fix(workflows): require auth before deployment checks

Author: PlaneInABottle

apps/sim/app/api/workflows/middleware.test.ts

@@ -268,10 +268,21 @@ describe('validateWorkflowAccess', () => {
   })
 
   it('returns 404 for deployed access when workflow is missing', async () => {
+    mockAuthenticateApiKeyFromHeader.mockResolvedValue({
+      success: true,
+      userId: 'user-1',
+      keyId: 'key-1',
+      keyType: 'workspace',
+      workspaceId: WORKSPACE_ID,
+    })
     mockGetActiveWorkflowRecord.mockResolvedValue(null)
     mockGetWorkflowById.mockResolvedValue(null)
 
-    const result = await validateWorkflowAccess(createRequest(), WORKFLOW_ID, {
+    const request = new NextRequest(`http://localhost:3000/api/workflows/${WORKFLOW_ID}/status`, {
+      headers: { 'x-api-key': 'valid-key' },
+    })
+
+    const result = await validateWorkflowAccess(request, WORKFLOW_ID, {
       requireDeployment: true,
     })
 
@@ -282,14 +293,70 @@ describe('validateWorkflowAccess', () => {
       },
     })
     expect(mockCheckHybridAuth).not.toHaveBeenCalled()
+    expect(mockAuthenticateApiKeyFromHeader).toHaveBeenNthCalledWith(1, 'valid-key', {
+      keyTypes: ['workspace', 'personal'],
+    })
+  })
+
+  it('returns 401 before deployed workflow lookup when api key is missing', async () => {
+    const result = await validateWorkflowAccess(createRequest(), WORKFLOW_ID, {
+      requireDeployment: true,
+    })
+
+    expect(result).toEqual({
+      error: {
+        message: 'Unauthorized: API key required',
+        status: 401,
+      },
+    })
+    expect(mockGetActiveWorkflowRecord).not.toHaveBeenCalled()
+    expect(mockGetWorkflowById).not.toHaveBeenCalled()
     expect(mockAuthenticateApiKeyFromHeader).not.toHaveBeenCalled()
   })
 
-  it('returns 403 for deployed access when workflow has no workspace', async () => {
+  it('returns 401 before deployed workflow lookup when api key is invalid', async () => {
+    mockAuthenticateApiKeyFromHeader.mockResolvedValue({
+      success: false,
+      error: 'Invalid API key',
+    })
+
+    const request = new NextRequest(`http://localhost:3000/api/workflows/${WORKFLOW_ID}/status`, {
+      headers: { 'x-api-key': 'invalid-key' },
+    })
+
+    const result = await validateWorkflowAccess(request, WORKFLOW_ID, {
+      requireDeployment: true,
+    })
+
+    expect(result).toEqual({
+      error: {
+        message: 'Unauthorized: Invalid API key',
+        status: 401,
+      },
+    })
+    expect(mockGetActiveWorkflowRecord).not.toHaveBeenCalled()
+    expect(mockGetWorkflowById).not.toHaveBeenCalled()
+    expect(mockAuthenticateApiKeyFromHeader).toHaveBeenCalledWith('invalid-key', {
+      keyTypes: ['workspace', 'personal'],
+    })
+  })
+
+  it('returns 403 for deployed access when authenticated workflow has no workspace', async () => {
+    mockAuthenticateApiKeyFromHeader.mockResolvedValue({
+      success: true,
+      userId: 'user-1',
+      keyId: 'key-1',
+      keyType: 'workspace',
+      workspaceId: WORKSPACE_ID,
+    })
     mockGetActiveWorkflowRecord.mockResolvedValue(null)
     mockGetWorkflowById.mockResolvedValue(createWorkflow({ workspaceId: null, isDeployed: true }))
 
-    const result = await validateWorkflowAccess(createRequest(), WORKFLOW_ID, {
+    const request = new NextRequest(`http://localhost:3000/api/workflows/${WORKFLOW_ID}/status`, {
+      headers: { 'x-api-key': 'valid-key' },
+    })
+
+    const result = await validateWorkflowAccess(request, WORKFLOW_ID, {
       requireDeployment: true,
     })
 
@@ -301,14 +368,27 @@ describe('validateWorkflowAccess', () => {
       },
     })
     expect(mockCheckHybridAuth).not.toHaveBeenCalled()
-    expect(mockAuthenticateApiKeyFromHeader).not.toHaveBeenCalled()
+    expect(mockAuthenticateApiKeyFromHeader).toHaveBeenNthCalledWith(1, 'valid-key', {
+      keyTypes: ['workspace', 'personal'],
+    })
   })
 
-  it('returns 404 for deployed access when workflow workspace is archived', async () => {
+  it('returns 404 for deployed access when authenticated workflow workspace is archived', async () => {
+    mockAuthenticateApiKeyFromHeader.mockResolvedValue({
+      success: true,
+      userId: 'user-1',
+      keyId: 'key-1',
+      keyType: 'workspace',
+      workspaceId: WORKSPACE_ID,
+    })
     mockGetActiveWorkflowRecord.mockResolvedValue(null)
     mockGetWorkflowById.mockResolvedValue(createWorkflow({ isDeployed: true }))
 
