fix(vault-migration): enforce org ownership before updating namespace config#5936

Merged
akhilmhdh merged 3 commits into Infisical:main from syedmazharaliraza:fix/vault-config-update-org-authorization
Apr 5, 2026
Conversation

@syedmazharaliraza
Contributor

@syedmazharaliraza syedmazharaliraza commented Apr 3, 2026

Fixes #5941

Context

This fixes a cross-org authorization gap in Vault namespace config updates.

Before this change, updateVaultExternalMigration updated configs by raw id and did not verify that the target config belonged to the actor's organization. If an org admin knew another org's config UUID, they could attempt to mutate it. Missing IDs could also flow into invalid response states.

Now, the update flow first loads the config by id, returns 404 when not found, and returns 403 if config.orgId !== actor.orgId before performing the update.

Related issue: High - Cross-org update authorization gap on Vault namespace configs.

Screenshots

N/A (no UI changes).

Steps to verify the change

  1. Create or identify a Vault external migration config in orgA and note its id.
  2. As an admin in orgB, call PUT /api/v3/external-migration/vault/configs/:id using the orgA config id.
  3. Confirm the API returns 403 with message: Config does not belong to this organization.
  4. Call the same endpoint with a non-existent id.
  5. Confirm the API returns 404 with message: Vault migration config not found.
  6. As an admin in the owning org (orgA), call the same endpoint with a valid payload.
  7. Confirm the API returns 200 and the config is updated.

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Updated CLAUDE.md files (if needed)
  • Read the contributing guide
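The ownership check described in this PR, written out as an added example (TypeScript, the project's language; not Infisical's own code). It models the "before" path that updates by raw id beside the "after" path that loads the row, answers 404 when it is missing and 403 when `config.orgId` differs from `actor.orgId`. The DAL class, type names and sample rows are assumptions constructed for the example.

```typescript
// Added example, not Infisical's code. Names below (VaultMigrationConfig,
// InMemoryVaultConfigDal, updateVaultConfig*) are assumptions for illustration.

export type VaultMigrationConfig = { id: string; orgId: string; namespace: string };
export type Actor = { id: string; orgId: string };
export type ConfigPatch = Partial<Pick<VaultMigrationConfig, "namespace">>;

// Error carrying the HTTP status the service would map it to.
export class HttpError extends Error {
  readonly status: number;
  constructor(status: number, message: string) {
    super(message);
    this.status = status;
  }
}

// Stand-in for the service's DAL. findById returns the row including orgId,
// which is what the ownership check relies on.
export class InMemoryVaultConfigDal {
  private rows = new Map<string, VaultMigrationConfig>();
  constructor(seed: VaultMigrationConfig[]) {
    for (const r of seed) this.rows.set(r.id, { ...r });
  }
  findById(id: string): VaultMigrationConfig | undefined {
    const r = this.rows.get(id);
    return r ? { ...r } : undefined;
  }
  updateById(id: string, patch: ConfigPatch): VaultMigrationConfig | undefined {
    const r = this.rows.get(id);
    if (!r) return undefined;
    const updated = { ...r, ...patch };
    this.rows.set(id, updated);
    return { ...updated };
  }
}

// BEFORE the fix: the update is keyed only on the raw id, so the actor's org is
// never compared with the row's org. Any caller who knows the UUID can mutate it.
export function updateVaultConfigUnchecked(
  dal: InMemoryVaultConfigDal, id: string, patch: ConfigPatch, _actor: Actor
): VaultMigrationConfig | undefined {
  return dal.updateById(id, patch);
}

// AFTER the fix: load first, 404 if absent, 403 if owned by another org, then update.
export function updateVaultConfigChecked(
  dal: InMemoryVaultConfigDal, id: string, patch: ConfigPatch, actor: Actor
): VaultMigrationConfig {
  const config = dal.findById(id);
  if (!config) throw new HttpError(404, "Vault migration config not found");
  if (config.orgId !== actor.orgId) {
    throw new HttpError(403, "Config does not belong to this organization");
  }
  return dal.updateById(id, patch) as VaultMigrationConfig;
}

// Runs a call and returns the HttpError it raised (status + message), or null on success.
export function captureHttpError(fn: () => unknown): { status: number; message: string } | null {
  try {
    fn();
    return null;
  } catch (e) {
    if (e instanceof HttpError) return { status: e.status, message: e.message };
    throw e;
  }
}

// Constructed sample data: one config owned by orgA, admins from orgA and orgB.
export const sampleDal = (): InMemoryVaultConfigDal =>
  new InMemoryVaultConfigDal([{ id: "cfg-org-a", orgId: "orgA", namespace: "team-a" }]);
export const orgAAdmin: Actor = { id: "user-a", orgId: "orgA" };
export const orgBAdmin: Actor = { id: "user-b", orgId: "orgB" };

// Walks the three verification steps from the PR against the checked path and
// shows the unchecked path letting the cross-org write through.
export function demo(): { crossOrgStatus: number; missingStatus: number; ownerNamespace: string; uncheckedLeaked: boolean } {
  const dal = sampleDal();
  const crossOrg = captureHttpError(() =>
    updateVaultConfigChecked(dal, "cfg-org-a", { namespace: "changed-by-orgB" }, orgBAdmin));
  const missing = captureHttpError(() =>
    updateVaultConfigChecked(dal, "does-not-exist", {}, orgAAdmin));
  const owner = updateVaultConfigChecked(dal, "cfg-org-a", { namespace: "team-a-v2" }, orgAAdmin);
  const leaky = sampleDal();
  const leaked = updateVaultConfigUnchecked(leaky, "cfg-org-a", { namespace: "changed-by-orgB" }, orgBAdmin);
  return {
    crossOrgStatus: crossOrg ? crossOrg.status : 0,
    missingStatus: missing ? missing.status : 0,
    ownerNamespace: owner.namespace,
    uncheckedLeaked: leaked !== undefined && leaked.namespace === "changed-by-orgB",
  };
}
```

The checked path keeps the PR's stated responses (404 for a missing id, 403 for a foreign org). The review comment below notes that answering 403 rather than 404 tells a caller from another org that the UUID exists; a service that wants to avoid that would return 404 in both branches, which is a one-line change in `updateVaultConfigChecked`.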

@maidul98
Collaborator

maidul98 commented Apr 3, 2026

Snyk checks have passed. No issues have been found so far.

Status   Scan Engine            Critical   High   Medium   Low   Total (0)
         Open Source Security   0          0      0        0     0 issues

@greptile-apps
Contributor

greptile-apps bot commented Apr 3, 2026

Greptile Summary

This PR closes a cross-org authorization gap in updateVaultExternalMigration by loading the target config before updating it, throwing 404 if it doesn't exist and 403 if its orgId doesn't match the actor's org. The fix is minimal, correct, and consistent with the rest of the service's permission patterns.

Confidence Score: 5/5

Safe to merge — the authorization fix is correct and the single P2 finding is a minor hardening suggestion that does not block merge.

All findings are P2. The core security fix (ownership check before update) is properly implemented using the existing DAL's findById which returns the orgId field. No logic errors, no data loss risk, no breaking changes.

No files require special attention.

Important Files Changed

Filename: backend/src/services/external-migration/external-migration-service.ts
Overview: Adds ownership check before updating Vault migration config: 404 if not found, 403 if orgId doesn't match actor's org. Minor info-disclosure concern: returning 403 (vs 404) reveals that a config with the given UUID exists to actors from other orgs.

Reviews (1): Last reviewed commit: "fix(vault-migration): enforce org owners..."

syedmazharaliraza and others added 2 commits April 4, 2026 17:54
…vice.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
@akhilmhdh akhilmhdh merged commit ea9790e into Infisical:main Apr 5, 2026
3 checks passed
Development

Successfully merging this pull request may close these issues.

IDOR in Vault Namespace Config Update API Enables Cross-Org Modification

3 participants