fix(selectors): use sanitized IDs in URLs, convert SharePoint routes to POST+authorizeCredentialUse

- Use planIdValidation.sanitized in MS Planner tasks fetch URL
- Convert sharepoint/lists and sharepoint/sites from GET+getSession to POST+authorizeCredentialUse
- Update registry entries to match POST pattern

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/tools/microsoft_planner/tasks/route.ts

@@ -54,11 +54,14 @@ export async function POST(request: Request) {
       )
     }
 
-    const response = await fetch(`https://graph.microsoft.com/v1.0/planner/plans/${planId}/tasks`, {
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-      },
-    })
+    const response = await fetch(
+      `https://graph.microsoft.com/v1.0/planner/plans/${planIdValidation.sanitized}/tasks`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+        },
+      }
+    )
 
     if (!response.ok) {
       const errorText = await response.text()

apps/sim/app/api/tools/sharepoint/lists/route.ts

@@ -1,12 +1,8 @@
-import { randomUUID } from 'crypto'
-import { db } from '@sim/db'
-import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
-import { type NextRequest, NextResponse } from 'next/server'
-import { getSession } from '@/lib/auth'
-import { validateAlphanumericId } from '@/lib/core/security/input-validation'
-import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -22,27 +18,20 @@ interface SharePointList {
   }
 }
 
-/**
- * Get SharePoint lists for a given site from Microsoft Graph API
- */
-export async function GET(request: NextRequest) {
-  const requestId = randomUUID().slice(0, 8)
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
 
   try {
-    const session = await getSession()
-    if (!session?.user?.id) {
-      return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
-    }
-
-    const { searchParams } = new URL(request.url)
-    const credentialId = searchParams.get('credentialId')
-    const siteId = searchParams.get('siteId')
+    const body = await request.json()
+    const { credential, workflowId, siteId } = body
 
-    if (!credentialId) {
-      return NextResponse.json({ error: 'Credential ID is required' }, { status: 400 })
+    if (!credential) {
+      logger.error(`[${requestId}] Missing credential in request`)
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
     }
 
     if (!siteId) {
+      logger.error(`[${requestId}] Missing siteId in request`)
       return NextResponse.json({ error: 'Site ID is required' }, { status: 400 })
     }
 
@@ -51,47 +40,25 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: 'Invalid site ID format' }, { status: 400 })
     }
 
-    const credentialIdValidation = validateAlphanumericId(credentialId, 'credentialId', 255)
-    if (!credentialIdValidation.isValid) {
-      logger.warn(`[${requestId}] Invalid credential ID`, { error: credentialIdValidation.error })
-      return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
-    }
-
-    const resolved = await resolveOAuthAccountId(credentialId)
-    if (!resolved) {
-      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
-    }
-
-    if (resolved.workspaceId) {
-      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
-      const perm = await getUserEntityPermissions(
-        session.user.id,
-        'workspace',
-        resolved.workspaceId
-      )
-      if (perm === null) {
-        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-      }
-    }
-
-    const credentials = await db
-      .select()
-      .from(account)
-      .where(eq(account.id, resolved.accountId))
-      .limit(1)
-    if (!credentials.length) {
-      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
     }
 
-    const accountRow = credentials[0]
-
     const accessToken = await refreshAccessTokenIfNeeded(
-      resolved.accountId,
-      accountRow.userId,
+      credential,
+      authz.credentialOwnerUserId,
       requestId
     )
     if (!accessToken) {
-      return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })
+      logger.error(`[${requestId}] Failed to obtain valid access token`)
+      return NextResponse.json(
+        { error: 'Failed to obtain valid access token', authRequired: true },
+        { status: 401 }
+      )
     }
 
     const url = `https://graph.microsoft.com/v1.0/sites/${siteId}/lists?$select=id,displayName,description,webUrl&$expand=list($select=hidden)&$top=100`

apps/sim/app/api/tools/sharepoint/sites/route.ts

@@ -1,79 +1,45 @@
-import { randomUUID } from 'crypto'
-import { db } from '@sim/db'
-import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
-import { type NextRequest, NextResponse } from 'next/server'
-import { getSession } from '@/lib/auth'
-import { validateAlphanumericId } from '@/lib/core/security/input-validation'
-import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import type { SharepointSite } from '@/tools/sharepoint/types'
 
 export const dynamic = 'force-dynamic'
 
 const logger = createLogger('SharePointSitesAPI')
 
