fix(workflows): allow app auth on workflow lifecycle actions

Author: PlaneInABottle

apps/sim/app/api/workflows/[id]/deploy/route.test.ts

@@ -0,0 +1,139 @@
+/**
+ * @vitest-environment node
+ */
+
+import { NextRequest } from 'next/server'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+const mockValidateWorkflowAccess = vi.fn()
+const mockDbSelect = vi.fn()
+const mockDbFrom = vi.fn()
+const mockDbWhere = vi.fn()
+const mockDbLimit = vi.fn()
+const mockDbOrderBy = vi.fn()
+const mockDeployWorkflow = vi.fn()
+const mockUndeployWorkflow = vi.fn()
+const mockCleanupWebhooksForWorkflow = vi.fn()
+const mockRemoveMcpToolsForWorkflow = vi.fn()
+
+vi.mock('@sim/logger', () => ({
+  createLogger: () => ({ info: vi.fn(), warn: vi.fn(), error: vi.fn() }),
+}))
+
+vi.mock('@/lib/workflows/utils', () => ({
+  validateWorkflowPermissions: vi.fn(),
+}))
+
+vi.mock('@/app/api/workflows/middleware', () => ({
+  validateWorkflowAccess: (...args: unknown[]) => mockValidateWorkflowAccess(...args),
+}))
+
+vi.mock('@/lib/core/utils/request', () => ({
+  generateRequestId: () => 'req-123',
+}))
+
+vi.mock('@sim/db', () => ({
+  db: { select: mockDbSelect },
+  workflow: { variables: 'variables', id: 'id' },
+  workflowDeploymentVersion: { state: 'state', workflowId: 'workflowId', isActive: 'isActive', createdAt: 'createdAt', id: 'id' },
+}))
+
+vi.mock('drizzle-orm', () => ({
+  and: vi.fn(),
+  desc: vi.fn(),
+  eq: vi.fn(),
+}))
+
+vi.mock('@/lib/workflows/persistence/utils', () => ({
+  loadWorkflowFromNormalizedTables: vi.fn().mockResolvedValue(null),
+  deployWorkflow: (...args: unknown[]) => mockDeployWorkflow(...args),
+  undeployWorkflow: (...args: unknown[]) => mockUndeployWorkflow(...args),
+}))
+
+vi.mock('@/lib/workflows/comparison', () => ({
+  hasWorkflowChanged: vi.fn().mockReturnValue(false),
+}))
+
+vi.mock('@/lib/workflows/schedules', () => ({
+  cleanupDeploymentVersion: vi.fn(),
+  createSchedulesForDeploy: vi.fn(),
+  validateWorkflowSchedules: vi.fn().mockReturnValue({ isValid: true }),
+}))
+
+vi.mock('@/lib/webhooks/deploy', () => ({
+  cleanupWebhooksForWorkflow: (...args: unknown[]) => mockCleanupWebhooksForWorkflow(...args),
+  restorePreviousVersionWebhooks: vi.fn(),
+  saveTriggerWebhooksForDeploy: vi.fn(),
+}))
+
+vi.mock('@/lib/mcp/workflow-mcp-sync', () => ({
+  removeMcpToolsForWorkflow: (...args: unknown[]) => mockRemoveMcpToolsForWorkflow(...args),
+  syncMcpToolsForWorkflow: vi.fn(),
+}))
+
+vi.mock('@/lib/audit/log', () => ({
+  AuditAction: {},
+  AuditResourceType: {},
+  recordAudit: vi.fn(),
+}))
+
+import { POST, DELETE } from '@/app/api/workflows/[id]/deploy/route'
+
+describe('Workflow deploy route', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    mockDbSelect.mockReturnValue({ from: mockDbFrom })
+    mockDbFrom.mockReturnValue({ where: mockDbWhere })
+    mockDbWhere.mockReturnValue({ limit: mockDbLimit, orderBy: mockDbOrderBy })
+    mockDbOrderBy.mockReturnValue({ limit: mockDbLimit })
+    mockDbLimit.mockResolvedValue([])
+    mockCleanupWebhooksForWorkflow.mockResolvedValue(undefined)
+    mockRemoveMcpToolsForWorkflow.mockResolvedValue(undefined)
+  })
+
+  it('allows API-key auth for deploy using hybrid auth userId', async () => {
+    mockValidateWorkflowAccess.mockResolvedValue({
+      workflow: { id: 'wf-1', name: 'Test Workflow', workspaceId: 'ws-1' },
+      auth: { success: true, userId: 'api-user', authType: 'api_key' },
+    })
+    mockDeployWorkflow.mockResolvedValue({
+      success: true,
+      deployedAt: '2024-01-01T00:00:00Z',
+      deploymentVersionId: 'dep-1',
+    })
+
+    const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/deploy', {
+      method: 'POST',
+      headers: { 'x-api-key': 'test-key' },
+    })
+    const response = await POST(req, { params: Promise.resolve({ id: 'wf-1' }) })
+
+    expect(response.status).toBe(200)
+    const data = await response.json()
+    expect(data.isDeployed).toBe(true)
+    expect(mockDeployWorkflow).toHaveBeenCalledWith({
+      workflowId: 'wf-1',
+      deployedBy: 'api-user',
+      workflowName: 'Test Workflow',
+    })
+  })
+
+  it('allows API-key auth for undeploy using hybrid auth userId', async () => {
+    mockValidateWorkflowAccess.mockResolvedValue({
+      workflow: { id: 'wf-1', name: 'Test Workflow', workspaceId: 'ws-1' },
+      auth: { success: true, userId: 'api-user', authType: 'api_key' },
+    })
+    mockUndeployWorkflow.mockResolvedValue({ success: true })
+
+    const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/deploy', {
+      method: 'DELETE',
+      headers: { 'x-api-key': 'test-key' },
+    })
+    const response = await DELETE(req, { params: Promise.resolve({ id: 'wf-1' }) })
+
+    expect(response.status).toBe(200)
+    const data = await response.json()
+    expect(data.isDeployed).toBe(false)
+    expect(mockUndeployWorkflow).toHaveBeenCalledWith({ workflowId: 'wf-1' })
+  })
+})

