fix: harden workflow API auth follow-ups

Co-authored-by: GitHub Copilot <github-copilot[bot]@users.noreply.github.com>

Author: PlaneInABottle

apps/sim/app/api/workflows/[id]/deploy/route.test.ts

@@ -7,6 +7,7 @@ import { beforeEach, describe, expect, it, vi } from 'vitest'
 
 const {
   mockCleanupWebhooksForWorkflow,
+  mockRecordAudit,
   mockDbLimit,
   mockDbOrderBy,
   mockDbFrom,
@@ -23,8 +24,10 @@ const {
   mockUndeployWorkflow,
   mockValidatePublicApiAllowed,
   mockValidateWorkflowAccess,
+  mockValidateWorkflowPermissions,
 } = vi.hoisted(() => ({
   mockCleanupWebhooksForWorkflow: vi.fn(),
+  mockRecordAudit: vi.fn(),
   mockDbLimit: vi.fn(),
   mockDbOrderBy: vi.fn(),
   mockDbFrom: vi.fn(),
@@ -41,14 +44,15 @@ const {
   mockUndeployWorkflow: vi.fn(),
   mockValidatePublicApiAllowed: vi.fn(),
   mockValidateWorkflowAccess: vi.fn(),
+  mockValidateWorkflowPermissions: vi.fn(),
 }))
 
 vi.mock('@sim/logger', () => ({
   createLogger: () => ({ info: vi.fn(), warn: vi.fn(), error: vi.fn() }),
 }))
 
 vi.mock('@/lib/workflows/utils', () => ({
-  validateWorkflowPermissions: vi.fn(),
+  validateWorkflowPermissions: (...args: unknown[]) => mockValidateWorkflowPermissions(...args),
 }))
 
 vi.mock('@/app/api/workflows/middleware', () => ({
@@ -105,7 +109,7 @@ vi.mock('@/lib/mcp/workflow-mcp-sync', () => ({
 vi.mock('@/lib/audit/log', () => ({
   AuditAction: {},
   AuditResourceType: {},
-  recordAudit: vi.fn(),
+  recordAudit: (...args: unknown[]) => mockRecordAudit(...args),
 }))
 
 vi.mock('@/ee/access-control/utils/permission-check', () => ({
@@ -142,7 +146,13 @@ describe('Workflow deploy route', () => {
   it('allows API-key auth for deploy using hybrid auth userId', async () => {
     mockValidateWorkflowAccess.mockResolvedValue({
       workflow: { id: 'wf-1', name: 'Test Workflow', workspaceId: 'ws-1' },
-      auth: { success: true, userId: 'api-user', authType: 'api_key' },
+      auth: {
+        success: true,
+        userId: 'api-user',
+        userName: 'API Key User',
+        userEmail: 'api@example.com',
+        authType: 'api_key',
+      },
     })
     mockDeployWorkflow.mockResolvedValue({
       success: true,
@@ -164,12 +174,26 @@ describe('Workflow deploy route', () => {
       deployedBy: 'api-user',
       workflowName: 'Test Workflow',
     })
+    expect(mockValidateWorkflowPermissions).not.toHaveBeenCalled()
+    expect(mockRecordAudit).toHaveBeenCalledWith(
+      expect.objectContaining({
+        actorId: 'api-user',
+        actorName: 'API Key User',
+        actorEmail: 'api@example.com',
+      })
+    )
   })
 
   it('allows API-key auth for undeploy using hybrid auth userId', async () => {
     mockValidateWorkflowAccess.mockResolvedValue({
       workflow: { id: 'wf-1', name: 'Test Workflow', workspaceId: 'ws-1' },
-      auth: { success: true, userId: 'api-user', authType: 'api_key' },
+      auth: {
+        success: true,
+        userId: 'api-user',
+        userName: 'API Key User',
+        userEmail: 'api@example.com',
+        authType: 'api_key',
+      },
     })
     mockUndeployWorkflow.mockResolvedValue({ success: true })
 
@@ -183,6 +207,14 @@ describe('Workflow deploy route', () => {
     const data = await response.json()
     expect(data.isDeployed).toBe(false)
     expect(mockUndeployWorkflow).toHaveBeenCalledWith({ workflowId: 'wf-1' })
+    expect(mockValidateWorkflowPermissions).not.toHaveBeenCalled()
+    expect(mockRecordAudit).toHaveBeenCalledWith(
+      expect.objectContaining({
+        actorId: 'api-user',
+        actorName: 'API Key User',
+        actorEmail: 'api@example.com',
+      })
+    )
   })
 
