fix: harden workflow API auth routes

Co-authored-by: GitHub Copilot <github-copilot[bot]@users.noreply.github.com>

Author: PlaneInABottle

apps/sim/app/api/workflows/[id]/deploy/route.test.ts

@@ -5,16 +5,43 @@
 import { NextRequest } from 'next/server'
 import { beforeEach, describe, expect, it, vi } from 'vitest'
 
-const mockValidateWorkflowAccess = vi.fn()
-const mockDbSelect = vi.fn()
-const mockDbFrom = vi.fn()
-const mockDbWhere = vi.fn()
-const mockDbLimit = vi.fn()
-const mockDbOrderBy = vi.fn()
-const mockDeployWorkflow = vi.fn()
-const mockUndeployWorkflow = vi.fn()
-const mockCleanupWebhooksForWorkflow = vi.fn()
-const mockRemoveMcpToolsForWorkflow = vi.fn()
+const {
+  mockCleanupWebhooksForWorkflow,
+  mockDbLimit,
+  mockDbOrderBy,
+  mockDbFrom,
+  mockDbSelect,
+  mockDbSet,
+  mockDbUpdate,
+  mockDbWhere,
+  mockCreateSchedulesForDeploy,
+  mockDeployWorkflow,
+  mockLoadWorkflowFromNormalizedTables,
+  mockRemoveMcpToolsForWorkflow,
+  mockSaveTriggerWebhooksForDeploy,
+  mockSyncMcpToolsForWorkflow,
+  mockUndeployWorkflow,
+  mockValidatePublicApiAllowed,
+  mockValidateWorkflowAccess,
+} = vi.hoisted(() => ({
+  mockCleanupWebhooksForWorkflow: vi.fn(),
+  mockDbLimit: vi.fn(),
+  mockDbOrderBy: vi.fn(),
+  mockDbFrom: vi.fn(),
+  mockDbSelect: vi.fn(),
+  mockDbSet: vi.fn(),
+  mockDbUpdate: vi.fn(),
+  mockDbWhere: vi.fn(),
+  mockCreateSchedulesForDeploy: vi.fn(),
+  mockDeployWorkflow: vi.fn(),
+  mockLoadWorkflowFromNormalizedTables: vi.fn(),
+  mockRemoveMcpToolsForWorkflow: vi.fn(),
+  mockSaveTriggerWebhooksForDeploy: vi.fn(),
+  mockSyncMcpToolsForWorkflow: vi.fn(),
+  mockUndeployWorkflow: vi.fn(),
+  mockValidatePublicApiAllowed: vi.fn(),
+  mockValidateWorkflowAccess: vi.fn(),
+}))
 
 vi.mock('@sim/logger', () => ({
   createLogger: () => ({ info: vi.fn(), warn: vi.fn(), error: vi.fn() }),
@@ -33,19 +60,23 @@ vi.mock('@/lib/core/utils/request', () => ({
 }))
 
 vi.mock('@sim/db', () => ({
-  db: { select: mockDbSelect },
+  db: { select: mockDbSelect, update: mockDbUpdate },
   workflow: { variables: 'variables', id: 'id' },
   workflowDeploymentVersion: { state: 'state', workflowId: 'workflowId', isActive: 'isActive', createdAt: 'createdAt', id: 'id' },
 }))
 
-vi.mock('drizzle-orm', () => ({
-  and: vi.fn(),
-  desc: vi.fn(),
-  eq: vi.fn(),
-}))
+vi.mock('drizzle-orm', async (importOriginal) => {
+  const actual = await importOriginal<typeof import('drizzle-orm')>()
+  return {
+    ...actual,
+    and: vi.fn(),
+    desc: vi.fn(),
+    eq: vi.fn(),
+  }
+})
 
 vi.mock('@/lib/workflows/persistence/utils', () => ({
-  loadWorkflowFromNormalizedTables: vi.fn().mockResolvedValue(null),
+  loadWorkflowFromNormalizedTables: (...args: unknown[]) => mockLoadWorkflowFromNormalizedTables(...args),
   deployWorkflow: (...args: unknown[]) => mockDeployWorkflow(...args),
   undeployWorkflow: (...args: unknown[]) => mockUndeployWorkflow(...args),
 }))
@@ -56,19 +87,19 @@ vi.mock('@/lib/workflows/comparison', () => ({
 
 vi.mock('@/lib/workflows/schedules', () => ({
   cleanupDeploymentVersion: vi.fn(),
-  createSchedulesForDeploy: vi.fn(),
+  createSchedulesForDeploy: (...args: unknown[]) => mockCreateSchedulesForDeploy(...args),
   validateWorkflowSchedules: vi.fn().mockReturnValue({ isValid: true }),
 }))
 
