fix(workflows): support app auth on deployment routes

Author: PlaneInABottle

apps/sim/app/api/workflows/[id]/deployments/[version]/revert/route.test.ts

@@ -0,0 +1,119 @@
+/**
+ * @vitest-environment node
+ */
+
+import { NextRequest } from 'next/server'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+const mockValidateWorkflowAccess = vi.fn()
+const mockDbSelect = vi.fn()
+const mockDbFrom = vi.fn()
+const mockDbWhere = vi.fn()
+const mockDbLimit = vi.fn()
+const mockDbUpdate = vi.fn()
+const mockDbSet = vi.fn()
+const mockDbWhereUpdate = vi.fn()
+const mockSaveWorkflowToNormalizedTables = vi.fn()
+const mockSyncMcpToolsForWorkflow = vi.fn()
+const mockFetch = vi.fn()
+
+vi.stubGlobal('fetch', mockFetch)
+
+vi.mock('@sim/logger', () => ({
+  createLogger: () => ({ info: vi.fn(), warn: vi.fn(), error: vi.fn() }),
+}))
+
+vi.mock('@/app/api/workflows/middleware', () => ({
+  validateWorkflowAccess: (...args: unknown[]) => mockValidateWorkflowAccess(...args),
+}))
+
+vi.mock('@/lib/core/utils/request', () => ({
+  generateRequestId: () => 'req-123',
+}))
+
+vi.mock('@/lib/core/config/env', () => ({
+  env: { INTERNAL_API_SECRET: 'internal-secret', SOCKET_SERVER_URL: 'http://localhost:3002' },
+}))
+
+vi.mock('@sim/db', () => ({
+  db: {
+    select: mockDbSelect,
+    update: mockDbUpdate,
+  },
+  workflow: { id: 'id' },
+  workflowDeploymentVersion: {
+    state: 'state',
+    workflowId: 'workflowId',
+    isActive: 'isActive',
+    version: 'version',
+  },
+}))
+
+vi.mock('drizzle-orm', () => ({
+  and: vi.fn(),
+  eq: vi.fn(),
+}))
+
+vi.mock('@/lib/workflows/persistence/utils', () => ({
+  saveWorkflowToNormalizedTables: (...args: unknown[]) => mockSaveWorkflowToNormalizedTables(...args),
+}))
+
+vi.mock('@/lib/mcp/workflow-mcp-sync', () => ({
+  syncMcpToolsForWorkflow: (...args: unknown[]) => mockSyncMcpToolsForWorkflow(...args),
+}))
+
+vi.mock('@/lib/audit/log', () => ({
+  AuditAction: { WORKFLOW_DEPLOYMENT_REVERTED: 'WORKFLOW_DEPLOYMENT_REVERTED' },
+  AuditResourceType: { WORKFLOW: 'WORKFLOW' },
+  recordAudit: vi.fn(),
+}))
+
+import { POST } from '@/app/api/workflows/[id]/deployments/[version]/revert/route'
+
+describe('Workflow deployment version revert route', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    mockDbSelect.mockReturnValue({ from: mockDbFrom })
+    mockDbFrom.mockReturnValue({ where: mockDbWhere })
+    mockDbWhere.mockReturnValue({ limit: mockDbLimit })
+    mockDbLimit.mockResolvedValue([
+      {
+        state: {
+          blocks: { 'block-1': { id: 'block-1', type: 'start_trigger', name: 'Start' } },
+          edges: [],
+          loops: {},
+          parallels: {},
+        },
+      },
+    ])
+    mockDbUpdate.mockReturnValue({ set: mockDbSet })
+    mockDbSet.mockReturnValue({ where: mockDbWhereUpdate })
+    mockDbWhereUpdate.mockResolvedValue(undefined)
+    mockSaveWorkflowToNormalizedTables.mockResolvedValue({ success: true })
+    mockFetch.mockResolvedValue({ ok: true })
+  })
+
+  it('allows API-key auth for revert using hybrid auth userId', async () => {
+    mockValidateWorkflowAccess.mockResolvedValue({
+      workflow: { id: 'wf-1', name: 'Test Workflow', workspaceId: 'ws-1' },
+      auth: { success: true, userId: 'api-user', authType: 'api_key' },
+    })
+
+    const req = new NextRequest(
+      'http://localhost:3000/api/workflows/wf-1/deployments/3/revert',
+      {
+        method: 'POST',
+        headers: { 'x-api-key': 'test-key' },
+      }
+    )
+    const response = await POST(req, { params: Promise.resolve({ id: 'wf-1', version: '3' }) })
+
+    expect(response.status).toBe(200)
+    expect(mockValidateWorkflowAccess).toHaveBeenCalledWith(req, 'wf-1', {
+      requireDeployment: false,
+      action: 'admin',
+    })
+    expect(mockSaveWorkflowToNormalizedTables).toHaveBeenCalled()
+    expect(mockSyncMcpToolsForWorkflow).toHaveBeenCalled()
+  })
+})

