fix(workflows): require user-backed workflow reads

Author: PlaneInABottle

apps/sim/app/api/workflows/[id]/route.test.ts

@@ -174,6 +174,31 @@ describe('Workflow By ID API Route', () => {
       expect(mockAuthorizeWorkflowByWorkspacePermission).not.toHaveBeenCalled()
     })
 
+    it('should return 401 for verified internal jwt without userId', async () => {
+      mockCheckHybridAuth.mockResolvedValue({
+        success: true,
+        authType: 'internal_jwt',
+      })
+      mockGetWorkflowById.mockResolvedValue({
+        id: 'workflow-123',
+        userId: 'other-user',
+        name: 'Internal Workflow',
+        workspaceId: 'workspace-456',
+      })
+
+      const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
+        headers: { authorization: 'Bearer internal-token' },
+      })
+      const params = Promise.resolve({ id: 'workflow-123' })
+
+      const response = await GET(req, { params })
+
+      expect(response.status).toBe(401)
+      const data = await response.json()
+      expect(data.error).toBe('Unauthorized')
+      expect(mockAuthorizeWorkflowByWorkspacePermission).not.toHaveBeenCalled()
+    })
+
     it('should allow access when user has admin workspace permission', async () => {
       const mockWorkflow = {
         id: 'workflow-123',

apps/sim/app/api/workflows/[id]/route.ts

@@ -6,7 +6,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getAuditActorMetadata } from '@/lib/audit/actor-metadata'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
-import { AuthType, checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { archiveWorkflow } from '@/lib/workflows/lifecycle'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
@@ -40,7 +40,6 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    const isInternalCall = auth.authType === AuthType.INTERNAL_JWT
     const userId = auth.userId || null
 
     let workflowData = await getWorkflowById(workflowId)
@@ -54,32 +53,28 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
       return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
     }
 
-    if (isInternalCall && !userId) {
-      // Internal system calls (e.g. workflow-in-workflow executor) may not carry a userId.
-      // These are already authenticated via internal JWT; allow read access.
-      logger.info(`[${requestId}] Internal API call for workflow ${workflowId}`)
-    } else if (!userId) {
+    if (!userId) {
       logger.warn(`[${requestId}] Unauthorized access attempt for workflow ${workflowId}`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    } else {
-      const authorization = await authorizeWorkflowByWorkspacePermission({
-        workflowId,
-        userId,
-        action: 'read',
-      })
-      if (!authorization.workflow) {
-        logger.warn(`[${requestId}] Workflow ${workflowId} not found`)
-        return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
-      }
+    }
 
-      workflowData = authorization.workflow
-      if (!authorization.allowed) {
-        logger.warn(`[${requestId}] User ${userId} denied access to workflow ${workflowId}`)
-        return NextResponse.json(
-          { error: authorization.message || 'Access denied' },
-          { status: authorization.status }
-        )
-      }
+    const authorization = await authorizeWorkflowByWorkspacePermission({
+      workflowId,
+      userId,
+      action: 'read',
+    })
+    if (!authorization.workflow) {
+      logger.warn(`[${requestId}] Workflow ${workflowId} not found`)
+      return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
+    }
+
+    workflowData = authorization.workflow
+    if (!authorization.allowed) {
+      logger.warn(`[${requestId}] User ${userId} denied access to workflow ${workflowId}`)
+      return NextResponse.json(
+        { error: authorization.message || 'Access denied' },
+        { status: authorization.status }
+      )
     }
 
     const normalizedData = await loadWorkflowFromNormalizedTables(workflowId)