 vi.mock('@/lib/webhooks/deploy', () => ({
   cleanupWebhooksForWorkflow: (...args: unknown[]) => mockCleanupWebhooksForWorkflow(...args),
   restorePreviousVersionWebhooks: vi.fn(),
-  saveTriggerWebhooksForDeploy: vi.fn(),
+  saveTriggerWebhooksForDeploy: (...args: unknown[]) => mockSaveTriggerWebhooksForDeploy(...args),
 }))
 
 vi.mock('@/lib/mcp/workflow-mcp-sync', () => ({
   removeMcpToolsForWorkflow: (...args: unknown[]) => mockRemoveMcpToolsForWorkflow(...args),
-  syncMcpToolsForWorkflow: vi.fn(),
+  syncMcpToolsForWorkflow: (...args: unknown[]) => mockSyncMcpToolsForWorkflow(...args),
 }))
 
 vi.mock('@/lib/audit/log', () => ({
@@ -77,7 +108,12 @@ vi.mock('@/lib/audit/log', () => ({
   recordAudit: vi.fn(),
 }))
 
-import { POST, DELETE } from '@/app/api/workflows/[id]/deploy/route'
+vi.mock('@/ee/access-control/utils/permission-check', () => ({
+  PublicApiNotAllowedError: class PublicApiNotAllowedError extends Error {},
+  validatePublicApiAllowed: (...args: unknown[]) => mockValidatePublicApiAllowed(...args),
+}))
+
+import { DELETE, PATCH, POST } from '@/app/api/workflows/[id]/deploy/route'
 
 describe('Workflow deploy route', () => {
   beforeEach(() => {
@@ -87,8 +123,20 @@ describe('Workflow deploy route', () => {
     mockDbWhere.mockReturnValue({ limit: mockDbLimit, orderBy: mockDbOrderBy })
     mockDbOrderBy.mockReturnValue({ limit: mockDbLimit })
     mockDbLimit.mockResolvedValue([])
+    mockDbUpdate.mockReturnValue({ set: mockDbSet })
+    mockDbSet.mockReturnValue({ where: mockDbWhere })
     mockCleanupWebhooksForWorkflow.mockResolvedValue(undefined)
+    mockCreateSchedulesForDeploy.mockResolvedValue({ success: true })
+    mockLoadWorkflowFromNormalizedTables.mockResolvedValue({
+      blocks: { 'block-1': { id: 'block-1', type: 'start_trigger', name: 'Start' } },
+      edges: [],
+      loops: {},
+      parallels: {},
+    })
+    mockSaveTriggerWebhooksForDeploy.mockResolvedValue({ success: true, warnings: [] })
     mockRemoveMcpToolsForWorkflow.mockResolvedValue(undefined)
+    mockSyncMcpToolsForWorkflow.mockResolvedValue(undefined)
+    mockValidatePublicApiAllowed.mockResolvedValue(undefined)
   })
 
   it('allows API-key auth for deploy using hybrid auth userId', async () => {
@@ -136,4 +184,21 @@ describe('Workflow deploy route', () => {
     expect(data.isDeployed).toBe(false)
     expect(mockUndeployWorkflow).toHaveBeenCalledWith({ workflowId: 'wf-1' })
   })
+
+  it('checks public API restrictions against hybrid auth userId', async () => {
+    mockValidateWorkflowAccess.mockResolvedValue({
+      workflow: { id: 'wf-1', name: 'Test Workflow', workspaceId: 'ws-1' },
+      auth: { success: true, userId: 'api-user', authType: 'api_key' },
+    })
+
+    const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/deploy', {
+      method: 'PATCH',
+      headers: { 'content-type': 'application/json', 'x-api-key': 'test-key' },
+      body: JSON.stringify({ isPublicApi: true }),
+    })
+    const response = await PATCH(req, { params: Promise.resolve({ id: 'wf-1' }) })
+
+    expect(response.status).toBe(200)
+    expect(mockValidatePublicApiAllowed).toHaveBeenCalledWith('api-user')
+  })
 })

apps/sim/app/api/workflows/[id]/deploy/route.ts

@@ -2,6 +2,7 @@ import { db, workflow, workflowDeploymentVersion } from '@sim/db'
 import { createLogger } from '@sim/logger'
 import { and, desc, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
+import type { AuthResult } from '@/lib/auth/hybrid'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { removeMcpToolsForWorkflow, syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
@@ -30,22 +31,57 @@ const logger = createLogger('WorkflowDeployAPI')
 export const dynamic = 'force-dynamic'
 export const runtime = 'nodejs'
 
