
Commit 877e84a

committed
address bugbot comments
1 parent 7086b63 commit 877e84a


14 files changed

+168
-23
lines changed


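--- a/apps/sim/app/api/auth/oauth/utils.ts
+++ b/apps/sim/app/api/auth/oauth/utils.ts
@@ -27,16 +27,17 @@ interface AccountInsertData {
 
 /**
 * Resolves a credential ID to its underlying account ID.
-* If `credentialId` matches a `credential` row, returns its `accountId`.
+* If `credentialId` matches a `credential` row, returns its `accountId` and `workspaceId`.
 * Otherwise assumes `credentialId` is already a raw `account.id` (legacy).
 */
 export async function resolveOAuthAccountId(
 credentialId: string
-): Promise<{ accountId: string; usedCredentialTable: boolean } | null> {
+): Promise<{ accountId: string; workspaceId?: string; usedCredentialTable: boolean } | null> {
 const [credentialRow] = await db
 .select({
 type: credential.type,
 accountId: credential.accountId,
+workspaceId: credential.workspaceId,
 })
 .from(credential)
 .where(eq(credential.id, credentialId))
@@ -46,7 +47,11 @@ export async function resolveOAuthAccountId(
 if (credentialRow.type !== 'oauth' || !credentialRow.accountId) {
 return null
 }
-return { accountId: credentialRow.accountId, usedCredentialTable: true }
+return {
+accountId: credentialRow.accountId,
+workspaceId: credentialRow.workspaceId,
+usedCredentialTable: true,
+}
 }
 
 return { accountId: credentialId, usedCredentialTable: false }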
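Review bot: The JSDoc above `resolveOAuthAccountId` does not say that the legacy branch (`return { accountId: credentialId, usedCredentialTable: false }`) returns no `workspaceId`, although the route handlers changed in this commit use `if (resolved.workspaceId)` to decide whether the permission check runs at all. I would add a line such as `* The legacy path returns no workspaceId; callers must apply their own ownership check when it is absent.` so that an absent value is never read as "authorized". If `credential.workspaceId` is a nullable column (its schema is not visible here), the declared `workspaceId?: string` would also need `| null`. The function body continues outside both hunks.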

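--- a/apps/sim/app/api/auth/oauth/wealthbox/item/route.ts
+++ b/apps/sim/app/api/auth/oauth/wealthbox/item/route.ts
@@ -62,6 +62,18 @@ export async function GET(request: NextRequest) {
 return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
 }
 
+if (resolved.workspaceId) {
+const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+const perm = await getUserEntityPermissions(
+session.user.id,
+'workspace',
+resolved.workspaceId
+)
+if (perm === null) {
+return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+}
+}
+
 const credentials = await db
 .select()
 .from(account)
@@ -73,19 +85,11 @@ export async function GET(request: NextRequest) {
 return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
 }
 
-const credential = credentials[0]
-
-if (credential.userId !== session.user.id) {
-logger.warn(`[${requestId}] Unauthorized credential access attempt`, {
-credentialUserId: credential.userId,
-requestUserId: session.user.id,
-})
-return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-}
+const accountRow = credentials[0]
 
 const accessToken = await refreshAccessTokenIfNeeded(
 resolved.accountId,
-session.user.id,
+accountRow.userId,
 requestId
 )
 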
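Review bot: The second hunk removes the `credential.userId !== session.user.id` check without a replacement for requests where `resolved.workspaceId` is unset, which is what the legacy branch of `resolveOAuthAccountId` returns for a raw `account.id`. On that path neither the workspace permission check nor an ownership check runs, and `refreshAccessTokenIfNeeded` is then called with `accountRow.userId`, so the token is refreshed on behalf of whichever user owns the row; the `where` clause of the account query lies outside the hunk, so confirm it does not already filter by the session user. I would keep the ownership test for the legacy case directly after `const accountRow = credentials[0]`: `if (!resolved.workspaceId && accountRow.userId !== session.user.id) {` `return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })` `}`. The same removal is made in `wealthbox/items/route.ts` and needs the same guard.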

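--- a/apps/sim/app/api/auth/oauth/wealthbox/items/route.ts
+++ b/apps/sim/app/api/auth/oauth/wealthbox/items/route.ts
@@ -52,6 +52,18 @@ export async function GET(request: NextRequest) {
 return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
 }
 
+if (resolved.workspaceId) {
+const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+const perm = await getUserEntityPermissions(
+session.user.id,
+'workspace',
+resolved.workspaceId
+)
+if (perm === null) {
+return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+}
+}
+
 const credentials = await db
 .select()
 .from(account)
@@ -63,19 +75,11 @@ export async function GET(request: NextRequest) {
 return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
 }
 
-const credential = credentials[0]
-
-if (credential.userId !== session.user.id) {
-logger.warn(`[${requestId}] Unauthorized credential access attempt`, {
-credentialUserId: credential.userId,
-requestUserId: session.user.id,
-})
-return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-}
+const accountRow = credentials[0]
 
 const accessToken = await refreshAccessTokenIfNeeded(
 resolved.accountId,
-session.user.id,
+accountRow.userId,
 requestId
 )
 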
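Review bot: The new `Forbidden` return in the first hunk is silent, whereas the ownership check removed in the second hunk wrote a `logger.warn` carrying both user ids, so a denied credential access no longer leaves anything for detection or audit. I would log before returning, for example ``logger.warn(`[${requestId}] Workspace permission denied for credential`, { workspaceId: resolved.workspaceId, requestUserId: session.user.id })``; `logger` and `requestId` appear in the removed lines, so they are presumably still in scope at the new block. The same applies to the identical block in `wealthbox/item/route.ts` and, if those handlers have a logger, to the `tools/*` routes changed in this commit.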

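--- a/apps/sim/app/api/tools/gmail/label/route.ts
+++ b/apps/sim/app/api/tools/gmail/label/route.ts
@@ -46,6 +46,18 @@ export async function GET(request: NextRequest) {
 return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
 }
 
+if (resolved.workspaceId) {
+const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+const perm = await getUserEntityPermissions(
+session.user.id,
+'workspace',
+resolved.workspaceId
+)
+if (perm === null) {
+return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+}
+}
+
 const credentials = await db
 .select()
 .from(account)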
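Review bot: This twelve-line permission block, including the `await import('@/lib/workspaces/permissions/utils')` inside the handler, is pasted unchanged into nine route handlers in this commit (both `wealthbox` routes, `gmail/label`, `gmail/labels`, `microsoft_planner/tasks`, `onedrive/files`, `onedrive/folder`, `onedrive/folders`, `outlook/folders`), so any later change to the authorization rule has to be made nine times and one missed copy leaves a route weaker than the rest. I would move it into a single shared helper and have each route call it; the helper name below is only a suggestion, and if the dynamic import exists to break an import cycle it can stay inside the helper. Note also that `perm === null` admits every permission level, which should be a deliberate choice recorded in the helper's doc comment. The GET handler continues outside the hunk, so what ownership check follows the account query is not visible here.

```typescript
// proposed shared helper (name is a suggestion)
export async function canUseResolvedCredential(
  userId: string,
  workspaceId: string | undefined
): Promise<boolean> {
  // No workspace means a legacy account id: the caller keeps its own ownership check.
  if (!workspaceId) return true
  const perm = await getUserEntityPermissions(userId, 'workspace', workspaceId)
  return perm !== null
}

// in the route handler, replacing the pasted block
if (!(await canUseResolvedCredential(session.user.id, resolved.workspaceId))) {
  return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
}
// … unchanged: account lookup …
```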

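--- a/apps/sim/app/api/tools/gmail/labels/route.ts
+++ b/apps/sim/app/api/tools/gmail/labels/route.ts
@@ -50,6 +50,18 @@ export async function GET(request: NextRequest) {
 return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
 }
 
+if (resolved.workspaceId) {
+const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+const perm = await getUserEntityPermissions(
+session.user.id,
+'workspace',
+resolved.workspaceId
+)
+if (perm === null) {
+return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+}
+}
+
 const credentials = await db
 .select()
 .from(account)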

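--- a/apps/sim/app/api/tools/microsoft_planner/tasks/route.ts
+++ b/apps/sim/app/api/tools/microsoft_planner/tasks/route.ts
@@ -47,6 +47,18 @@ export async function GET(request: NextRequest) {
 return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
 }
 
+if (resolved.workspaceId) {
+const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+const perm = await getUserEntityPermissions(
+session.user.id,
+'workspace',
+resolved.workspaceId
+)
+if (perm === null) {
+return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+}
+}
+
 const credentials = await db
 .select()
 .from(account)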

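--- a/apps/sim/app/api/tools/onedrive/files/route.ts
+++ b/apps/sim/app/api/tools/onedrive/files/route.ts
@@ -50,6 +50,18 @@ export async function GET(request: NextRequest) {
 return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
 }
 
+if (resolved.workspaceId) {
+const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+const perm = await getUserEntityPermissions(
+session.user.id,
+'workspace',
+resolved.workspaceId
+)
+if (perm === null) {
+return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+}
+}
+
 const credentials = await db
 .select()
 .from(account)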

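--- a/apps/sim/app/api/tools/onedrive/folder/route.ts
+++ b/apps/sim/app/api/tools/onedrive/folder/route.ts
@@ -39,6 +39,18 @@ export async function GET(request: NextRequest) {
 return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
 }
 
+if (resolved.workspaceId) {
+const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+const perm = await getUserEntityPermissions(
+session.user.id,
+'workspace',
+resolved.workspaceId
+)
+if (perm === null) {
+return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+}
+}
+
 const credentials = await db
 .select()
 .from(account)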

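--- a/apps/sim/app/api/tools/onedrive/folders/route.ts
+++ b/apps/sim/app/api/tools/onedrive/folders/route.ts
@@ -45,6 +45,18 @@ export async function GET(request: NextRequest) {
 return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
 }
 
+if (resolved.workspaceId) {
+const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+const perm = await getUserEntityPermissions(
+session.user.id,
+'workspace',
+resolved.workspaceId
+)
+if (perm === null) {
+return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+}
+}
+
 const credentials = await db
 .select()
 .from(account)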

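--- a/apps/sim/app/api/tools/outlook/folders/route.ts
+++ b/apps/sim/app/api/tools/outlook/folders/route.ts
@@ -49,6 +49,18 @@ export async function GET(request: Request) {
 return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
 }
 
+if (resolved.workspaceId) {
+const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+const perm = await getUserEntityPermissions(
+session!.user!.id,
+'workspace',
+resolved.workspaceId
+)
+if (perm === null) {
+return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+}
+}
+
 const creds = await db
 .select()
 .from(account)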
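Review bot: `session!.user!.id` silences the compiler instead of checking the session, so if `session` or `session.user` can be absent at this point the handler throws and answers with a 500 rather than rejecting the request. The other routes in this commit read `session.user.id` directly, which suggests their session is already narrowed; whether this handler has an earlier session check is outside the hunk. I would narrow once before the permission block, e.g. `const userId = session?.user?.id` followed by `if (!userId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })`, and pass `userId` to `getUserEntityPermissions`.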
