
Conversation

@icecrasher321
Collaborator

Summary

Restore internal JWT bypass for GET workflow route to fix workflow-in-workflow executor calls that don't carry a userId.

Type of Change

  • Bug fix

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel bot commented Feb 11, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project: docs
Deployment: Skipped
Actions: Skipped
Updated (UTC): Feb 11, 2026 6:21am



@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

@greptile-apps
Contributor

greptile-apps bot commented Feb 11, 2026

Greptile Overview

Greptile Summary

This PR changes the GET /api/workflows/[id] handler to allow “internal_jwt” requests to fetch a workflow even when no userId is present (intended to support workflow-in-workflow executor calls).

The handler now branches on auth.authType === 'internal_jwt' and skips workspace permission checks when userId is missing; otherwise it uses authorizeWorkflowByWorkspacePermission to enforce normal access control and then loads normalized workflow state as before.

Confidence Score: 2/5

  • This PR is not safe to merge as-is due to an authorization bypass for internal JWT calls without user context.
  • The new internal_jwt + missing userId branch returns workflow data without any workspace permission check. Since internal JWT auth can succeed without a userId when requireWorkflowId=false, this creates a clear, reproducible authz gap for reading arbitrary workflows by ID for any holder of a valid internal token.
  • apps/sim/app/api/workflows/[id]/route.ts

Important Files Changed

Filename: apps/sim/app/api/workflows/[id]/route.ts
Overview: Adds internal_jwt bypass for GET workflow reads when userId is missing; introduces an authz gap where internal JWT calls without userId skip workspace permission checks and can read any workflow by ID.

Sequence Diagram

sequenceDiagram
  autonumber
  participant C as Caller
  participant R as GET /api/workflows/[id]
  participant A as checkHybridAuth
  participant DB as getWorkflowById
  participant P as authorizeWorkflowByWorkspacePermission

  C->>R: GET /api/workflows/{id}
  R->>A: checkHybridAuth(requireWorkflowId=false)
  A-->>R: {success, authType, userId?}
  R->>DB: getWorkflowById(workflowId)
  DB-->>R: workflowData | null

  alt internal_jwt && userId missing
    R-->>C: 200 {data: workflowData}
  else userId present
    R->>P: authorizeWorkflowByWorkspacePermission(workflowId, userId, read)
    P-->>R: {allowed, workflow}
    alt allowed
      R-->>C: 200 {data: workflowData}
    else denied
      R-->>C: 4xx {error}
    end
  else no userId
    R-->>C: 401 Unauthorized
  end
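The following is an added example, not code from the sim repository or from the reviewer: a stand-alone model of the authorization decision the Greptile sequence diagram describes for GET /api/workflows/[id], placed beside a hardened variant. The names getWorkflowById, authorizeWorkflowByWorkspacePermission, authType and userId come from the review above; their shapes here, the in-memory data, the idea that an executor-issued internal token carries the id of the workflow it was minted for, and the 401/403/404 status codes for the denial paths are all assumptions made for the example.

```typescript
// Added example (not the project's code): models the reviewed auth branch and a
// hardened alternative. Shapes, data and status codes are assumptions.

type AuthType = 'session' | 'api_key' | 'internal_jwt';

interface AuthResult {
  success: boolean;
  authType?: AuthType;
  userId?: string;
  // Assumption: an internal token issued for one executor run records the id of
  // the workflow it was issued for, so a read can be bound to that workflow.
  workflowId?: string;
}

interface WorkflowRecord {
  id: string;
  workspaceId: string;
  name: string;
}

interface RouteResponse {
  status: number;
  body: { data?: WorkflowRecord; error?: string };
}

// Constructed sample data standing in for the database.
const WORKFLOWS: Record<string, WorkflowRecord> = {
  'wf-1': { id: 'wf-1', workspaceId: 'ws-1', name: 'parent' },
  'wf-2': { id: 'wf-2', workspaceId: 'ws-2', name: 'other-tenant' },
};

// Constructed: each user's role in each workspace they belong to.
const WORKSPACE_ROLES: Record<string, Record<string, 'read' | 'write'>> = {
  'user-a': { 'ws-1': 'write' },
};

function getWorkflowById(workflowId: string): WorkflowRecord | null {
  return WORKFLOWS[workflowId] ?? null;
}

// Assumed shape of the permission helper named in the review: resolve the
// workflow's workspace, then check the user's role there for the action.
function authorizeWorkflowByWorkspacePermission(
  workflowId: string,
  userId: string,
  action: 'read' | 'write',
): { allowed: boolean; workflow: WorkflowRecord | null } {
  const workflow = getWorkflowById(workflowId);
  if (!workflow) return { allowed: false, workflow: null };
  const role = (WORKSPACE_ROLES[userId] ?? {})[workflow.workspaceId] as 'read' | 'write' | undefined;
  const allowed = role === 'write' || role === action;
  return { allowed, workflow };
}

// Branch order as shown in the review's sequence diagram: an internal_jwt caller
// with no userId receives the workflow before any permission check runs, so
// any holder of a valid internal token can read any workflow by id.
function handleGetAsMerged(auth: AuthResult, workflowId: string): RouteResponse {
  if (!auth.success) return { status: 401, body: { error: 'Unauthorized' } };
  const workflow = getWorkflowById(workflowId);
  if (!workflow) return { status: 404, body: { error: 'Workflow not found' } };

  if (auth.authType === 'internal_jwt' && !auth.userId) {
    return { status: 200, body: { data: workflow } }; // no workspace check
  }
  if (!auth.userId) return { status: 401, body: { error: 'Unauthorized' } };

  const { allowed } = authorizeWorkflowByWorkspacePermission(workflowId, auth.userId, 'read');
  return allowed
    ? { status: 200, body: { data: workflow } }
    : { status: 403, body: { error: 'Forbidden' } };
}

// Hardened variant (assumed policy): an internal token without a user may read
// only the workflow it was issued for; every other caller goes through the
// workspace permission check. The executor use case keeps working, but a token
// no longer grants reads across tenants.
function handleGetHardened(auth: AuthResult, workflowId: string): RouteResponse {
  if (!auth.success) return { status: 401, body: { error: 'Unauthorized' } };
  const workflow = getWorkflowById(workflowId);
  if (!workflow) return { status: 404, body: { error: 'Workflow not found' } };

  if (auth.authType === 'internal_jwt' && !auth.userId) {
    return auth.workflowId === workflowId
      ? { status: 200, body: { data: workflow } }
      : { status: 403, body: { error: 'Internal token not scoped to this workflow' } };
  }
  if (!auth.userId) return { status: 401, body: { error: 'Unauthorized' } };

  const { allowed } = authorizeWorkflowByWorkspacePermission(workflowId, auth.userId, 'read');
  return allowed
    ? { status: 200, body: { data: workflow } }
    : { status: 403, body: { error: 'Forbidden' } };
}
```

The two handlers differ in a single branch. In handleGetAsMerged the internal_jwt path returns data without consulting the workspace at all, which is the gap the review flags; in handleGetHardened the same path is allowed only when the token's bound workflow id matches the one requested, so the executor can still fetch the workflow it is running while a token cannot be reused against other ids.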

Contributor

@greptile-apps greptile-apps bot left a comment


1 file reviewed, 1 comment


@icecrasher321 icecrasher321 merged commit 5792e7e into staging Feb 11, 2026
12 checks passed
@icecrasher321 icecrasher321 deleted the fix/auth-workflow branch February 11, 2026 06:26