bcgov / entity

ServiceBC Registry Team working on Legal Entities
Apache License 2.0

Accessing business data between accounts #19749

Open severinbeauvais opened 7 months ago

severinbeauvais commented 7 months ago

It was found that some Auth API and Legal API endpoints allow one account (e.g., 668) to access a business not affiliated to it as long as it is affiliated to another account (e.g., 2288) under the same login (e.g., BCREG0020).

We need to determine the business requirements here.

Proposed solution:

  1. the API endpoints should require an account id header and validate that the subject business is affiliated to the given account (i.e., authorization)
  2. various UIs will need to be updated to attach the current account id as a header to the affected API endpoints

The scope of this change is undetermined -- it would require developers to identify the affected API endpoints and UIs and estimate the amount of work required.

cc: @seeker25 @Mihai-QuickSilverDev @NaveenHebbale @davemck513 @OlgaPotiagalova @vysakh-menon-aot @argush3

Mihai-QuickSilverDev commented 7 months ago

@seeker25 Hi Travis, would the above described scenario even be a problem in Prod? Isn't Prod based on a one account - one login predicament?

argush3 commented 7 months ago

At one point I think @kialj876 might have tried to lock down some of the endpoints. But I think it might have had some undesired side effects wrt search maybe? I'm not sure.

severinbeauvais commented 7 months ago

> At one point I think @kialj876 might have tried to lock down some of the endpoints. But I think it might have had some undesired side effects wrt search maybe? I'm not sure.

Good point. If business search (or other APIs / jobs) use a service token to access Legal API endpoints, would they bypass the need to include an Account-Id header? If not, what's the solution here?

PS We might not need to solve this right away, but we should have an idea what's necessary to get there.
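The following is an added example, not code from bcgov/entity or from anyone in this thread. It models the two authorization behaviours discussed above side by side: the current check, where a business is reachable if it is affiliated to any account under the caller's login, and the proposed check, where the caller must send an Account-Id header and the business must be affiliated to that specific account. It also shows one way to answer the service-token question raised in the last comment: tokens carrying a hypothetical `system` role skip the account check, everything else must present the header. The affiliation data, the business identifiers, the role name and the function names are all constructed for illustration; the login BCREG0020 and the account ids 668 and 2288 are the ones from the issue.

```python
"""Account-scoped business authorization, as discussed in the issue.

Added example, not bcgov/entity code. All data below is constructed.
"""
from dataclasses import dataclass

# Constructed affiliation data: login -> accounts, account -> businesses.
# Login BCREG0020 owns accounts 668 and 2288 (from the issue); each account
# is affiliated to one constructed business identifier.
LOGIN_ACCOUNTS = {"BCREG0020": {668, 2288}}
ACCOUNT_BUSINESSES = {668: {"BC0000001"}, 2288: {"BC0000002"}}

# Hypothetical role name carried by service tokens (jobs, search, etc.).
SERVICE_ROLE = "system"


@dataclass
class Decision:
    allowed: bool
    reason: str


def weak_check(login: str, business: str) -> Decision:
    """Current behaviour: allowed if the business is affiliated to ANY
    account under the caller's login, regardless of which account is acting."""
    for account in LOGIN_ACCOUNTS.get(login, set()):
        if business in ACCOUNT_BUSINESSES.get(account, set()):
            return Decision(True, f"affiliated via account {account}")
    return Decision(False, "not affiliated to any account under login")


def _header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def account_scoped_check(headers: dict, token_roles: set,
                         login: str, business: str) -> Decision:
    """Proposed behaviour: service tokens bypass the account check; user
    tokens must send Account-Id, the account must belong to the login, and
    the business must be affiliated to that account."""
    if SERVICE_ROLE in token_roles:
        return Decision(True, "service token, account check bypassed")

    raw = _header(headers, "Account-Id")
    if raw is None:
        return Decision(False, "missing Account-Id header")
    try:
        account = int(raw)
    except (TypeError, ValueError):
        return Decision(False, "malformed Account-Id header")

    # Without this step a caller could name any account id it liked, so the
    # header alone would prove nothing.
    if account not in LOGIN_ACCOUNTS.get(login, set()):
        return Decision(False, f"account {account} not owned by login {login}")

    if business not in ACCOUNT_BUSINESSES.get(account, set()):
        return Decision(False,
                        f"business {business} not affiliated to account {account}")
    return Decision(True, f"business affiliated to account {account}")


if __name__ == "__main__":
    # Account 668 acting, asking for the business affiliated only to 2288.
    print("weak  :", weak_check("BCREG0020", "BC0000002"))
    print("scoped:", account_scoped_check({"Account-Id": "668"}, set(),
                                          "BCREG0020", "BC0000002"))
    print("job   :", account_scoped_check({}, {SERVICE_ROLE},
                                          "BCREG0020", "BC0000002"))
```

The scoped check deliberately verifies that the Account-Id belongs to the login before checking the affiliation; otherwise the header is just another client-controlled value. Which roles should be allowed to bypass the header, and whether search and batch jobs should instead be given their own explicit permission, is the business-requirements question the issue leaves open.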