   it('checks public API restrictions against hybrid auth userId', async () => {

apps/sim/app/api/workflows/[id]/deploy/route.ts

@@ -21,7 +21,6 @@ import {
   createSchedulesForDeploy,
   validateWorkflowSchedules,
 } from '@/lib/workflows/schedules'
-import { validateWorkflowPermissions } from '@/lib/workflows/utils'
 import { validateWorkflowAccess } from '@/app/api/workflows/middleware'
 import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
 import type { WorkflowState } from '@/stores/workflows/workflow/types'
@@ -34,21 +33,12 @@ export const runtime = 'nodejs'
 type LifecycleAdminAccessResult = {
   error: { message: string; status: number } | null | undefined
   auth: AuthResult | null | undefined
-  session:
-    | Awaited<ReturnType<typeof validateWorkflowPermissions>>['session']
-    | null
-    | undefined
-  workflow:
-    | Awaited<ReturnType<typeof validateWorkflowPermissions>>['workflow']
-    | Awaited<ReturnType<typeof validateWorkflowAccess>>['workflow']
-    | null
-    | undefined
+  workflow: Awaited<ReturnType<typeof validateWorkflowAccess>>['workflow'] | null | undefined
 }
 
 async function validateLifecycleAdminAccess(
   request: NextRequest,
-  workflowId: string,
-  requestId: string
+  workflowId: string
 ): Promise<LifecycleAdminAccessResult> {
   const hybridAccess = await validateWorkflowAccess(request, workflowId, {
     requireDeployment: false,
@@ -59,35 +49,13 @@ async function validateLifecycleAdminAccess(
     return {
       error: hybridAccess.error,
       auth: hybridAccess.auth,
-      session: null,
       workflow: hybridAccess.workflow,
     }
   }
 
-  if (hybridAccess.auth?.authType === 'session') {
-    const sessionAccess = await validateWorkflowPermissions(workflowId, requestId, 'admin')
-    const auth: AuthResult | null = sessionAccess.session?.user?.id
-      ? {
-          success: true,
-          userId: sessionAccess.session.user.id,
-          userName: sessionAccess.session.user.name,
-          userEmail: sessionAccess.session.user.email,
-          authType: 'session',
-        }
-      : null
-
-    return {
-      error: sessionAccess.error,
-      auth,
-      session: sessionAccess.session,
-      workflow: sessionAccess.workflow,
-    }
-  }
-
   return {
     error: null,
     auth: hybridAccess.auth,
-    session: null,
     workflow: hybridAccess.workflow,
   }
 }
@@ -178,17 +146,12 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
   const { id } = await params
 
   try {
-    const {
-      auth,
-      error,
-      session,
-      workflow: workflowData,
-    } = await validateLifecycleAdminAccess(request, id, requestId)
+    const { auth, error, workflow: workflowData } = await validateLifecycleAdminAccess(request, id)
     if (error) {
       return createErrorResponse(error.message, error.status)
     }
 
-    const actorUserId: string | null = session?.user?.id ?? auth?.userId ?? null
+    const actorUserId: string | null = auth?.userId ?? null
     if (!actorUserId) {
       logger.warn(`[${requestId}] Unable to resolve actor user for workflow deployment: ${id}`)
       return createErrorResponse('Unable to determine deploying user', 400)
@@ -329,8 +292,8 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
     recordAudit({
       workspaceId: workflowData?.workspaceId || null,
       actorId: actorUserId,
-      actorName: session?.user?.name,
-      actorEmail: session?.user?.email,
+      actorName: auth?.userName,
+      actorEmail: auth?.userEmail,
       action: AuditAction.WORKFLOW_DEPLOYED,
       resourceType: AuditResourceType.WORKFLOW,
       resourceId: id,
@@ -374,7 +337,7 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
   const { id } = await params
 
   try {
-    const { auth, error, session } = await validateLifecycleAdminAccess(request, id, requestId)
+    const { auth, error } = await validateLifecycleAdminAccess(request, id)
     if (error) {
       return createErrorResponse(error.message, error.status)
     }
@@ -390,7 +353,7 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
       const { validatePublicApiAllowed, PublicApiNotAllowedError } = await import(
         '@/ee/access-control/utils/permission-check'
       )
-      const actorUserId = session?.user?.id ?? auth?.userId
+      const actorUserId = auth?.userId
       try {
         await validatePublicApiAllowed(actorUserId)
       } catch (err) {
@@ -421,17 +384,12 @@ export async function DELETE(
   const { id } = await params
 
   try {
-    const {
-      auth,
-      error,
-      session,
-      workflow: workflowData,
-    } = await validateLifecycleAdminAccess(request, id, requestId)
+    const { auth, error, workflow: workflowData } = await validateLifecycleAdminAccess(request, id)
     if (error) {
       return createErrorResponse(error.message, error.status)
     }
 
