Audit service code for SaaS remnants (hardcoded UUIDs, allowlists, prod URLs)

[julietshen]

One-time audit of server/ for the class of pattern that produced the bug in PR #474: code branches on hardcoded org IDs, queue UUIDs, integration IDs, or production URLs that should be deployment config.

Method

Grep / AST scan for:

• Literal UUID strings outside test/seed paths
• if (orgId === '...') / if (queueId === '...') / if (...includes(orgId)) patterns
• Hardcoded production URLs (*.cybertip.org, *.googleapis.com, etc.) outside the integration plugins/config
• Allowlists of any kind in service code

Output

For each finding:

1. Comment on this issue with location + current behavior
2. Convert to env var / config table / org settings as appropriate
3. Add a test that the surface stays config-driven (per the env contract test pattern)

Motivation

PR #474 was a single instance. Likely there are more — Coop was a closed-source SaaS before going OSS, and the assumptions of one tenant don't translate to N self-hosted deployments. Doing this once now is much cheaper than catching them one-by-one in the field.

Related

• Parent: Design (expanded/desired) integration tests #288
• Bug exemplar: fix: Move NCMEC routing of reports to env config #474

[julietshen]

Audit findings — first pass

Scanned server/ for the patterns called out in the issue, plus the Cove → Coop rename remnants raised in conversation (cf. #370 and #166). Branch: julietshen/saas-audit. No code changes yet — this is the inventory; fixes will land as separate PRs once each is scoped.

Priority reflects "would a non-Cove deployment of Coop hit this, and how badly?" — P0 is auth-affecting or feature-breaking, P3 is "hardcoded but arguably fine."

---

P0 — Hardcoded tenant allowlists (exact #474 bug class)

These are functions that gate feature availability on a hardcoded set of org / queue / type IDs. Self-hosted deployments will never have these IDs, so the feature silently behaves differently for them.

P0.1 server/services/signalsService/SignalsService.ts:387-396 — isSignalEnabledForOrg allowlists two Cove-era org IDs (e7c89ce7729 "Local Test Example", 53d45130ba1 "Prod ML Test") for the AGGREGATION signal type. Anyone else calling SignalsService.getSignalsForOrg (line 189) gets AGGREGATION silently filtered out. Self-hosted deployments cannot enable this signal type without source changes.

function isSignalEnabledForOrg(signalId: SignalId, orgId: string) {
  if (signalId.type === 'AGGREGATION') {
    return [
      'e7c89ce7729' /* Local Test Example */,
      '53d45130ba1' /* Prod ML Test */,
    ].includes(orgId);
  }
  return true;
}

Fix shape: drop the gate entirely (release AGGREGATION generally), or convert to an org-settings flag / feature-flag table.

---

P0.2 server/services/ncmecService/ncmecReporting.ts:1182 — const testOrgs = ['4def6a77d6a', 'acc701627cb']; followed by if (testOrgs.includes(reportParams.orgId)) return 'UNSUPPORTED_ORG';. Comment confirms these were Cove demo accounts that should "click Send to NCMEC" but produce no real report. New deployments will never hit this branch, but the dead allowlist is the same shape as the #474 bug.

Fix shape: delete (these orgs no longer exist in the new repo), or replace with a per-org ncmec_dry_run flag in ncmec_org_settings.

---

P0.3 server/services/ncmecService/ncmecReporting.ts:1898 — thread.threadTypeId === 'c01a3f28dfa' switches NCMEC additionalInfo wording between "private message conversation" and "group message conversation". Deployments with any other thread type ID always get the "group" wording.

Fix shape: make this a property on the item type (e.g. schemaFieldRoles could expose a conversationKind: 'private' | 'group'), or surface as a free-text "default additional info" in NCMEC org settings.

---

P1 — Cove-era domain carry-overs (extends #370)

These swap cove for coop mechanically but the domain doesn't exist. Self-hosted Coop has no relationship with getcoop.com / coopapi.com / trycoop.co — those were Cove SaaS infrastructure.

P1.1 server/utils/url.ts:13-19 — defaultBlockedHostnames() returns invented domains. Same as #370 (already filed) — flagging here to keep the audit complete.

P1.2 server/api.ts:295-310 — SAML/SSO bypass for @getcoop.com emails. Login flow allows password login (skipping enforced SAML) when the email domain is getcoop.com. Two problems:

1. Self-hosted operators have no admin with that domain → if they enable SAML they're locked out of password-recovery.
2. Anyone with a @getcoop.com address could in principle bypass SAML on someone else's deployment.

if (
  samlSettings?.saml_enabled &&
  // We allow Coop users to log in with email/password even if SSO is
  // enabled so Coop employees can manage user accounts
  String(email).split('@')[1] !== 'getcoop.com'
) { /* require SAML */ }

The comment ("so Coop employees can manage user accounts") is the Cove support-engineer carve-out, copied wholesale. Security relevant — arguably this is P0 if you weight auth-affecting issues higher; flagging here so reviewers can re-grade.

