refactor: inline workflow access wrappers

Call validateWorkflowAccess directly in workflow deployment lifecycle routes and clean up the related test helper formatting raised in review.

Author: PlaneInABottle

apps/sim/app/api/workflows/[id]/deploy/route.ts

@@ -4,7 +4,6 @@ import { and, desc, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { getAuditActorMetadata } from '@/lib/audit/actor-metadata'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
-import type { AuthResult } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { removeMcpToolsForWorkflow, syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
 import {
@@ -32,36 +31,6 @@ const logger = createLogger('WorkflowDeployAPI')
 export const dynamic = 'force-dynamic'
 export const runtime = 'nodejs'
 
-type LifecycleAdminAccessResult = {
-  error: { message: string; status: number } | null | undefined
-  auth: AuthResult | null | undefined
-  workflow: Awaited<ReturnType<typeof validateWorkflowAccess>>['workflow'] | null | undefined
-}
-
-async function validateLifecycleAdminAccess(
-  request: NextRequest,
-  workflowId: string
-): Promise<LifecycleAdminAccessResult> {
-  const hybridAccess = await validateWorkflowAccess(request, workflowId, {
-    requireDeployment: false,
-    action: 'admin',
-  })
-
-  if (hybridAccess.error) {
-    return {
-      error: hybridAccess.error,
-      auth: hybridAccess.auth,
-      workflow: hybridAccess.workflow,
-    }
-  }
-
-  return {
-    error: null,
-    auth: hybridAccess.auth,
-    workflow: hybridAccess.workflow,
-  }
-}
-
 export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
   const requestId = generateRequestId()
   const { id } = await params
@@ -148,11 +117,17 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
   const { id } = await params
 
   try {
-    const { auth, error, workflow: workflowData } = await validateLifecycleAdminAccess(request, id)
-    if (error) {
-      return createErrorResponse(error.message, error.status)
+    const access = await validateWorkflowAccess(request, id, {
+      requireDeployment: false,
+      action: 'admin',
+    })
+    if (access.error) {
+      return createErrorResponse(access.error.message, access.error.status)
     }
 
+    const auth = access.auth
+    const workflowData = access.workflow
+
     const actorUserId: string | null = auth?.userId ?? null
     if (!actorUserId) {
       logger.warn(`[${requestId}] Unable to resolve actor user for workflow deployment: ${id}`)
@@ -353,11 +328,16 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
   const { id } = await params
 
   try {
-    const { auth, error } = await validateLifecycleAdminAccess(request, id)
-    if (error) {
-      return createErrorResponse(error.message, error.status)
+    const access = await validateWorkflowAccess(request, id, {
+      requireDeployment: false,
+      action: 'admin',
+    })
+    if (access.error) {
+      return createErrorResponse(access.error.message, access.error.status)
     }
 
+    const auth = access.auth
+
     const body = await request.json()
     const { isPublicApi } = body
 
@@ -400,11 +380,17 @@ export async function DELETE(
   const { id } = await params
 
   try {
-    const { auth, error, workflow: workflowData } = await validateLifecycleAdminAccess(request, id)
-    if (error) {
-      return createErrorResponse(error.message, error.status)
+    const access = await validateWorkflowAccess(request, id, {
+      requireDeployment: false,
+      action: 'admin',
+    })
+    if (access.error) {
+      return createErrorResponse(access.error.message, access.error.status)
     }
 
+    const auth = access.auth
+    const workflowData = access.workflow
+
     const actorUserId = auth?.userId ?? null
     if (!actorUserId) {
       return createErrorResponse('Unable to determine undeploying user', 400)

apps/sim/app/api/workflows/[id]/deployments/[version]/revert/route.ts

@@ -12,23 +12,6 @@ import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/
 
 const logger = createLogger('RevertToDeploymentVersionAPI')
 