apps/sim/app/api/workflows/[id]/deployments/[version]/revert/route.ts

@@ -7,11 +7,28 @@ import { env } from '@/lib/core/config/env'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
 import { saveWorkflowToNormalizedTables } from '@/lib/workflows/persistence/utils'
-import { validateWorkflowPermissions } from '@/lib/workflows/utils'
+import { validateWorkflowAccess } from '@/app/api/workflows/middleware'
 import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
 
 const logger = createLogger('RevertToDeploymentVersionAPI')
 
+async function validateDeploymentVersionAdminAccess(request: NextRequest, workflowId: string) {
+  const access = await validateWorkflowAccess(request, workflowId, {
+    requireDeployment: false,
+    action: 'admin',
+  })
+
+  if (access.error) {
+    return access
+  }
+
+  return {
+    error: null,
+    auth: access.auth,
+    workflow: access.workflow,
+  }
+}
+
 export const dynamic = 'force-dynamic'
 export const runtime = 'nodejs'
 
@@ -24,14 +41,20 @@ export async function POST(
 
   try {
     const {
+      auth,
       error,
-      session,
       workflow: workflowRecord,
-    } = await validateWorkflowPermissions(id, requestId, 'admin')
+    } = await validateDeploymentVersionAdminAccess(request, id)
     if (error) {
       return createErrorResponse(error.message, error.status)
     }
 
+    const actorUserId = auth?.userId
+    if (!actorUserId) {
+      logger.warn(`[${requestId}] Unable to resolve actor user for workflow deployment revert: ${id}`)
+      return createErrorResponse('Unable to determine reverting user', 400)
+    }
+
     const versionSelector = version === 'active' ? null : Number(version)
     if (version !== 'active' && !Number.isFinite(versionSelector)) {
       return createErrorResponse('Invalid version', 400)
@@ -114,12 +137,12 @@ export async function POST(
 
     recordAudit({
       workspaceId: workflowRecord?.workspaceId ?? null,
-      actorId: session!.user.id,
+      actorId: actorUserId,
       action: AuditAction.WORKFLOW_DEPLOYMENT_REVERTED,
       resourceType: AuditResourceType.WORKFLOW,
       resourceId: id,
-      actorName: session!.user.name ?? undefined,
-      actorEmail: session!.user.email ?? undefined,
+      actorName: auth?.userName ?? undefined,
+      actorEmail: auth?.userEmail ?? undefined,
       resourceName: workflowRecord?.name ?? undefined,
       description: `Reverted workflow to deployment version ${version}`,
       request,

