fix(workflows): streamline middleware api key auth

Author: PlaneInABottle

apps/sim/app/api/workflows/middleware.test.ts

@@ -147,6 +147,29 @@ describe('validateWorkflowAccess', () => {
     expect(mockAuthorizeWorkflowByWorkspacePermission).not.toHaveBeenCalled()
   })
 
+  it('returns 403 when active workflow record lacks workspaceId and skips api key auth', async () => {
+    const request = new NextRequest(`http://localhost:3000/api/workflows/${WORKFLOW_ID}/status`, {
+      headers: { 'x-api-key': 'personal-key' },
+    })
+    mockGetActiveWorkflowRecord.mockResolvedValue(createWorkflow({ workspaceId: null }))
+
+    const result = await validateWorkflowAccess(request, WORKFLOW_ID, {
+      requireDeployment: false,
+      action: 'read',
+    })
+
+    expect(result).toEqual({
+      error: {
+        message:
+          'This workflow is not attached to a workspace. Personal workflows are deprecated and cannot be accessed.',
+        status: 403,
+      },
+    })
+    expect(mockAuthenticateApiKeyFromHeader).not.toHaveBeenCalled()
+    expect(mockUpdateApiKeyLastUsed).not.toHaveBeenCalled()
+    expect(mockAuthorizeWorkflowByWorkspacePermission).not.toHaveBeenCalled()
+  })
+
   it('returns 404 for authenticated workflow in an archived workspace', async () => {
     mockGetActiveWorkflowRecord.mockResolvedValue(null)
     mockGetWorkflowById.mockResolvedValue(createWorkflow())
@@ -310,6 +333,8 @@ describe('validateWorkflowAccess', () => {
       workspaceId: WORKSPACE_ID,
       keyTypes: ['workspace', 'personal'],
     })
+    expect(mockCheckHybridAuth).not.toHaveBeenCalled()
+    expect(mockUpdateApiKeyLastUsed).toHaveBeenCalledTimes(1)
     expect(mockUpdateApiKeyLastUsed).toHaveBeenCalledWith('key-1')
     expect(mockAuthorizeWorkflowByWorkspacePermission).toHaveBeenCalledWith({
       workflowId: WORKFLOW_ID,
@@ -382,6 +407,8 @@ describe('validateWorkflowAccess', () => {
       workspaceId: WORKSPACE_ID,
       keyTypes: ['workspace', 'personal'],
     })
+    expect(mockCheckHybridAuth).not.toHaveBeenCalled()
+    expect(mockUpdateApiKeyLastUsed).toHaveBeenCalledTimes(1)
     expect(mockUpdateApiKeyLastUsed).toHaveBeenCalledWith('key-1')
     expect(mockAuthorizeWorkflowByWorkspacePermission).toHaveBeenCalledWith({
       workflowId: WORKFLOW_ID,

apps/sim/app/api/workflows/middleware.ts

@@ -27,6 +27,16 @@ export interface WorkflowAccessOptions {
 async function getValidatedWorkflow(workflowId: string): Promise<ValidationResult> {
   const activeWorkflow = await getActiveWorkflowRecord(workflowId)
   if (activeWorkflow) {
+    if (!activeWorkflow.workspaceId) {
+      return {
+        error: {
+          message:
+            'This workflow is not attached to a workspace. Personal workflows are deprecated and cannot be accessed.',
+          status: 403,
+        },
+      }
+    }
+
     return { workflow: activeWorkflow }
   }
 
@@ -71,39 +81,20 @@ export async function validateWorkflowAccess(
     const allowInternalSecret = normalizedOptions.allowInternalSecret ?? false
 
     if (!requireDeployment) {
-      const auth = await checkHybridAuth(request, { requireWorkflowId: false })
-      if (!auth.success || !auth.userId) {
-        return {
-          error: {
-            message: auth.error || 'Unauthorized',
-            status: 401,
-          },
-        }
-      }
-
       const workflowResult = await getValidatedWorkflow(workflowId)
       if (workflowResult.error || !workflowResult.workflow) {
         return workflowResult
       }
       const workflow = workflowResult.workflow
+      const apiKeyHeader = request.headers.get('x-api-key')
 
-      if (auth.authType === AuthType.API_KEY) {
-        const apiKeyHeader = request.headers.get('x-api-key')
-        if (!apiKeyHeader) {
-          return {
-            error: {
-              message: 'Unauthorized: Invalid API key',
-              status: 401,
-            },
-          }
-        }
-
+      if (apiKeyHeader) {
         const scopedApiKeyResult = await authenticateApiKeyFromHeader(apiKeyHeader, {
           workspaceId: workflow.workspaceId as string,
           keyTypes: ['workspace', 'personal'],
         })
 
-        if (!scopedApiKeyResult.success) {
+        if (!scopedApiKeyResult.success || !scopedApiKeyResult.userId) {
           return {
             error: {
               message: 'Unauthorized: Invalid API key',
@@ -112,7 +103,11 @@ export async function validateWorkflowAccess(
           }
         }
 
-        if (!scopedApiKeyResult.userId) {
+        if (scopedApiKeyResult.keyId) {
+          await updateApiKeyLastUsed(scopedApiKeyResult.keyId)
+        }
+
+        if (!scopedApiKeyResult.workspaceId) {
           return {
             error: {
               message: 'Unauthorized: Invalid API key',
@@ -121,26 +116,40 @@ export async function validateWorkflowAccess(
           }
         }
 
-        if (scopedApiKeyResult.keyId) {
-          await updateApiKeyLastUsed(scopedApiKeyResult.keyId)
+        const auth: AuthResult = {
+          success: true,
+          userId: scopedApiKeyResult.userId,
+          workspaceId: scopedApiKeyResult.workspaceId,
+          userName: scopedApiKeyResult.userName,
+          userEmail: scopedApiKeyResult.userEmail,
+          authType: AuthType.API_KEY,
+          apiKeyType: scopedApiKeyResult.keyType,
         }
 
-        auth.workspaceId = scopedApiKeyResult.workspaceId
-        auth.userId = scopedApiKeyResult.userId
-        auth.userName = scopedApiKeyResult.userName
-        auth.userEmail = scopedApiKeyResult.userEmail
-        auth.apiKeyType = scopedApiKeyResult.keyType
+        const authorization = await authorizeWorkflowByWorkspacePermission({
+          workflowId,
+          userId: scopedApiKeyResult.userId,
+          action,
+          workflow,
+        })
+        if (!authorization.allowed) {
+          return {
+            error: {
+              message: authorization.message || 'Access denied',
+              status: authorization.status,
+            },
+          }
+        }
+
+        return { workflow, auth }
       }
 
-      if (
-        auth.authType === AuthType.API_KEY &&
-        auth.apiKeyType === 'workspace' &&
-        auth.workspaceId !== workflow.workspaceId
-      ) {
+      const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+      if (!auth.success || !auth.userId) {
         return {
           error: {
-            message: 'Workflow not found',
-            status: 404,
+            message: auth.error || 'Unauthorized',
+            status: 401,
           },
         }
       }