Skip to content

fix(auth): workflow system handler#3193

Merged
icecrasher321 merged 1 commit intostagingfrom
fix/auth-workflow
Feb 11, 2026
Merged

fix(auth): workflow system handler#3193
icecrasher321 merged 1 commit intostagingfrom
fix/auth-workflow

Conversation

@icecrasher321
Copy link
Collaborator

@icecrasher321 icecrasher321 commented Feb 11, 2026

Summary

Restore internal JWT bypass for GET workflow route to fix workflow-in-workflow executor calls that don't carry a userId.

Type of Change

  • Bug fix

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel
Copy link

vercel bot commented Feb 11, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Feb 11, 2026 6:21am

Request Review

cursor[bot]
cursor bot reviewed Feb 11, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

@greptile-apps
Copy link
Contributor

greptile-apps bot commented Feb 11, 2026

Greptile Overview

Greptile Summary

This PR changes the GET /api/workflows/[id] handler to allow “internal_jwt” requests to fetch a workflow even when no userId is present (intended to support workflow-in-workflow executor calls).

The handler now branches on auth.authType === 'internal_jwt' and skips workspace permission checks when userId is missing; otherwise it uses authorizeWorkflowByWorkspacePermission to enforce normal access control and then loads normalized workflow state as before.

Confidence Score: 2/5

  • This PR is not safe to merge as-is due to an authorization bypass for internal JWT calls without user context.
  • The new internal_jwt + missing userId branch returns workflow data without any workspace permission check. Since internal JWT auth can succeed without a userId when requireWorkflowId=false, this creates a clear, reproducible authz gap for reading arbitrary workflows by ID for any holder of a valid internal token.
  • apps/sim/app/api/workflows/[id]/route.ts

Important Files Changed

Filename Overview
apps/sim/app/api/workflows/[id]/route.ts Adds internal_jwt bypass for GET workflow reads when userId is missing; introduces an authz gap where internal JWT calls without userId skip workspace permission checks and can read any workflow by ID.

Sequence Diagram

sequenceDiagram
  autonumber
  participant C as Caller
  participant R as GET /api/workflows/[id]
  participant A as checkHybridAuth
  participant DB as getWorkflowById
  participant P as authorizeWorkflowByWorkspacePermission

  C->>R: GET /api/workflows/{id}
  R->>A: checkHybridAuth(requireWorkflowId=false)
  A-->>R: {success, authType, userId?}
  R->>DB: getWorkflowById(workflowId)
  DB-->>R: workflowData | null

  alt internal_jwt && userId missing
    R-->>C: 200 {data: workflowData}
  else userId present
    R->>P: authorizeWorkflowByWorkspacePermission(workflowId, userId, read)
    P-->>R: {allowed, workflow}
    alt allowed
      R-->>C: 200 {data: workflowData}
    else denied
      R-->>C: 4xx {error}
    end
  else no userId
    R-->>C: 401 Unauthorized
  end
Loading

greptile-apps[bot]
greptile-apps bot reviewed Feb 11, 2026
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 file reviewed, 1 comment

Edit Code Review Agent Settings | Greptile

@icecrasher321 icecrasher321 merged commit 5792e7e into staging Feb 11, 2026
12 checks passed
@icecrasher321 icecrasher321 deleted the fix/auth-workflow branch February 11, 2026 06:26
@icecrasher321 icecrasher321 mentioned this pull request Feb 11, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@icecrasher321