apps/sim/app/api/workflows/[id]/deploy/route.ts

@@ -21,6 +21,7 @@ import {
   validateWorkflowSchedules,
 } from '@/lib/workflows/schedules'
 import { validateWorkflowPermissions } from '@/lib/workflows/utils'
+import { validateWorkflowAccess } from '@/app/api/workflows/middleware'
 import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
 import type { WorkflowState } from '@/stores/workflows/workflow/types'
 
@@ -29,20 +30,47 @@ const logger = createLogger('WorkflowDeployAPI')
 export const dynamic = 'force-dynamic'
 export const runtime = 'nodejs'
 
+async function validateLifecycleAdminAccess(
+  request: NextRequest,
+  workflowId: string,
+  requestId: string
+) {
+  const hybridAccess = await validateWorkflowAccess(request, workflowId, {
+    requireDeployment: false,
+    action: 'admin',
+  })
+
+  if (hybridAccess.error) {
+    return hybridAccess
+  }
+
+  if (hybridAccess.auth?.authType === 'session') {
+    return await validateWorkflowPermissions(workflowId, requestId, 'admin')
+  }
+
+  return {
+    error: null,
+    auth: hybridAccess.auth,
+    session: null,
+    workflow: hybridAccess.workflow,
+  }
+}
+
 export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
   const requestId = generateRequestId()
   const { id } = await params
 
   try {
-    const { error, workflow: workflowData } = await validateWorkflowPermissions(
-      id,
-      requestId,
-      'read'
-    )
-    if (error) {
-      return createErrorResponse(error.message, error.status)
+    const access = await validateWorkflowAccess(request, id, {
+      requireDeployment: false,
+      action: 'read',
+    })
+    if (access.error) {
+      return createErrorResponse(access.error.message, access.error.status)
     }
 
+    const workflowData = access.workflow
+
     if (!workflowData.isDeployed) {
       logger.info(`[${requestId}] Workflow is not deployed: ${id}`)
       return createSuccessResponse({
@@ -115,15 +143,16 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
 
   try {
     const {
+      auth,
       error,
       session,
       workflow: workflowData,
-    } = await validateWorkflowPermissions(id, requestId, 'admin')
+    } = await validateLifecycleAdminAccess(request, id, requestId)
     if (error) {
       return createErrorResponse(error.message, error.status)
     }
 
-    const actorUserId: string | null = session?.user?.id ?? null
+    const actorUserId: string | null = session?.user?.id ?? auth?.userId ?? null
     if (!actorUserId) {
       logger.warn(`[${requestId}] Unable to resolve actor user for workflow deployment: ${id}`)
       return createErrorResponse('Unable to determine deploying user', 400)
@@ -309,7 +338,7 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
   const { id } = await params
 
   try {
-    const { error, session } = await validateWorkflowPermissions(id, requestId, 'admin')
+    const { error, session } = await validateLifecycleAdminAccess(request, id, requestId)
     if (error) {
       return createErrorResponse(error.message, error.status)
     }
@@ -356,14 +385,20 @@ export async function DELETE(
 
   try {
     const {
+      auth,
       error,
       session,
       workflow: workflowData,
-    } = await validateWorkflowPermissions(id, requestId, 'admin')
+    } = await validateLifecycleAdminAccess(request, id, requestId)
     if (error) {
       return createErrorResponse(error.message, error.status)
     }
 
+    const actorUserId = session?.user?.id ?? auth?.userId ?? null
+    if (!actorUserId) {
+      return createErrorResponse('Unable to determine undeploying user', 400)
+    }
+
     // Clean up external webhook subscriptions before undeploying
     await cleanupWebhooksForWorkflow(id, workflowData as Record<string, unknown>, requestId)
 
