feat(api): Add org membership check to repository token regeneration

The RegenerateRepositoryToken and RegenerateRepositoryUploadToken
mutations only checked that a repo was viewable, which includes all
public repos. Any authenticated user could rotate tokens for public
repos they don't belong to. Add current_user_part_of_org check to
both mutations and expose UnauthorizedError in their GraphQL schemas.

Co-Authored-By: Claude <noreply@anthropic.com>

Author: michelletran-sentry

apps/codecov-api/core/commands/repository/interactors/regenerate_repository_token.py

@@ -1,16 +1,21 @@
 from asgiref.sync import sync_to_async
 
 from codecov.commands.base import BaseInteractor
+from codecov.commands.exceptions import Unauthorized
+from codecov_auth.helpers import current_user_part_of_org
 from codecov_auth.models import RepositoryToken
 
 
 class RegenerateRepositoryTokenInteractor(BaseInteractor):
     @sync_to_async
     def execute(self, repo_name: str, owner_username: str, token_type: str):
-        _owner, repo = self.resolve_owner_and_repo(
+        owner, repo = self.resolve_owner_and_repo(
             owner_username, repo_name, only_viewable=True, only_active=True
         )
 
+        if not current_user_part_of_org(self.current_owner, owner):
+            raise Unauthorized()
+
         token, created = RepositoryToken.objects.get_or_create(
             repository_id=repo.repoid, token_type=token_type
         )

apps/codecov-api/core/commands/repository/interactors/regenerate_repository_upload_token.py

@@ -3,15 +3,20 @@
 from asgiref.sync import sync_to_async
 
 from codecov.commands.base import BaseInteractor
+from codecov.commands.exceptions import Unauthorized
+from codecov_auth.helpers import current_user_part_of_org
 
 
 class RegenerateRepositoryUploadTokenInteractor(BaseInteractor):
     @sync_to_async
     def execute(self, repo_name: str, owner_username: str) -> uuid.UUID:
-        _owner, repo = self.resolve_owner_and_repo(
+        owner, repo = self.resolve_owner_and_repo(
             owner_username, repo_name, only_viewable=True
         )
 
+        if not current_user_part_of_org(self.current_owner, owner):
+            raise Unauthorized()
+
         repo.upload_token = uuid.uuid4()
         repo.save()
         return repo.upload_token

apps/codecov-api/graphql_api/tests/mutation/test_regenerate_repository_token.py

@@ -25,7 +25,9 @@
 class RegeneratRepositoryTokenTests(GraphQLTestHelper, TestCase):
     def setUp(self):
         self.org = OwnerFactory(username="codecov")
-        self.repo = RepositoryFactory(author=self.org, name="gazebo", active=True)
+        self.repo = RepositoryFactory(
+            author=self.org, name="gazebo", active=True, private=False
+        )
 
     def test_when_unauthenticated(self):
         data = self.gql_request(
@@ -43,14 +45,35 @@ def test_when_unauthenticated(self):
             == "UnauthenticatedError"
         )
 
+    def test_when_unauthorized_user_not_part_of_org(self):
+        random_user = OwnerFactory()
+        data = self.gql_request(
+            query,
+            owner=random_user,
+            variables={
+                "input": {
+                    "repoName": "gazebo",
+                    "owner": "codecov",
+                    "tokenType": "PROFILING",
+                }
+            },
+        )
+        assert (
+            data["regenerateRepositoryToken"]["error"]["__typename"]
+            == "UnauthorizedError"
+        )
+
     def test_when_validation_error_repo_not_viewable(self):
+        private_repo = RepositoryFactory(
+            author=self.org, name="private-repo", active=True, private=True
+        )
         random_user = OwnerFactory(organizations=[self.org.ownerid])
         data = self.gql_request(
             query,
             owner=random_user,
             variables={
                 "input": {
-                    "repoName": "gazebo",
+                    "repoName": "private-repo",
                     "owner": "codecov",
                     "tokenType": "PROFILING",
                 }

apps/codecov-api/graphql_api/tests/mutation/test_regenerate_repository_upload_token.py

@@ -21,9 +21,21 @@
 class RegenerateRepositoryUploadTokenTests(GraphQLTestHelper, TestCase):
     def setUp(self):
         self.org = OwnerFactory(username="codecov")
-        self.repo = RepositoryFactory(author=self.org, name="gazebo")
+        self.repo = RepositoryFactory(author=self.org, name="gazebo", private=False)
         self.old_repo_token = self.repo.upload_token
 
+    def test_when_unauthorized_user_not_part_of_org(self):
+        random_user = OwnerFactory()
+        data = self.gql_request(
+            query,
+            owner=random_user,
+            variables={"input": {"repoName": "gazebo", "owner": "codecov"}},
+        )
+        assert (
+            data["regenerateRepositoryUploadToken"]["error"]["__typename"]
+            == "UnauthorizedError"
+        )
+
     def test_when_authenticated_updates_token(self):
         user = OwnerFactory(
             organizations=[self.org.ownerid], permission=[self.repo.repoid]

apps/codecov-api/graphql_api/types/mutation/regenerate_repository_token/regenerate_repository_token.graphql

@@ -1,4 +1,4 @@
-union RegenerateRepositoryTokenError = UnauthenticatedError | ValidationError
+union RegenerateRepositoryTokenError = UnauthenticatedError | UnauthorizedError | ValidationError
 
 type RegenerateRepositoryTokenPayload {
     token: String

apps/codecov-api/graphql_api/types/mutation/regenerate_repository_upload_token/regenerate_repository_upload_token.graphql

@@ -1,6 +1,6 @@
-union RegenerateRepositoryUploadTokenError = ValidationError
+union RegenerateRepositoryUploadTokenError = UnauthorizedError | ValidationError
 
 type RegenerateRepositoryUploadTokenPayload {
   token: String
-  error: ValidationError
+  error: RegenerateRepositoryUploadTokenError
 }