fix: prevent unauthorized live queries (#1291)

realSpok · Nicolas Moreau · web-flow · commit fa1a56ee668b · 2025-04-28T15:36:12.000+02:00
Co-authored-by: Nicolas Moreau &lt;nicolas.moreau76@gmail.com&gt;
diff --git a/packages/agent/src/services/authorization/authorization.ts b/packages/agent/src/services/authorization/authorization.ts
@@ -52,11 +52,11 @@ export default class AuthorizationService {
     });
 
     if (
-      context.request?.body &&
+      context.request?.query &&
       CollectionActionEvent.Browse === event &&
-      (context.request.body as { segmentQuery?: string }).segmentQuery
+      (context.request.query as { segmentQuery?: string }).segmentQuery
     ) {
-      const { segmentQuery, connectionName } = context.request.body as {
+      const { segmentQuery, connectionName } = context.request.query as {
         segmentQuery?: string;
         connectionName?: string;
       };
diff --git a/packages/agent/test/services/authorization/authorization.test.ts b/packages/agent/test/services/authorization/authorization.test.ts
@@ -89,7 +89,7 @@ describe('AuthorizationService', () => {
 
         const context = {
           request: {
-            body: {
+            query: {
               segmentQuery: `SELECT id FROM books where type = 'comics'`,
               connectionName: 'library',
             },
@@ -134,7 +134,7 @@ describe('AuthorizationService', () => {
 
           const context = {
             request: {
-              body: {
+              query: {
                 segmentQuery: `DROP TABLE books;`,
                 connectionName: 'library',
               },