+type LifecycleAdminAccessResult = {
+  error: { message: string; status: number } | null | undefined
+  auth: AuthResult | null | undefined
+  session:
+    | Awaited<ReturnType<typeof validateWorkflowPermissions>>['session']
+    | null
+    | undefined
+  workflow:
+    | Awaited<ReturnType<typeof validateWorkflowPermissions>>['workflow']
+    | Awaited<ReturnType<typeof validateWorkflowAccess>>['workflow']
+    | null
+    | undefined
+}
+
 async function validateLifecycleAdminAccess(
   request: NextRequest,
   workflowId: string,
   requestId: string
-) {
+): Promise<LifecycleAdminAccessResult> {
   const hybridAccess = await validateWorkflowAccess(request, workflowId, {
     requireDeployment: false,
     action: 'admin',
   })
 
   if (hybridAccess.error) {
-    return hybridAccess
+    return {
+      error: hybridAccess.error,
+      auth: hybridAccess.auth,
+      session: null,
+      workflow: hybridAccess.workflow,
+    }
   }
 
   if (hybridAccess.auth?.authType === 'session') {
-    return await validateWorkflowPermissions(workflowId, requestId, 'admin')
+    const sessionAccess = await validateWorkflowPermissions(workflowId, requestId, 'admin')
+    const auth: AuthResult | null = sessionAccess.session?.user?.id
+      ? {
+          success: true,
+          userId: sessionAccess.session.user.id,
+          userName: sessionAccess.session.user.name,
+          userEmail: sessionAccess.session.user.email,
+          authType: 'session',
+        }
+      : null
+
+    return {
+      error: sessionAccess.error,
+      auth,
+      session: sessionAccess.session,
+      workflow: sessionAccess.workflow,
+    }
   }
 
   return {
@@ -338,7 +374,7 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
   const { id } = await params
 
   try {
-    const { error, session } = await validateLifecycleAdminAccess(request, id, requestId)
+    const { auth, error, session } = await validateLifecycleAdminAccess(request, id, requestId)
     if (error) {
       return createErrorResponse(error.message, error.status)
     }
@@ -354,8 +390,9 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
       const { validatePublicApiAllowed, PublicApiNotAllowedError } = await import(
         '@/ee/access-control/utils/permission-check'
       )
+      const actorUserId = session?.user?.id ?? auth?.userId
       try {
-        await validatePublicApiAllowed(session?.user?.id)
+        await validatePublicApiAllowed(actorUserId)
       } catch (err) {
         if (err instanceof PublicApiNotAllowedError) {
           return createErrorResponse('Public API access is disabled', 403)

apps/sim/app/api/workflows/[id]/deployments/[version]/revert/route.test.ts

@@ -5,16 +5,29 @@
 import { NextRequest } from 'next/server'
 import { beforeEach, describe, expect, it, vi } from 'vitest'
 
-const mockValidateWorkflowAccess = vi.fn()
-const mockDbSelect = vi.fn()
-const mockDbFrom = vi.fn()
-const mockDbWhere = vi.fn()
-const mockDbLimit = vi.fn()
-const mockDbUpdate = vi.fn()
-const mockDbSet = vi.fn()
-const mockDbWhereUpdate = vi.fn()
-const mockSaveWorkflowToNormalizedTables = vi.fn()
-const mockSyncMcpToolsForWorkflow = vi.fn()
+const {
+  mockDbFrom,
+  mockDbLimit,
+  mockDbSelect,
+  mockDbSet,
+  mockDbUpdate,
+  mockDbWhere,
+  mockDbWhereUpdate,
+  mockSaveWorkflowToNormalizedTables,
+  mockSyncMcpToolsForWorkflow,
+  mockValidateWorkflowAccess,
+} = vi.hoisted(() => ({
+  mockDbFrom: vi.fn(),
+  mockDbLimit: vi.fn(),
+  mockDbSelect: vi.fn(),
+  mockDbSet: vi.fn(),
+  mockDbUpdate: vi.fn(),
+  mockDbWhere: vi.fn(),
+  mockDbWhereUpdate: vi.fn(),
+  mockSaveWorkflowToNormalizedTables: vi.fn(),
+  mockSyncMcpToolsForWorkflow: vi.fn(),
+  mockValidateWorkflowAccess: vi.fn(),
+}))
 const mockFetch = vi.fn()
 
 vi.stubGlobal('fetch', mockFetch)
@@ -49,10 +62,14 @@ vi.mock('@sim/db', () => ({
   },
 }))
 