-    const result = await validateWorkflowAccess(createRequest(), WORKFLOW_ID, {
+    const request = new NextRequest(`http://localhost:3000/api/workflows/${WORKFLOW_ID}/status`, {
+      headers: { 'x-api-key': 'valid-key' },
+    })
+
+    const result = await validateWorkflowAccess(request, WORKFLOW_ID, {
       requireDeployment: true,
     })
 
@@ -320,6 +400,38 @@ describe('validateWorkflowAccess', () => {
     })
     expect(mockGetWorkflowById).toHaveBeenCalledWith(WORKFLOW_ID)
     expect(mockCheckHybridAuth).not.toHaveBeenCalled()
-    expect(mockAuthenticateApiKeyFromHeader).not.toHaveBeenCalled()
+    expect(mockAuthenticateApiKeyFromHeader).toHaveBeenNthCalledWith(1, 'valid-key', {
+      keyTypes: ['workspace', 'personal'],
+    })
+  })
+
+  it('returns 403 for deployed access when authenticated workflow is not deployed', async () => {
+    mockAuthenticateApiKeyFromHeader.mockResolvedValue({
+      success: true,
+      userId: 'user-1',
+      keyId: 'key-1',
+      keyType: 'workspace',
+      workspaceId: WORKSPACE_ID,
+    })
+    mockGetActiveWorkflowRecord.mockResolvedValue(createWorkflow({ isDeployed: false }))
+
+    const request = new NextRequest(`http://localhost:3000/api/workflows/${WORKFLOW_ID}/status`, {
+      headers: { 'x-api-key': 'valid-key' },
+    })
+
+    const result = await validateWorkflowAccess(request, WORKFLOW_ID, {
+      requireDeployment: true,
+    })
+
+    expect(result).toEqual({
+      error: {
+        message: 'Workflow is not deployed',
+        status: 403,
+      },
+    })
+    expect(mockAuthenticateApiKeyFromHeader).toHaveBeenCalledWith('valid-key', {
+      keyTypes: ['workspace', 'personal'],
+    })
+    expect(mockUpdateApiKeyLastUsed).not.toHaveBeenCalled()
   })
 })

apps/sim/app/api/workflows/middleware.ts

@@ -118,51 +118,66 @@ export async function validateWorkflowAccess(
       return { workflow, auth }
     }
 
-    const workflowResult = await getValidatedWorkflow(workflowId)
-    if (workflowResult.error || !workflowResult.workflow) {
-      return workflowResult
-    }
-    const workflow = workflowResult.workflow
-
     if (requireDeployment) {
-      if (!workflow.isDeployed) {
-        return {
-          error: {
-            message: 'Workflow is not deployed',
-            status: 403,
-          },
+      const internalSecret = request.headers.get('X-Internal-Secret')
+      const hasValidInternalSecret =
+        allowInternalSecret && env.INTERNAL_API_SECRET && internalSecret === env.INTERNAL_API_SECRET
+
+      let apiKeyHeader: string | null = null
+
+      if (!hasValidInternalSecret) {
+        for (const [key, value] of request.headers.entries()) {
+          if (key.toLowerCase() === 'x-api-key' && value) {
+            apiKeyHeader = value
+            break
+          }
         }
-      }
 
-      const internalSecret = request.headers.get('X-Internal-Secret')
-      if (
-        allowInternalSecret &&
-        env.INTERNAL_API_SECRET &&
-        internalSecret === env.INTERNAL_API_SECRET
-      ) {
-        return { workflow }
-      }
+        if (!apiKeyHeader) {
+          return {
+            error: {
+              message: 'Unauthorized: API key required',
+              status: 401,
+            },
+          }
+        }
 
-      let apiKeyHeader = null
-      for (const [key, value] of request.headers.entries()) {
-        if (key.toLowerCase() === 'x-api-key' && value) {
-          apiKeyHeader = value
-          break
+        const preflightResult = await authenticateApiKeyFromHeader(apiKeyHeader, {
+          keyTypes: ['workspace', 'personal'],
+        })
+
+        if (!preflightResult.success) {
+          return {
+            error: {
+              message: 'Unauthorized: Invalid API key',
+              status: 401,
+            },
+          }
         }
       }
 
-      if (!apiKeyHeader) {
+      const workflowResult = await getValidatedWorkflow(workflowId)
+      if (workflowResult.error || !workflowResult.workflow) {
+        return workflowResult
+      }
+      const workflow = workflowResult.workflow
+
+      if (!workflow.isDeployed) {
         return {
           error: {
-            message: 'Unauthorized: API key required',
-            status: 401,
+            message: 'Workflow is not deployed',
+            status: 403,
           },
         }
       }
 
+      if (hasValidInternalSecret) {
+        return { workflow }
+      }
+
       let validResult: ApiKeyAuthResult | null = null
 
-      const workspaceResult = await authenticateApiKeyFromHeader(apiKeyHeader, {
+      const workspaceResult = await authenticateApiKeyFromHeader(apiKeyHeader!, {
         workspaceId: workflow.workspaceId as string,
         keyTypes: ['workspace', 'personal'],
       })
@@ -183,8 +198,16 @@ export async function validateWorkflowAccess(
       if (validResult.keyId) {
         await updateApiKeyLastUsed(validResult.keyId)
       }
+
+      return { workflow }
+    }
+
+    return {
+      error: {
+        message: 'Internal server error',
+        status: 500,
+      },
     }
-    return { workflow }
   } catch (error) {
     logger.error('Validation error:', { error })
     return {