apps/sim/app/api/workflows/[id]/deployments/[version]/route.test.ts

@@ -0,0 +1,124 @@
+/**
+ * @vitest-environment node
+ */
+
+import { NextRequest } from 'next/server'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+const mockValidateWorkflowAccess = vi.fn()
+const mockDbSelect = vi.fn()
+const mockDbFrom = vi.fn()
+const mockDbWhere = vi.fn()
+const mockDbLimit = vi.fn()
+const mockSaveTriggerWebhooksForDeploy = vi.fn()
+const mockCreateSchedulesForDeploy = vi.fn()
+const mockActivateWorkflowVersion = vi.fn()
+const mockSyncMcpToolsForWorkflow = vi.fn()
+
+vi.mock('@sim/logger', () => ({
+  createLogger: () => ({ info: vi.fn(), warn: vi.fn(), error: vi.fn() }),
+}))
+
+vi.mock('@/app/api/workflows/middleware', () => ({
+  validateWorkflowAccess: (...args: unknown[]) => mockValidateWorkflowAccess(...args),
+}))
+
+vi.mock('@/lib/core/utils/request', () => ({
+  generateRequestId: () => 'req-123',
+}))
+
+vi.mock('@sim/db', () => ({
+  db: {
+    select: mockDbSelect,
+    update: vi.fn(() => ({ set: vi.fn(() => ({ where: vi.fn(() => ({ returning: vi.fn() })) })) }),
+  },
+  workflowDeploymentVersion: {
+    id: 'id',
+    state: 'state',
+    workflowId: 'workflowId',
+    version: 'version',
+    isActive: 'isActive',
+    name: 'name',
+    description: 'description',
+  },
+}))
+
+vi.mock('drizzle-orm', () => ({
+  and: vi.fn(),
+  eq: vi.fn(),
+}))
+
+vi.mock('@/lib/webhooks/deploy', () => ({
+  restorePreviousVersionWebhooks: vi.fn(),
+  saveTriggerWebhooksForDeploy: (...args: unknown[]) => mockSaveTriggerWebhooksForDeploy(...args),
+}))
+
+vi.mock('@/lib/workflows/persistence/utils', () => ({
+  activateWorkflowVersion: (...args: unknown[]) => mockActivateWorkflowVersion(...args),
+}))
+
+vi.mock('@/lib/workflows/schedules', () => ({
+  cleanupDeploymentVersion: vi.fn(),
+  createSchedulesForDeploy: (...args: unknown[]) => mockCreateSchedulesForDeploy(...args),
+  validateWorkflowSchedules: vi.fn(() => ({ isValid: true })),
+}))
+
+vi.mock('@/lib/mcp/workflow-mcp-sync', () => ({
+  syncMcpToolsForWorkflow: (...args: unknown[]) => mockSyncMcpToolsForWorkflow(...args),
+}))
+
+vi.mock('@/lib/audit/log', () => ({
+  AuditAction: { WORKFLOW_DEPLOYMENT_ACTIVATED: 'WORKFLOW_DEPLOYMENT_ACTIVATED' },
+  AuditResourceType: { WORKFLOW: 'WORKFLOW' },
+  recordAudit: vi.fn(),
+}))
+
+import { PATCH } from '@/app/api/workflows/[id]/deployments/[version]/route'
+
+describe('Workflow deployment version route', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    mockDbSelect.mockReturnValue({ from: mockDbFrom })
+    mockDbFrom.mockReturnValue({ where: mockDbWhere })
+    mockDbWhere.mockReturnValue({ limit: mockDbLimit })
+    mockDbLimit
+      .mockResolvedValueOnce([
+        {
+          id: 'dep-3',
+          state: {
+            blocks: { 'block-1': { id: 'block-1', type: 'start_trigger', name: 'Start' } },
+          },
+        },
+      ])
+      .mockResolvedValueOnce([{ id: 'dep-2' }])
+    mockSaveTriggerWebhooksForDeploy.mockResolvedValue({ success: true, warnings: [] })
+    mockCreateSchedulesForDeploy.mockResolvedValue({ success: true })
+    mockActivateWorkflowVersion.mockResolvedValue({
+      success: true,
+      deployedAt: '2024-01-17T12:00:00.000Z',
+    })
+  })
+
+  it('allows API-key auth for activation using hybrid auth userId', async () => {
+    mockValidateWorkflowAccess.mockResolvedValue({
+      workflow: { id: 'wf-1', name: 'Test Workflow', workspaceId: 'ws-1' },
+      auth: { success: true, userId: 'api-user', authType: 'api_key' },
+    })
+
+    const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/deployments/3', {
+      method: 'PATCH',
+      headers: { 'content-type': 'application/json', 'x-api-key': 'test-key' },
+      body: JSON.stringify({ isActive: true }),
+    })
+    const response = await PATCH(req, { params: Promise.resolve({ id: 'wf-1', version: '3' }) })
+
+    expect(response.status).toBe(200)
+    expect(mockValidateWorkflowAccess).toHaveBeenCalledWith(req, 'wf-1', {
+      requireDeployment: false,
+      action: 'admin',
+    })
+    expect(mockSaveTriggerWebhooksForDeploy).toHaveBeenCalledWith(
+      expect.objectContaining({ userId: 'api-user' })
+    )
+  })
+})

