CCPermissionsAction and authorize_compact; applies @authorize_compact(action=CCPermissionsAction.READ_GENERAL) to _get_privilege_history_staff; updates function signature to accept _context: LambdaContext; passes context in the routing call.
Test fixture scope claim and cross-compact 403 test tests/function/test_handlers/test_privilege_history.py	Adds scope claim to the staff request event fixture; adds test_staff_privilege_history_returns_unauthorized_if_user_not_in_same_compact which overrides the path compact parameter and asserts a 403 response.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Poem

🐇 Hop, hop, the compact gate is shut tight,
No sneaky staff shall cross without right!
@authorize_compact now guards the door,
Cross-compact IDOR? Not anymore.
The rabbit stamps 403 with delight. ✅

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding compact authorization check to the staff privilege history endpoint.
Description check	✅ Passed	The description covers objectives, testing requirements, and references the linked issue #1659, but lacks explicit detail on implementation approach in the Requirements/Description sections.
Linked Issues check	✅ Passed	The code changes implement the suggested fix from issue #1659: adding @authorize_compact decorator with CCPermissionsAction.READ_GENERAL to _get_privilege_history_staff, binding the path {compact} to held scope.
Out of Scope Changes check	✅ Passed	All changes directly address the IDOR vulnerability in issue #1659: decorator addition, function signature update for context parameter, imports, and corresponding test coverage.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

backend/compact-connect/lambdas/python/provider-data-v1/tests/function/test_handlers/test_privilege_history.py (1)

129-139: 💤 Low value

Test method name could more precisely reflect the 403 response.

The test asserts 403 (access denied/forbidden) but the name uses "unauthorized" which typically refers to 401. Consider renaming to test_staff_privilege_history_returns_forbidden_if_user_not_in_same_compact for semantic precision. This is purely a naming nitpick—the test logic correctly validates the IDOR fix.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@backend/compact-connect/lambdas/python/provider-data-v1/tests/function/test_handlers/test_privilege_history.py`
around lines 129 - 139, The test method name
`test_staff_privilege_history_returns_unauthorized_if_user_not_in_same_compact`
uses "unauthorized" which typically corresponds to HTTP 401, but the test
validates a 403 status code which is "forbidden". Rename the test method to
`test_staff_privilege_history_returns_forbidden_if_user_not_in_same_compact` to
accurately reflect the HTTP status code being asserted in the test.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@backend/compact-connect/lambdas/python/provider-data-v1/tests/function/test_handlers/test_privilege_history.py`:
- Around line 129-139: The test method name
`test_staff_privilege_history_returns_unauthorized_if_user_not_in_same_compact`
uses "unauthorized" which typically corresponds to HTTP 401, but the test
validates a 403 status code which is "forbidden". Rename the test method to
`test_staff_privilege_history_returns_forbidden_if_user_not_in_same_compact` to
accurately reflect the HTTP status code being asserted in the test.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9cf38d30-c419-443e-82d7-1bb6adcf29ec

📥 Commits

Reviewing files that changed from the base of the PR and between 82944da and 3512fb0.

📒 Files selected for processing (2)

• backend/compact-connect/lambdas/python/provider-data-v1/handlers/privilege_history.py
• backend/compact-connect/lambdas/python/provider-data-v1/tests/function/test_handlers/test_privilege_history.py

[landonshumway-ia]

@jlkravitz This is now ready for your review. Thanks

[jlkravitz]

@isabeleliassen This is good to merge!