@icecrasher321
Collaborator

Summary

fix(auth): workflow system handler (#3193)

@vercel

vercel bot commented Feb 11, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Feb 11, 2026 6:27am

@icecrasher321 changed the title from "fix(auth): workflow system handler" to "v0.5.87: workflow block auth fix" Feb 11, 2026
@greptile-apps
Contributor

greptile-apps bot commented Feb 11, 2026

Greptile Overview

Greptile Summary

This PR changes the GET /api/workflows/[id] handler to treat internal JWT requests specially: if authType is internal_jwt and no userId is present, it skips the usual workspace permission authorization and allows the workflow to be fetched.

This route previously always required a userId and ran authorizeWorkflowByWorkspacePermission before returning workflow data. With the new branch, internal calls without a user context can read workflow records directly via getWorkflowById, and only user-scoped calls go through the existing authorization + normalized-table loading flow.

Confidence Score: 2/5

  • This PR has a significant auth/authorization risk and should not merge as-is.
  • The new internal_jwt-without-userId path bypasses authorizeWorkflowByWorkspacePermission, enabling reads of arbitrary workflows by ID for callers presenting a valid internal JWT without user context. This changes the security model of the endpoint and is not constrained by workspace permissions.
  • apps/sim/app/api/workflows/[id]/route.ts

Important Files Changed

Filename Overview
apps/sim/app/api/workflows/[id]/route.ts Adjusts GET auth flow to allow internal_jwt calls without userId to fetch workflows, but this bypasses workspace permission authorization when userId is missing.

Sequence Diagram

sequenceDiagram
  autonumber
  participant C as Caller
  participant R as Next.js Route GET /api/workflows/:id
  participant A as checkHybridAuth
  participant W as getWorkflowById
  participant Z as authorizeWorkflowByWorkspacePermission
  participant N as loadWorkflowFromNormalizedTables

  C->>R: GET /api/workflows/:id
  R->>A: checkHybridAuth(requireWorkflowId=false)
  A-->>R: { success, authType, userId? }

  alt auth.success is false
    R-->>C: 401 Unauthorized
  else auth.success is true
    R->>W: getWorkflowById(id)
    W-->>R: workflowData?
    alt workflowData is null
      R-->>C: 404 Not Found
    else workflowData exists
      alt authType == internal_jwt AND userId is missing
        R-->>C: 200 returns workflowData (no workspace auth)
      else userId missing
        R-->>C: 401 Unauthorized
      else userId present
        R->>Z: authorizeWorkflowByWorkspacePermission(id, userId, read)
        Z-->>R: { allowed, workflow }
        alt not allowed
          R-->>C: 403/other status
        else allowed
          R->>N: loadWorkflowFromNormalizedTables(id)
          N-->>R: normalizedData?
          R-->>C: 200 returns merged workflow
        end
      end
    end
  end

Contributor

@greptile-apps greptile-apps bot left a comment

1 file reviewed, 1 comment

@icecrasher321 icecrasher321 merged commit 2797395 into main Feb 11, 2026
24 checks passed
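
The behaviour change described in the Greptile summary and sequence diagram, as an added TypeScript model that is not the PR's or the project's code. It compares the pre-PR and post-PR decision flows over constructed auth states and reports where they differ. The names `before`, `after`, `Outcome` and `changedCases`, the `"other"` auth type, and the position of the 404 check in the pre-PR flow are assumptions.

```typescript
// Added model of the GET /api/workflows/[id] decision flow (not the project's code).
type Auth = { success: boolean; authType?: "internal_jwt" | "other"; userId?: string };
type Outcome = { status: number; permissionChecked: boolean };

// `allowed` stands in for the result of authorizeWorkflowByWorkspacePermission;
// 403 stands for the diagram's "403/other status".
function userScoped(auth: Auth, allowed: boolean): Outcome {
  if (!auth.userId) return { status: 401, permissionChecked: false };
  return { status: allowed ? 200 : 403, permissionChecked: true };
}

// Pre-PR flow as summarized: a userId is always required and the workspace
// check always runs. Placing the 404 check first is an assumption.
function before(auth: Auth, exists: boolean, allowed: boolean): Outcome {
  if (!auth.success) return { status: 401, permissionChecked: false };
  if (!exists) return { status: 404, permissionChecked: false };
  return userScoped(auth, allowed);
}

// Post-PR flow, following the sequence diagram.
function after(auth: Auth, exists: boolean, allowed: boolean): Outcome {
  if (!auth.success) return { status: 401, permissionChecked: false };
  if (!exists) return { status: 404, permissionChecked: false };
  if (auth.authType === "internal_jwt" && !auth.userId)
    return { status: 200, permissionChecked: false }; // workspace check skipped
  return userScoped(auth, allowed);
}

// Enumerate constructed auth states and report where the two flows differ.
function changedCases(): string[] {
  const auths: Auth[] = [
    { success: false },
    { success: true, authType: "internal_jwt" },
    { success: true, authType: "internal_jwt", userId: "u1" },
    { success: true, authType: "other" },
    { success: true, authType: "other", userId: "u1" },
  ];
  const out: string[] = [];
  for (const auth of auths)
    for (const allowed of [true, false]) {
      const b = before(auth, true, allowed);
      const a = after(auth, true, allowed);
      if (b.status !== a.status || b.permissionChecked !== a.permissionChecked)
        out.push(`${auth.authType}/${auth.userId ?? "no-user"}/allowed=${allowed}: ` +
          `${b.status} -> ${a.status} (permissionChecked=${a.permissionChecked})`);
    }
  return out;
}

console.log(changedCases().join("\n"));
```

The only rows that change are the internal JWT calls without a userId, which go from 401 to 200 whatever the workspace check would have returned.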