-/**
- * Get SharePoint sites from Microsoft Graph API
- */
-export async function GET(request: NextRequest) {
-  const requestId = randomUUID().slice(0, 8)
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
 
   try {
-    const session = await getSession()
-    if (!session?.user?.id) {
-      return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
-    }
-
-    const { searchParams } = new URL(request.url)
-    const credentialId = searchParams.get('credentialId')
-    const query = searchParams.get('query') || ''
-
-    if (!credentialId) {
-      return NextResponse.json({ error: 'Credential ID is required' }, { status: 400 })
-    }
+    const body = await request.json()
+    const { credential, workflowId, query } = body
 
-    const credentialIdValidation = validateAlphanumericId(credentialId, 'credentialId', 255)
-    if (!credentialIdValidation.isValid) {
-      logger.warn(`[${requestId}] Invalid credential ID`, { error: credentialIdValidation.error })
-      return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
+    if (!credential) {
+      logger.error(`[${requestId}] Missing credential in request`)
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
     }
 
-    const resolved = await resolveOAuthAccountId(credentialId)
-    if (!resolved) {
-      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
-    }
-
-    if (resolved.workspaceId) {
-      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
-      const perm = await getUserEntityPermissions(
-        session.user.id,
-        'workspace',
-        resolved.workspaceId
-      )
-      if (perm === null) {
-        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-      }
-    }
-
-    const credentials = await db
-      .select()
-      .from(account)
-      .where(eq(account.id, resolved.accountId))
-      .limit(1)
-    if (!credentials.length) {
-      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
     }
 
-    const accountRow = credentials[0]
-
     const accessToken = await refreshAccessTokenIfNeeded(
-      resolved.accountId,
-      accountRow.userId,
+      credential,
+      authz.credentialOwnerUserId,
       requestId
     )
     if (!accessToken) {
-      return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })
+      logger.error(`[${requestId}] Failed to obtain valid access token`)
+      return NextResponse.json(
+        { error: 'Failed to obtain valid access token', authRequired: true },
+        { status: 401 }
+      )
     }
 
     const searchQuery = query || '*'

apps/sim/hooks/selectors/registry.ts

@@ -727,22 +727,28 @@ const registry: Record<SelectorKey, SelectorDefinition> = {
     fetchList: async ({ context }: SelectorQueryArgs) => {
       const credentialId = ensureCredential(context, 'sharepoint.lists')
       if (!context.siteId) throw new Error('Missing site ID for sharepoint.lists selector')
+      const body = JSON.stringify({
+        credential: credentialId,
+        workflowId: context.workflowId,
+        siteId: context.siteId,
+      })
       const data = await fetchJson<{ lists: SharepointList[] }>('/api/tools/sharepoint/lists', {
-        searchParams: {
-          credentialId,
-          siteId: context.siteId,
-        },
+        method: 'POST',
+        body,
       })
       return (data.lists || []).map((list) => ({ id: list.id, label: list.displayName }))
     },
     fetchById: async ({ context, detailId }: SelectorQueryArgs) => {
       if (!detailId || !context.siteId) return null
       const credentialId = ensureCredential(context, 'sharepoint.lists')
+      const body = JSON.stringify({
+        credential: credentialId,
+        workflowId: context.workflowId,
+        siteId: context.siteId,
+      })
       const data = await fetchJson<{ lists: SharepointList[] }>('/api/tools/sharepoint/lists', {
-        searchParams: {
-          credentialId,
-          siteId: context.siteId,
-        },
+        method: 'POST',
+        body,
       })
       const list = (data.lists || []).find((l) => l.id === detailId) ?? null
       if (!list) return null
@@ -1020,10 +1026,15 @@ const registry: Record<SelectorKey, SelectorDefinition> = {
     enabled: ({ context }) => Boolean(context.credentialId),
     fetchList: async ({ context }: SelectorQueryArgs) => {
       const credentialId = ensureCredential(context, 'sharepoint.sites')
+      const body = JSON.stringify({
+        credential: credentialId,
+        workflowId: context.workflowId,
+      })
       const data = await fetchJson<{ files: { id: string; name: string }[] }>(
         '/api/tools/sharepoint/sites',
         {
-          searchParams: { credentialId },
+          method: 'POST',
+          body,
         }
       )
       return (data.files || []).map((file) => ({
@@ -1034,10 +1045,15 @@ const registry: Record<SelectorKey, SelectorDefinition> = {
     fetchById: async ({ context, detailId }: SelectorQueryArgs) => {
       if (!detailId) return null
       const credentialId = ensureCredential(context, 'sharepoint.sites')
+      const body = JSON.stringify({
+        credential: credentialId,
+        workflowId: context.workflowId,
+      })
       const data = await fetchJson<{ files: { id: string; name: string }[] }>(
         '/api/tools/sharepoint/sites',
         {
-          searchParams: { credentialId },
+          method: 'POST',
+          body,
         }
       )
       const site = (data.files || []).find((f) => f.id === detailId) ?? null