@@ -385,7 +420,7 @@ export async function DELETE(
 
     recordAudit({
       workspaceId: workflowData?.workspaceId || null,
-      actorId: session!.user.id,
+      actorId: actorUserId,
       actorName: session?.user?.name,
       actorEmail: session?.user?.email,
       action: AuditAction.WORKFLOW_UNDEPLOYED,

apps/sim/app/api/workflows/[id]/route.test.ts

@@ -24,6 +24,7 @@ const mockAuthorizeWorkflowByWorkspacePermission = vi.fn()
 const mockDbDelete = vi.fn()
 const mockDbUpdate = vi.fn()
 const mockDbSelect = vi.fn()
+const mockValidateWorkflowAccess = vi.fn()
 
 /**
  * Helper to set mock auth state consistently across getSession and hybrid auth.
@@ -32,9 +33,16 @@ function mockGetSession(session: { user: { id: string } } | null) {
   if (session) {
     mockCheckHybridAuth.mockResolvedValue({ success: true, userId: session.user.id })
     mockCheckSessionOrInternalAuth.mockResolvedValue({ success: true, userId: session.user.id })
+    mockValidateWorkflowAccess.mockResolvedValue({
+      workflow: { id: 'workflow-123', workspaceId: 'workspace-456' },
+      auth: { success: true, userId: session.user.id, authType: 'session' },
+    })
   } else {
     mockCheckHybridAuth.mockResolvedValue({ success: false })
     mockCheckSessionOrInternalAuth.mockResolvedValue({ success: false })
+    mockValidateWorkflowAccess.mockResolvedValue({
+      error: { message: 'Unauthorized', status: 401 },
+    })
   }
 }
 
@@ -63,6 +71,10 @@ vi.mock('@/lib/workflows/persistence/utils', () => ({
     mockLoadWorkflowFromNormalizedTables(workflowId),
 }))
 
+vi.mock('@/app/api/workflows/middleware', () => ({
+  validateWorkflowAccess: (...args: unknown[]) => mockValidateWorkflowAccess(...args),
+}))
+
 vi.mock('@/lib/workflows/utils', () => ({
   getWorkflowById: (workflowId: string) => mockGetWorkflowById(workflowId),
   authorizeWorkflowByWorkspacePermission: (params: {
@@ -358,6 +370,46 @@ describe('Workflow By ID API Route', () => {
       expect(data.success).toBe(true)
     })
 
+    it('should allow API-key-backed deletion when workflow access is validated', async () => {
+      const mockWorkflow = {
+        id: 'workflow-123',
+        userId: 'other-user',
+        name: 'Test Workflow',
+        workspaceId: 'workspace-456',
+      }
+
+      mockValidateWorkflowAccess.mockResolvedValue({
+        workflow: mockWorkflow,
+        auth: { success: true, userId: 'api-user-1', authType: 'api_key' },
+      })
+      mockGetWorkflowById.mockResolvedValue(mockWorkflow)
+      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
+        allowed: true,
+        status: 200,
+        workflow: mockWorkflow,
+        workspacePermission: 'admin',
+      })
+      mockDbSelect.mockReturnValue({
+        from: vi.fn().mockReturnValue({
+          where: vi.fn().mockResolvedValue([{ id: 'workflow-123' }, { id: 'workflow-456' }]),
+        }),
+      })
+      mockDbDelete.mockReturnValue({
+        where: vi.fn().mockResolvedValue([{ id: 'workflow-123' }]),
+      })
+      setupGlobalFetchMock({ ok: true })
+
+      const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
+        method: 'DELETE',
+        headers: { 'x-api-key': 'test-key' },
+      })
+      const params = Promise.resolve({ id: 'workflow-123' })
+
+      const response = await DELETE(req, { params })
+
+      expect(response.status).toBe(200)
+    })
+
     it('should prevent deletion of the last workflow in workspace', async () => {
       const mockWorkflow = {
         id: 'workflow-123',

apps/sim/app/api/workflows/[id]/route.ts

@@ -5,12 +5,13 @@ import { and, eq, isNull, ne } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
-import { AuthType, checkHybridAuth, checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { AuthType, checkHybridAuth } from '@/lib/auth/hybrid'
 import { env } from '@/lib/core/config/env'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
 import { authorizeWorkflowByWorkspacePermission, getWorkflowById } from '@/lib/workflows/utils'
+import { validateWorkflowAccess } from '@/app/api/workflows/middleware'
 
 const logger = createLogger('WorkflowByIdAPI')
 
@@ -146,13 +147,25 @@ export async function DELETE(
   const { id: workflowId } = await params
 
   try {
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    const validation = await validateWorkflowAccess(request, workflowId, {
+      requireDeployment: false,
+      action: 'admin',
+    })
+    if (validation.error) {
       logger.warn(`[${requestId}] Unauthorized deletion attempt for workflow ${workflowId}`)
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+      return NextResponse.json({ error: validation.error.message }, { status: validation.error.status })
     }
 
-    const userId = auth.userId
+    const auth = validation.auth
+    const userId = auth?.userId
+
+    if (!userId) {
+      logger.warn(`[${requestId}] Missing user identity for workflow deletion ${workflowId}`)
+      return NextResponse.json(
+        { error: 'Workflow deletion requires a user-backed session or API key identity' },
+        { status: 400 }
+      )
+    }
 
     const authorization = await authorizeWorkflowByWorkspacePermission({
       workflowId,