-async function validateDeploymentVersionAdminAccess(request: NextRequest, workflowId: string) {
-  const access = await validateWorkflowAccess(request, workflowId, {
-    requireDeployment: false,
-    action: 'admin',
-  })
-
-  if (access.error) {
-    return access
-  }
-
-  return {
-    error: null,
-    auth: access.auth,
-    workflow: access.workflow,
-  }
-}
-
 export const dynamic = 'force-dynamic'
 export const runtime = 'nodejs'
 
@@ -40,18 +23,22 @@ export async function POST(
   const { id, version } = await params
 
   try {
-    const {
-      auth,
-      error,
-      workflow: workflowRecord,
-    } = await validateDeploymentVersionAdminAccess(request, id)
-    if (error) {
-      return createErrorResponse(error.message, error.status)
+    const access = await validateWorkflowAccess(request, id, {
+      requireDeployment: false,
+      action: 'admin',
+    })
+    if (access.error) {
+      return createErrorResponse(access.error.message, access.error.status)
     }
 
+    const auth = access.auth
+    const workflowRecord = access.workflow
+
     const actorUserId = auth?.userId
     if (!actorUserId) {
-      logger.warn(`[${requestId}] Unable to resolve actor user for workflow deployment revert: ${id}`)
+      logger.warn(
+        `[${requestId}] Unable to resolve actor user for workflow deployment revert: ${id}`
+      )
       return createErrorResponse('Unable to determine reverting user', 400)
     }
 

apps/sim/app/api/workflows/[id]/deployments/[version]/route.ts

@@ -20,27 +20,6 @@ import type { BlockState } from '@/stores/workflows/workflow/types'
 
 const logger = createLogger('WorkflowDeploymentVersionAPI')
 
-async function validateDeploymentVersionLifecycleAccess(
-  request: NextRequest,
-  workflowId: string,
-  action: 'read' | 'write' | 'admin'
-) {
-  const access = await validateWorkflowAccess(request, workflowId, {
-    requireDeployment: false,
-    action,
-  })
-
-  if (access.error) {
-    return access
-  }
-
-  return {
-    error: null,
-    auth: access.auth,
-    workflow: access.workflow,
-  }
-}
-
 const patchBodySchema = z
   .object({
     name: z
@@ -75,7 +54,10 @@ export async function GET(
   const { id, version } = await params
 
   try {
-    const access = await validateDeploymentVersionLifecycleAccess(request, id, 'read')
+    const access = await validateWorkflowAccess(request, id, {
+      requireDeployment: false,
+      action: 'read',
+    })
     if (access.error) {
       return createErrorResponse(access.error.message, access.error.status)
     }
@@ -129,15 +111,17 @@ export async function PATCH(
 
     // Activation requires admin permission, other updates require write
     const requiredPermission = isActive ? 'admin' : 'write'
-    const {
-      auth,
-      error,
-      workflow: workflowData,
-    } = await validateDeploymentVersionLifecycleAccess(request, id, requiredPermission)
-    if (error) {
-      return createErrorResponse(error.message, error.status)
+    const access = await validateWorkflowAccess(request, id, {
+      requireDeployment: false,
+      action: requiredPermission,
+    })
+    if (access.error) {
+      return createErrorResponse(access.error.message, access.error.status)
     }
 
+    const auth = access.auth
+    const workflowData = access.workflow
+
     const versionNum = Number(version)
     if (!Number.isFinite(versionNum)) {
       return createErrorResponse('Invalid version', 400)

apps/sim/app/api/workflows/[id]/route.test.ts

@@ -40,6 +40,7 @@ function mockGetSession(session: { user: { id: string } } | null) {
   } else {
     mockCheckHybridAuth.mockResolvedValue({ success: false })
     mockCheckSessionOrInternalAuth.mockResolvedValue({ success: false })
+
     mockValidateWorkflowAccess.mockResolvedValue({
       error: { message: 'Unauthorized', status: 401 },
     })