fix: bind auth tokens to deployment password for immediate revocation

Include a SHA-256 hash of the encrypted password in the HMAC-signed
token payload. Changing the deployment password now immediately
invalidates all existing auth cookies, restoring the pre-HMAC behavior.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/chat/[identifier]/route.ts

@@ -141,7 +141,7 @@ export async function POST(
     if ((password || email) && !input) {
       const response = addCorsHeaders(createSuccessResponse({ authenticated: true }), request)
 
-      setChatAuthCookie(response, deployment.id, deployment.authType)
+      setChatAuthCookie(response, deployment.id, deployment.authType, deployment.password)
 
       return response
     }
@@ -327,7 +327,7 @@ export async function GET(
     if (
       deployment.authType !== 'public' &&
       authCookie &&
-      validateAuthToken(authCookie.value, deployment.id)
+      validateAuthToken(authCookie.value, deployment.id, deployment.password)
     ) {
       return addCorsHeaders(
         createSuccessResponse({

apps/sim/app/api/chat/utils.ts

@@ -13,8 +13,13 @@ import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
 
 const logger = createLogger('ChatAuthUtils')
 
-export function setChatAuthCookie(response: NextResponse, chatId: string, type: string): void {
-  setDeploymentAuthCookie(response, 'chat', chatId, type)
+export function setChatAuthCookie(
+  response: NextResponse,
+  chatId: string,
+  type: string,
+  encryptedPassword?: string | null
+): void {
+  setDeploymentAuthCookie(response, 'chat', chatId, type, encryptedPassword)
 }
 
 /**
@@ -93,7 +98,7 @@ export async function validateChatAuth(
   const cookieName = `chat_auth_${deployment.id}`
   const authCookie = request.cookies.get(cookieName)
 
-  if (authCookie && validateAuthToken(authCookie.value, deployment.id)) {
+  if (authCookie && validateAuthToken(authCookie.value, deployment.id, deployment.password)) {
     return { authorized: true }
   }
 

apps/sim/app/api/form/[identifier]/route.ts

@@ -157,7 +157,7 @@ export async function POST(
     // If only authentication credentials provided (no form data), just return authenticated
     if ((password || email) && !formData) {
       const response = addCorsHeaders(createSuccessResponse({ authenticated: true }), request)
-      setFormAuthCookie(response, deployment.id, deployment.authType)
+      setFormAuthCookie(response, deployment.id, deployment.authType, deployment.password)
       return response
     }
 
@@ -337,7 +337,7 @@ export async function GET(
     if (
       deployment.authType !== 'public' &&
       authCookie &&
-      validateAuthToken(authCookie.value, deployment.id)
+      validateAuthToken(authCookie.value, deployment.id, deployment.password)
     ) {
       return addCorsHeaders(
         createSuccessResponse({

apps/sim/app/api/form/utils.ts

@@ -13,8 +13,13 @@ import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
 
 const logger = createLogger('FormAuthUtils')
 
-export function setFormAuthCookie(response: NextResponse, formId: string, type: string): void {
-  setDeploymentAuthCookie(response, 'form', formId, type)
+export function setFormAuthCookie(
+  response: NextResponse,
+  formId: string,
+  type: string,
+  encryptedPassword?: string | null
+): void {
+  setDeploymentAuthCookie(response, 'form', formId, type, encryptedPassword)
 }
 
 /**
@@ -90,7 +95,7 @@ export async function validateFormAuth(
   const cookieName = `form_auth_${deployment.id}`
   const authCookie = request.cookies.get(cookieName)
 
-  if (authCookie && validateAuthToken(authCookie.value, deployment.id)) {
+  if (authCookie && validateAuthToken(authCookie.value, deployment.id, deployment.password)) {
     return { authorized: true }
   }
 

apps/sim/app/api/proxy/tts/stream/route.ts

@@ -40,7 +40,7 @@ async function validateChatAuth(request: NextRequest, chatId: string): Promise<b
     const cookieName = `chat_auth_${chatId}`
     const authCookie = request.cookies.get(cookieName)
 
-    if (authCookie && validateAuthToken(authCookie.value, chatId)) {
+    if (authCookie && validateAuthToken(authCookie.value, chatId, chatData.password)) {
       return true
     }
 

apps/sim/lib/core/security/deployment.ts

@@ -1,4 +1,4 @@
-import { createHmac, timingSafeEqual } from 'crypto'
+import { createHash, createHmac, timingSafeEqual } from 'crypto'
 import type { NextRequest, NextResponse } from 'next/server'
 import { env } from '@/lib/core/config/env'
 import { isDev } from '@/lib/core/config/feature-flags'
@@ -12,16 +12,31 @@ function signPayload(payload: string): string {
   return createHmac('sha256', env.BETTER_AUTH_SECRET).update(payload).digest('hex')
 }
 
-function generateAuthToken(deploymentId: string, type: string): string {
-  const payload = `${deploymentId}:${type}:${Date.now()}`
+function passwordSlot(encryptedPassword?: string | null): string {
+  if (!encryptedPassword) return ''
+  return createHash('sha256').update(encryptedPassword).digest('hex').slice(0, 8)
+}
+
+function generateAuthToken(
+  deploymentId: string,
+  type: string,
+  encryptedPassword?: string | null
+): string {
+  const payload = `${deploymentId}:${type}:${Date.now()}:${passwordSlot(encryptedPassword)}`
   const sig = signPayload(payload)
   return Buffer.from(`${payload}:${sig}`).toString('base64')
 }
 
 /**
- * Validates an HMAC-signed authentication token for a deployment (chat or form)
+ * Validates an HMAC-signed authentication token for a deployment (chat or form).
+ * Includes a password-derived slot so changing the deployment password immediately
+ * invalidates existing sessions.
  */
-export function validateAuthToken(token: string, deploymentId: string): boolean {
+export function validateAuthToken(
+  token: string,
+  deploymentId: string,
+  encryptedPassword?: string | null
+): boolean {
   try {
     const decoded = Buffer.from(token, 'base64').toString()
     const lastColon = decoded.lastIndexOf(':')
@@ -39,10 +54,14 @@ export function validateAuthToken(token: string, deploymentId: string): boolean
     }
 
     const parts = payload.split(':')
-    const [storedId, _type, timestamp] = parts
+    if (parts.length < 4) return false
+    const [storedId, _type, timestamp, storedPwSlot] = parts
 
     if (storedId !== deploymentId) return false
 
+    const expectedPwSlot = passwordSlot(encryptedPassword)
+    if (storedPwSlot !== expectedPwSlot) return false
+
     const createdAt = Number.parseInt(timestamp)
     const expireTime = 24 * 60 * 60 * 1000
     if (Date.now() - createdAt > expireTime) return false
@@ -60,9 +79,10 @@ export function setDeploymentAuthCookie(
   response: NextResponse,
   cookiePrefix: 'chat' | 'form',
   deploymentId: string,
-  authType: string
+  authType: string,
+  encryptedPassword?: string | null
 ): void {
-  const token = generateAuthToken(deploymentId, authType)
+  const token = generateAuthToken(deploymentId, authType, encryptedPassword)
   response.cookies.set({
     name: `${cookiePrefix}_auth_${deploymentId}`,
     value: token,