Bugfix/TTS Invalid WorkspaceId

[HenryHengZJ]

No description provided.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical bug in the Text-to-Speech (TTS) generation endpoint where requests could fail if the workspaceId was not present in the user's active session, particularly when accessed via the whitelist API. The changes introduce a robust fallback mechanism to derive the correct workspaceId directly from the chatflow, ensuring that TTS functionality remains stable and accessible across all integration points.

Highlights

• Bugfix: Invalid WorkspaceId for TTS: Implemented a fallback mechanism to correctly determine the workspaceId within the generateTextToSpeech function when req.user.activeWorkspaceId is not available, specifically addressing issues with whitelist API calls.
• Improved WorkspaceId Retrieval Logic: Modified the logic to first check for req.user.activeWorkspaceId and, if absent, fetch the chatflow without a workspaceId to then extract it from the chatflow object itself.
• Refactored Chatflow Fetching: Optimized the chatflow fetching process to avoid redundant database calls, ensuring the chatflow is fetched only once and used consistently.

Changelog

• packages/server/src/controllers/text-to-speech/index.ts
  • Introduced conditional logic to retrieve workspaceId from the chatflow object if req.user.activeWorkspaceId is not set.
  • Updated the error message for a missing workspace to be more generic, removing the specific workspaceId from the message.
  • Refactored the chatflow fetching to prevent duplicate database calls and ensure the correct chatflow instance is used after workspaceId determination.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request addresses a bug concerning invalid workspaceId in the Text-to-Speech controller by implementing a fallback mechanism. However, the current implementation introduces a significant security risk (Broken Access Control/IDOR) by allowing chatflows to be fetched without proper workspace-level authorization checks when the user's active workspaceId is not present. This could lead to unauthorized access to TTS configurations. Additionally, the logic, while sound, can be simplified for better readability and maintainability.

[gemini-code-assist]

The introduced fallback mechanism allows fetching a chatflow by its ID without verifying workspace ownership if req.user.activeWorkspaceId is not set. This bypasses the authorization check, allowing any user (or even unauthenticated users if the route is not protected) to access and use the Text-to-Speech configuration of any chatflow if they know its UUID. This is a Broken Access Control (IDOR) vulnerability. To remediate this, ensure that all access to chatflows is properly authorized. If public access or access via a 'whitelist API' is intended, it should be explicitly verified (e.g., by checking if the chatflow is marked as public or by validating an API key) rather than falling back to an unrestricted query. Additionally, the logic to determine the workspaceId and fetch the chatflow can be simplified for better readability and maintainability.

References

1. When implementing authorization checks, differentiate between internal and external API endpoints. Internal endpoints might have different authentication flows (e.g., cookie-based JWT for UI) compared to external API endpoints (e.g., API key authentication). Ensure that the correct authentication middleware populates req.user or equivalent for each endpoint type to avoid unintended authorization failures.
2. To improve readability and group validation logic, combine multiple preliminary checks into a single conditional block instead of using multiple early returns.
3. Prioritize code readability and understandability over conciseness. A series of simple, chained operations can be preferable to a single, more complex one (e.g., a complex regex with a replacer function) if it improves understandability and reduces the potential for future errors.

[HenryHengZJ]

What abortChatMessage does:

• Takes chatId and chatflowid from the request.
• Builds id = ${chatflowid}_${chatId} and either publishes an abort event (queue mode) or calls abortControllerPool.abort(id) (non-queue).

It does not read or write DB, return chat content, or change auth/ownership.

Prediction is whitelisted so public chatflows can run without auth; the client already has chatflowid and chatId.
The same client needs to call abort when the user stops or leaves (e.g. Stop button, page close).

If abort isn’t public, the embed would need an API key just for abort, which is inconsistent and often not available.

Scope is the same: anyone who can start a prediction for a public flow (with those ids) can abort that same run. The only extra power from making abort public is “stop this run,” not read data or escalate privileges.