-    const actorUserId = session?.user?.id ?? auth?.userId ?? null
+    const actorUserId = auth?.userId ?? null
     if (!actorUserId) {
       return createErrorResponse('Unable to determine undeploying user', 400)
     }
@@ -458,8 +416,8 @@ export async function DELETE(
     recordAudit({
       workspaceId: workflowData?.workspaceId || null,
       actorId: actorUserId,
-      actorName: session?.user?.name,
-      actorEmail: session?.user?.email,
+      actorName: auth?.userName,
+      actorEmail: auth?.userEmail,
       action: AuditAction.WORKFLOW_UNDEPLOYED,
       resourceType: AuditResourceType.WORKFLOW,
       resourceId: id,

apps/sim/app/api/workflows/[id]/deployed/route.test.ts

@@ -56,7 +56,6 @@ describe('Workflow deployed-state route', () => {
     expect(mockValidateWorkflowAccess).toHaveBeenCalledWith(req, 'wf-1', {
       requireDeployment: false,
       action: 'read',
-      allowInternalSecret: false,
     })
   })
 })

apps/sim/app/api/workflows/[id]/deployed/route.ts

@@ -34,7 +34,6 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
       const validation = await validateWorkflowAccess(request, id, {
         requireDeployment: false,
         action: 'read',
-        allowInternalSecret: false,
       })
       if (validation.error) {
         const response = createErrorResponse(validation.error.message, validation.error.status)

apps/sim/app/api/workflows/[id]/route.test.ts

@@ -407,6 +407,7 @@ describe('Workflow By ID API Route', () => {
       const response = await DELETE(req, { params })
 
       expect(response.status).toBe(200)
+      expect(mockAuthorizeWorkflowByWorkspacePermission).not.toHaveBeenCalled()
     })
 
     it('should prevent deletion of the last workflow in workspace', async () => {
@@ -447,22 +448,11 @@ describe('Workflow By ID API Route', () => {
     })
 
     it.concurrent('should deny deletion for non-admin users', async () => {
-      const mockWorkflow = {
-        id: 'workflow-123',
-        userId: 'other-user',
-        name: 'Test Workflow',
-        workspaceId: 'workspace-456',
-      }
-
-      mockGetSession({ user: { id: 'user-123' } })
-
-      mockGetWorkflowById.mockResolvedValue(mockWorkflow)
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-        allowed: false,
-        status: 403,
-        message: 'Unauthorized: Access denied to admin this workflow',
-        workflow: mockWorkflow,
-        workspacePermission: null,
+      mockValidateWorkflowAccess.mockResolvedValue({
+        error: {
+          message: 'Unauthorized: Access denied to admin this workflow',
+          status: 403,
+        },
       })
 
       const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
@@ -531,6 +521,7 @@ describe('Workflow By ID API Route', () => {
       expect(response.status).toBe(200)
       const data = await response.json()
       expect(data.workflow.name).toBe('Updated Workflow')
+      expect(mockAuthorizeWorkflowByWorkspacePermission).not.toHaveBeenCalled()
     })
 
     it('should allow users with write permission to update workflow', async () => {
@@ -578,24 +569,13 @@ describe('Workflow By ID API Route', () => {
     })
 
     it('should deny update for users with only read permission', async () => {
-      const mockWorkflow = {
-        id: 'workflow-123',
-        userId: 'other-user',
-        name: 'Test Workflow',
-        workspaceId: 'workspace-456',
-      }
-
       const updateData = { name: 'Updated Workflow' }
 
-      mockGetSession({ user: { id: 'user-123' } })
-
-      mockGetWorkflowById.mockResolvedValue(mockWorkflow)
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-        allowed: false,
-        status: 403,
-        message: 'Unauthorized: Access denied to write this workflow',
-        workflow: mockWorkflow,
-        workspacePermission: 'read',
+      mockValidateWorkflowAccess.mockResolvedValue({
+        error: {
+          message: 'Unauthorized: Access denied to write this workflow',
+          status: 403,
+        },
       })
 
       const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
@@ -764,7 +744,10 @@ describe('Workflow By ID API Route', () => {
 
       const updatedWorkflow = { ...mockWorkflow, folderId: 'folder-2', updatedAt: new Date() }
 
-      mockGetSession({ user: { id: 'user-123' } })
+      mockValidateWorkflowAccess.mockResolvedValue({
+        workflow: mockWorkflow,
+        auth: { success: true, userId: 'user-123', authType: 'session' },
+      })
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
       mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
         allowed: true,
@@ -806,7 +789,10 @@ describe('Workflow By ID API Route', () => {
         workspaceId: 'workspace-456',
       }
 
-      mockGetSession({ user: { id: 'user-123' } })
+      mockValidateWorkflowAccess.mockResolvedValue({
+        workflow: mockWorkflow,
+        auth: { success: true, userId: 'user-123', authType: 'session' },
+      })
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
       mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
         allowed: true,