apps/sim/app/api/workflows/[id]/deployments/[version]/route.ts

@@ -13,12 +13,33 @@ import {
   createSchedulesForDeploy,
   validateWorkflowSchedules,
 } from '@/lib/workflows/schedules'
-import { validateWorkflowPermissions } from '@/lib/workflows/utils'
+import { validateWorkflowAccess } from '@/app/api/workflows/middleware'
 import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
 import type { BlockState } from '@/stores/workflows/workflow/types'
 
 const logger = createLogger('WorkflowDeploymentVersionAPI')
 
+async function validateDeploymentVersionLifecycleAccess(
+  request: NextRequest,
+  workflowId: string,
+  action: 'read' | 'write' | 'admin'
+) {
+  const access = await validateWorkflowAccess(request, workflowId, {
+    requireDeployment: false,
+    action,
+  })
+
+  if (access.error) {
+    return access
+  }
+
+  return {
+    error: null,
+    auth: access.auth,
+    workflow: access.workflow,
+  }
+}
+
 const patchBodySchema = z
   .object({
     name: z
@@ -53,9 +74,9 @@ export async function GET(
   const { id, version } = await params
 
   try {
-    const { error } = await validateWorkflowPermissions(id, requestId, 'read')
-    if (error) {
-      return createErrorResponse(error.message, error.status)
+    const access = await validateDeploymentVersionLifecycleAccess(request, id, 'read')
+    if (access.error) {
+      return createErrorResponse(access.error.message, access.error.status)
     }
 
     const versionNum = Number(version)
@@ -108,10 +129,10 @@ export async function PATCH(
     // Activation requires admin permission, other updates require write
     const requiredPermission = isActive ? 'admin' : 'write'
     const {
+      auth,
       error,
-      session,
       workflow: workflowData,
-    } = await validateWorkflowPermissions(id, requestId, requiredPermission)
+    } = await validateDeploymentVersionLifecycleAccess(request, id, requiredPermission)
     if (error) {
       return createErrorResponse(error.message, error.status)
     }
@@ -123,7 +144,7 @@ export async function PATCH(
 
     // Handle activation
     if (isActive) {
-      const actorUserId = session?.user?.id
+      const actorUserId = auth?.userId
       if (!actorUserId) {
         logger.warn(`[${requestId}] Unable to resolve actor user for deployment activation: ${id}`)
         return createErrorResponse('Unable to determine activating user', 400)
@@ -301,8 +322,8 @@ export async function PATCH(
       recordAudit({
         workspaceId: workflowData?.workspaceId,
         actorId: actorUserId,
-        actorName: session?.user?.name,
-        actorEmail: session?.user?.email,
+        actorName: auth?.userName,
+        actorEmail: auth?.userEmail,
         action: AuditAction.WORKFLOW_DEPLOYMENT_ACTIVATED,
         resourceType: AuditResourceType.WORKFLOW,
         resourceId: id,