fix(security): close cross-tenant IDOR gaps in OAuth credential and execution auth (#4549)

* fix(security): close IDOR gaps in OAuth credential and execution authorization

Routes that called resolveOAuthAccountId followed by a conditional
workspace permission check (only run when workspaceId was set) silently
skipped all ownership validation on the legacy account-ID fallback path.
Any authenticated user could supply a raw account.id to access another
tenant's OAuth credentials.

- Replace resolveOAuthAccountId + conditional perm check with
  authorizeCredentialUse in: auth/oauth/wealthbox/item, tools/gmail/label,
  tools/onedrive/files, tools/onedrive/folder, tools/outlook/folders,
  tools/wealthbox/item (routes 1, 3-7)
- Add authorizeCredentialUse ownership gate before resolveVertexCredential
  in providers/route.ts (route 2)
- Add verifyFileAccess check on the user-supplied file key before
  downloadFileFromStorage in tools/wordpress/upload (route 8)
- Add workflowId param to PauseResumeManager methods
  (enqueueOrStartResume, beginPausedCancellation, completePausedCancellation,
  blockQueuedResumesForCancellation, clearPausedCancellationIntent,
  getPausedCancellationStatus, processQueuedResumes) and filter all
  pausedExecutions lookups by workflowId so callers cannot act on another
  tenant's paused execution by supplying a foreign executionId (route 9)
- Update all call sites (cancel, resume, poll routes) to pass workflowId

* fix(security): close verifyFileAccess bypass, thread workflowId to processQueuedResumes, fix log level

- Fail closed in WordPress upload when userFile.key is present but authResult.userId is absent, preventing silent bypass of ownership check via JWT fallback path
- Thread workflowId into processQueuedResumes in the async resume error-recovery path and in pause-persistence.ts to close residual cross-tenant gap
- Change logger.error to logger.warn for credential access denial in OneDrive folder route to match all other routes in this PR

* fix(security): thread workflowId through all processQueuedResumes call sites

Closes residual cross-tenant IDOR gap where processQueuedResumes was called
without a workflowId scope in persistPauseResult, startResumeExecution (success
and error paths), and clearPausedCancellationIntent. workflowId was already in
scope at each site — this wires it through to the existing optional parameter.

* fix(security): remove any types, drop extraneous comments, normalize caught errors

- catch (error: any) → catch (error) + toError(error).message in resume and cancel routes
- Remove what-not-why inline comments from wordpress upload and onedrive/files routes
- Remove redundant debug-only item breakdown log and the file-IDs log in onedrive/files
- Trim extraneous DAG-edge comments from updateSnapshotAfterResume in HITL manager

* fix: use logger.warn for credential access denial in outlook folders route

* fix(security): make workflowId required in all HITL pause/resume methods

All 7 method signatures (processQueuedResumes, enqueueOrStartResume,
beginPausedCancellation, completePausedCancellation, blockQueuedResumesForCancellation,
clearPausedCancellationIntent, getPausedCancellationStatus) previously accepted
workflowId as optional. Every call site already supplies it — making it required
closes the vulnerability at the type level so future callers cannot accidentally
omit tenant scoping and silently fall back to an unscoped DB query.

* fix(security): thread workflowId through internal HITL cancellation calls and remove dead branches in credential-access

* fix(security): harden workflowId scoping and file key guard

Replace falsy workflowId checks in PauseResumeManager (all methods now
unconditionally apply the workflowId WHERE clause, preventing empty-string
bypass). Flip WordPress upload file guard from truthy key check to explicit
non-empty validation so key:"" fails closed with a 404 instead of silently
skipping access control.