Fix shape: delete the carve-out, or replace with an explicit per-deployment SAML_BYPASS_DOMAINS env var (empty by default).

P1.3 .env.githubci:75 — CI default UI_URL=https://getcoop.com. Cosmetic but contributes to the impression that the domain matters.

---

P2 — Hardcoded NCMEC endpoint URLs (post-#474)

P2.1 server/services/ncmecService/ncmecReporting.ts:1971-1972 — isTest ? 'https://exttest.cybertip.org/…' : 'https://report.cybertip.org/…'. The switch is config-driven via NCMEC_ENV post-#474, but the URLs themselves are inlined string literals. Means there's no way to point at a mock NCMEC server in integration tests (#341 will care about this).

Fix shape: lift to NCMEC_SANDBOX_URL / NCMEC_PRODUCTION_URL env vars with the current values as defaults.

P2.2 server/services/ncmecService/ncmecReporting.ts:1958 — stale TODO comment ("update this to https://report.cybertip.org/ispws when we want to submit real reports"). Post-#474 this is obsolete and should be removed.

---

P3 — Other hardcoded third-party API endpoints (no override path)

These aren't tenant gates; they're prod URLs with no constructor / env override. Lower priority but the right shape for an audit.

P3.1 server/services/signalsService/signals/third_party_signals/google/content_safety/googleContentSafetyLib.ts:42 — baseUrl = 'https://contentsafety.googleapis.com/v1beta1/images:classify', private, no override.

P3.2 server/services/signalsService/signals/third_party_signals/open_ai/whisper/OpenAiWhisperTranscriptionSignal.ts:216 — url: 'https://api.openai.com/v1/audio/transcriptions'. Blocks Azure OpenAI / OpenAI-compatible providers (Together, vLLM, etc.).

P3.3 server/services/signalsService/signals/third_party_signals/open_ai/moderation/openAIModerationUtils.ts:140 — url: 'https://api.openai.com/v1/moderations'. Same.

Fix shape: standardize on an OPENAI_BASE_URL / GOOGLE_CONTENT_SAFETY_BASE_URL env, defaulting to the current values.

---

Not findings (false positives — flag for the magic-UUID lint in #484)

The audit caught these but they're legitimate; #484's lint will need to allowlist patterns like these:

• server/utils/sql.ts:36 — SUBQUERY_ALIAS = 'dc2d41a9-...' is a randomly-chosen opaque alias string, not a tenant ID.
• server/services/signalAuthService/signalAuthService.ts:127-172 — integrationId === Integration.OPEN_AI etc. branches on a TypeScript enum, not a tenant ID. Legitimate dispatch.
• server/services/hmaService/index.ts:106-109 — NCMEC environment URLs appear as user-selectable choices in a config schema, not as routing code.
• Various process.env.NODE_ENV === 'production' checks for cookie secure flag, GraphQL introspection, dev-only fallback returns. Legitimate environment gates.

---

Suggested next steps

1. P1.2 (SAML bypass) is the highest leverage for security — auth-affecting and could lock self-hosted operators out. Worth a security-labeled issue and a one-line PR; consider promoting to P0.
2. P0.1 (AGGREGATION signal gate) is a quick win and visible: deleting the gate makes a feature available everywhere.
3. P0.2 (NCMEC testOrgs) is dead code in the new repo; delete it.
4. P0.3, P2.1, P2.2, P3.1–P3.3 can be a single "lift hardcoded URLs and tenant-specific behavior to config" PR if scoped tightly.
5. The findings here are concrete test cases for the env-contract test in Add env contract test: default deploy uses sandbox/test endpoints for all external integrations #483 — once that exists, each of these locations should be asserted on.
6. The pattern of "Cove employee-only paths" (P1.2) suggests one more class to grep for: any conditional that depends on the user's email domain or a hardcoded org name string. None other surfaced in this pass, but worth keeping in mind.

---

🤖 Generated with Claude Code

[julietshen]

Related - the queue job timeout time (10 minutes) is a hardcoded constant in service code that should be configurable per deployment. Flagging as an additional P3

coop/server/services/manualReviewToolService/modules/QueueOperations.ts

Line 1486 in 424f7a5

lockDuration: 600000,