-vi.mock('drizzle-orm', () => ({
-  and: vi.fn(),
-  eq: vi.fn(),
-}))
+vi.mock('drizzle-orm', async (importOriginal) => {
+  const actual = await importOriginal<typeof import('drizzle-orm')>()
+  return {
+    ...actual,
+    and: vi.fn(),
+    eq: vi.fn(),
+  }
+})
 
 vi.mock('@/lib/workflows/persistence/utils', () => ({
   saveWorkflowToNormalizedTables: (...args: unknown[]) => mockSaveWorkflowToNormalizedTables(...args),

apps/sim/app/api/workflows/[id]/deployments/[version]/route.test.ts

@@ -5,15 +5,35 @@
 import { NextRequest } from 'next/server'
 import { beforeEach, describe, expect, it, vi } from 'vitest'
 
-const mockValidateWorkflowAccess = vi.fn()
-const mockDbSelect = vi.fn()
-const mockDbFrom = vi.fn()
-const mockDbWhere = vi.fn()
-const mockDbLimit = vi.fn()
-const mockSaveTriggerWebhooksForDeploy = vi.fn()
-const mockCreateSchedulesForDeploy = vi.fn()
-const mockActivateWorkflowVersion = vi.fn()
-const mockSyncMcpToolsForWorkflow = vi.fn()
+const {
+  mockActivateWorkflowVersion,
+  mockCreateSchedulesForDeploy,
+  mockDbFrom,
+  mockDbLimit,
+  mockDbReturning,
+  mockDbSelect,
+  mockDbSet,
+  mockDbUpdate,
+  mockDbWhere,
+  mockDbWhereUpdate,
+  mockSaveTriggerWebhooksForDeploy,
+  mockSyncMcpToolsForWorkflow,
+  mockValidateWorkflowAccess,
+} = vi.hoisted(() => ({
+  mockActivateWorkflowVersion: vi.fn(),
+  mockCreateSchedulesForDeploy: vi.fn(),
+  mockDbFrom: vi.fn(),
+  mockDbLimit: vi.fn(),
+  mockDbReturning: vi.fn(),
+  mockDbSelect: vi.fn(),
+  mockDbSet: vi.fn(),
+  mockDbUpdate: vi.fn(),
+  mockDbWhere: vi.fn(),
+  mockDbWhereUpdate: vi.fn(),
+  mockSaveTriggerWebhooksForDeploy: vi.fn(),
+  mockSyncMcpToolsForWorkflow: vi.fn(),
+  mockValidateWorkflowAccess: vi.fn(),
+}))
 
 vi.mock('@sim/logger', () => ({
   createLogger: () => ({ info: vi.fn(), warn: vi.fn(), error: vi.fn() }),
@@ -30,7 +50,7 @@ vi.mock('@/lib/core/utils/request', () => ({
 vi.mock('@sim/db', () => ({
   db: {
     select: mockDbSelect,
-    update: vi.fn(() => ({ set: vi.fn(() => ({ where: vi.fn(() => ({ returning: vi.fn() })) })) }),
+    update: mockDbUpdate,
   },
   workflowDeploymentVersion: {
     id: 'id',
@@ -43,10 +63,14 @@ vi.mock('@sim/db', () => ({
   },
 }))
 
-vi.mock('drizzle-orm', () => ({
-  and: vi.fn(),
-  eq: vi.fn(),
-}))
+vi.mock('drizzle-orm', async (importOriginal) => {
+  const actual = await importOriginal<typeof import('drizzle-orm')>()
+  return {
+    ...actual,
+    and: vi.fn(),
+    eq: vi.fn(),
+  }
+})
 
 vi.mock('@/lib/webhooks/deploy', () => ({
   restorePreviousVersionWebhooks: vi.fn(),
@@ -91,6 +115,10 @@ describe('Workflow deployment version route', () => {
         },
       ])
       .mockResolvedValueOnce([{ id: 'dep-2' }])
+    mockDbUpdate.mockReturnValue({ set: mockDbSet })
+    mockDbSet.mockReturnValue({ where: mockDbWhereUpdate })
+    mockDbWhereUpdate.mockReturnValue({ returning: mockDbReturning })
+    mockDbReturning.mockResolvedValue([])
     mockSaveTriggerWebhooksForDeploy.mockResolvedValue({ success: true, warnings: [] })
     mockCreateSchedulesForDeploy.mockResolvedValue({ success: true })
     mockActivateWorkflowVersion.mockResolvedValue({