Skip to content

Remediation Plan: Audit Findings (Jan 2026)

Remediation Plan: Audit Findings (Jan 2026)

Goal

Address critical security and correctness issues identified in the codebase audit:

Voice Authorization: Prevent users with non-positive balances from initiating calls.
Strict Domain Enforcement: Stop auto-provisioning seats. If a domain is owned by a Company, users cannot sign up/log in as Individuals or automatically join. They must be explicitly invited (or request access).

Changes Implemented

Voice Authorization

[NEW] twilio_controller_test.rb

Test blocking calls with 0 balance.

[MODIFY] twilio_controller.rb

Add balance check logic to voice action.

Auth: Strict Domain Enforcement

[MODIFY] company_seat.rb

Remove Auto-Provisioning: Delete the lines in fetch_resource_for_passwordless that create a seat if the account exists. It should now only return an existing seat or nil.

[MODIFY] sessions_controller.rb

Enforce Block:
- existing: fetch_resource_for_passwordless (returns Seat or nil).
- New Logic:
  - If Seat found -> Login.
  - If Seat NOT found:
    - Check Account.company.for_allowed_domain(email_domain).exists?
    - If YES (Domain Claimed): Render Error (“Access Restricted: Please contact your company administrator.”).
    - If NO (Domain Free): Proceed to User (Individual) logic.

Verification

Manual Verification

Voice: Set balance 0, call -> Fail.
Auth:
- Register Company Acme (acme.com).
- Incognito window: Try to login employee@acme.com (who has no seat).
- Expect: “Access Restricted” message. No magic link sent.

Post-Launch Phase

[!NOTE] Reimbursement Strategy Create a process to refund or transfer remaining balances from dormant individual accounts to the user or the new company account.

Action: Identify “shadowed” accounts with balance > 0.

Mechanism: Manual support workflow or automated refund to original payment method.