Author: waleedlatif1

apps/sim/app/api/auth/oauth/wealthbox/item/route.ts

@@ -1,15 +1,12 @@
-import { db } from '@sim/db'
-import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { wealthboxOAuthItemContract } from '@/lib/api/contracts/selectors/wealthbox'
 import { parseRequest } from '@/lib/api/server'
-import { getSession } from '@/lib/auth'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
 import { validateEnum, validatePathSegment } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
-import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -31,13 +28,6 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
   const requestId = generateRequestId()
 
   try {
-    const session = await getSession()
-
-    if (!session?.user?.id) {
-      logger.warn(`[${requestId}] Unauthenticated request rejected`)
-      return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
-    }
-
     const parsed = await parseRequest(wealthboxOAuthItemContract, request, {})
     if (!parsed.success) return parsed.response
     const { credentialId, itemId, type } = parsed.data.query
@@ -60,39 +50,18 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
       return NextResponse.json({ error: itemIdValidation.error }, { status: 400 })
     }
 
-    const resolved = await resolveOAuthAccountId(credentialId)
-    if (!resolved) {
-      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
-    }
-
-    if (resolved.workspaceId) {
-      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
-      const perm = await getUserEntityPermissions(
-        session.user.id,
-        'workspace',
-        resolved.workspaceId
-      )
-      if (perm === null) {
-        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-      }
-    }
-
-    const credentials = await db
-      .select()
-      .from(account)
-      .where(eq(account.id, resolved.accountId))
-      .limit(1)
-
-    if (!credentials.length) {
-      logger.warn(`[${requestId}] Credential not found`, { credentialId })
-      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    const credAccess = await authorizeCredentialUse(request, {
+      credentialId,
+      requireWorkflowIdForInternal: false,
+    })
+    if (!credAccess.ok || !credAccess.credentialOwnerUserId) {
+      logger.warn(`[${requestId}] Credential access denied`, { error: credAccess.error })
+      return NextResponse.json({ error: credAccess.error || 'Unauthorized' }, { status: 401 })
     }
 
-    const accountRow = credentials[0]
-
     const accessToken = await refreshAccessTokenIfNeeded(
-      resolved.accountId,
-      accountRow.userId,
+      credentialId,
+      credAccess.credentialOwnerUserId,
       requestId
     )
 

apps/sim/app/api/providers/route.ts

@@ -6,6 +6,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { executeProviderContract } from '@/lib/api/contracts/providers'
 import { parseRequest } from '@/lib/api/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
@@ -141,6 +142,21 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
     let finalApiKey: string | undefined = apiKey
     try {
       if (provider === 'vertex' && vertexCredential) {
+        const vertexCredAccess = await authorizeCredentialUse(request, {
+          credentialId: vertexCredential,
+          workflowId: workflowId || undefined,
+          requireWorkflowIdForInternal: false,
+        })
+        if (!vertexCredAccess.ok) {
+          logger.warn(`[${requestId}] Vertex credential access denied`, {
+            error: vertexCredAccess.error,
+            credentialId: vertexCredential,
+          })
+          return NextResponse.json(
+            { error: vertexCredAccess.error || 'Unauthorized' },
+            { status: 401 }
+          )
+        }
         finalApiKey = await resolveVertexCredential(requestId, vertexCredential)
       }
     } catch (error) {

apps/sim/app/api/resume/[workflowId]/[executionId]/[contextId]/route.ts

@@ -141,6 +141,7 @@ export const POST = withRouteHandler(
     try {
       const enqueueResult = await PauseResumeManager.enqueueOrStartResume({
         executionId,
+        workflowId,
         contextId,
         resumeInput,
         userId,
@@ -249,7 +250,7 @@ export const POST = withRouteHandler(
             contextId: enqueueResult.contextId,
             failureReason: 'Failed to queue async resume execution',
           })
-          await PauseResumeManager.processQueuedResumes(executionId)
+          await PauseResumeManager.processQueuedResumes(executionId, workflowId)
           return NextResponse.json(
             { error: 'Failed to queue resume execution. Please try again.' },
             { status: 503 }
@@ -283,15 +284,15 @@ export const POST = withRouteHandler(
         executionId: enqueueResult.resumeExecutionId,
         message: 'Resume execution started.',
       })
-    } catch (error: any) {
+    } catch (error) {
       logger.error('Resume request failed', {
         workflowId,
         executionId,
         contextId,
         error,
       })
       return NextResponse.json(
-        { error: error.message || 'Failed to queue resume request' },
+        { error: toError(error).message || 'Failed to queue resume request' },
         { status: 400 }
       )
     }

