fix(workflows): hide route workspace existence

PlaneInABottle · PlaneInABottle · commit 61c92a488d42 · 2026-03-19T17:01:08.000+03:00
diff --git a/apps/sim/app/api/workflows/[id]/route.test.ts b/apps/sim/app/api/workflows/[id]/route.test.ts
@@ -144,6 +144,36 @@ describe('Workflow By ID API Route', () => {
       expect(data.error).toBe('Workflow not found')
     })
 
+    it('should return 404 for workspace api key targeting a workflow in another workspace', async () => {
+      const mockWorkflow = {
+        id: 'workflow-123',
+        userId: 'other-user',
+        name: 'Foreign Workflow',
+        workspaceId: 'workspace-b',
+      }
+
+      mockCheckHybridAuth.mockResolvedValue({
+        success: true,
+        userId: 'api-user',
+        authType: 'api_key',
+        apiKeyType: 'workspace',
+        workspaceId: 'workspace-a',
+      })
+      mockGetWorkflowById.mockResolvedValue(mockWorkflow)
+
+      const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
+        headers: { 'x-api-key': 'test-key' },
+      })
+      const params = Promise.resolve({ id: 'workflow-123' })
+
+      const response = await GET(req, { params })
+
+      expect(response.status).toBe(404)
+      const data = await response.json()
+      expect(data.error).toBe('Workflow not found')
+      expect(mockAuthorizeWorkflowByWorkspacePermission).not.toHaveBeenCalled()
+    })
+
     it('should allow access when user has admin workspace permission', async () => {
       const mockWorkflow = {
         id: 'workflow-123',
@@ -220,6 +250,38 @@ describe('Workflow By ID API Route', () => {
       expect(data.data.id).toBe('workflow-123')
     })
 
+    it('should keep session access semantics unchanged for readable workflows', async () => {
+      const mockWorkflow = {
+        id: 'workflow-123',
+        userId: 'other-user',
+        name: 'Test Workflow',
+        workspaceId: 'workspace-456',
+      }
+
+      mockGetSession({ user: { id: 'user-123' } })
+      mockGetWorkflowById.mockResolvedValue(mockWorkflow)
+      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
+        allowed: true,
+        status: 200,
+        workflow: mockWorkflow,
+        workspacePermission: 'read',
+      })
+
+      const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123')
+      const params = Promise.resolve({ id: 'workflow-123' })
+
+      const response = await GET(req, { params })
+
+      expect(response.status).toBe(200)
+      const data = await response.json()
+      expect(data.data.id).toBe('workflow-123')
+      expect(mockAuthorizeWorkflowByWorkspacePermission).toHaveBeenCalledWith({
+        workflowId: 'workflow-123',
+        userId: 'user-123',
+        action: 'read',
+      })
+    })
+
     it('should deny access when user has no workspace permissions', async () => {
       const mockWorkflow = {
         id: 'workflow-123',
diff --git a/apps/sim/app/api/workflows/[id]/route.ts b/apps/sim/app/api/workflows/[id]/route.ts
@@ -51,10 +51,7 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
     }
 
     if (auth.apiKeyType === 'workspace' && auth.workspaceId !== workflowData.workspaceId) {
-      return NextResponse.json(
-        { error: 'API key is not authorized for this workspace' },
-        { status: 403 }
-      )
+      return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
     }
 
     if (isInternalCall && !userId) {

Original file line number	Diff line number	Diff line change
`@@ -51,10 +51,7 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`if (auth.apiKeyType === 'workspace' && auth.workspaceId !== workflowData.workspaceId) {`
`54`		`- return NextResponse.json(`
`55`		`- { error: 'API key is not authorized for this workspace' },`
`56`		`- { status: 403 }`
`57`		`- )`
	`54`	`+ return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })`
`58`	`55`	`}`
`59`	`56`
`60`	`57`	`if (isInternalCall && !userId) {`