apps/sim/app/api/resume/poll/route.ts

@@ -128,6 +128,7 @@ async function dispatchRow(row: DueRow, now: Date): Promise<RowResult> {
     try {
       const enqueueResult = await PauseResumeManager.enqueueOrStartResume({
         executionId: row.executionId,
+        workflowId: row.workflowId,
         contextId: point.contextId,
         resumeInput: {},
         userId,

apps/sim/app/api/tools/gmail/label/route.ts

@@ -1,21 +1,13 @@
-import { db } from '@sim/db'
-import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { gmailLabelSelectorContract } from '@/lib/api/contracts/selectors/google'
 import { parseRequest } from '@/lib/api/server'
-import { getSession } from '@/lib/auth'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { getScopesForService } from '@/lib/oauth/utils'
-import {
-  getServiceAccountToken,
-  refreshAccessTokenIfNeeded,
-  resolveOAuthAccountId,
-  ServiceAccountTokenError,
-} from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, ServiceAccountTokenError } from '@/app/api/auth/oauth/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -25,13 +17,6 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
   const requestId = generateRequestId()
 
   try {
-    const session = await getSession()
-
-    if (!session?.user?.id) {
-      logger.warn(`[${requestId}] Unauthenticated label request rejected`)
-      return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
-    }
-
     const parsed = await parseRequest(gmailLabelSelectorContract, request, {})
     if (!parsed.success) return parsed.response
     const { credentialId, labelId } = parsed.data.query
@@ -43,56 +28,22 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
       return NextResponse.json({ error: labelIdValidation.error }, { status: 400 })
     }
 
-    const resolved = await resolveOAuthAccountId(credentialId)
-    if (!resolved) {
-      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
-    }
-
-    if (resolved.workspaceId) {
-      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
-      const perm = await getUserEntityPermissions(
-        session.user.id,
-        'workspace',
-        resolved.workspaceId
-      )
-      if (perm === null) {
-        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-      }
+    const credAccess = await authorizeCredentialUse(request, {
+      credentialId,
+      requireWorkflowIdForInternal: false,
+    })
+    if (!credAccess.ok || !credAccess.credentialOwnerUserId) {
+      logger.warn(`[${requestId}] Credential access denied`, { error: credAccess.error })
+      return NextResponse.json({ error: credAccess.error || 'Unauthorized' }, { status: 401 })
     }
 
-    let accessToken: string | null = null
-
-    if (resolved.credentialType === 'service_account' && resolved.credentialId) {
-      accessToken = await getServiceAccountToken(
-        resolved.credentialId,
-        getScopesForService('gmail'),
-        impersonateEmail
-      )
-    } else {
-      const credentials = await db
-        .select()
-        .from(account)
-        .where(eq(account.id, resolved.accountId))
-        .limit(1)
-
-      if (!credentials.length) {
-        logger.warn(`[${requestId}] Credential not found`)
-        return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
-      }
-
-      const accountRow = credentials[0]
-
-      logger.info(
-        `[${requestId}] Using credential: ${accountRow.id}, provider: ${accountRow.providerId}`
-      )
-
-      accessToken = await refreshAccessTokenIfNeeded(
-        resolved.accountId,
-        accountRow.userId,
-        requestId,
-        getScopesForService('gmail')
-      )
-    }
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credentialId,
+      credAccess.credentialOwnerUserId,
+      requestId,
+      getScopesForService('gmail'),
+      impersonateEmail
+    )
 
     if (!accessToken) {
       return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })