feat(api): Hybrid auth for workflows api endpoints #1443
Conversation
|
@Lutherwaves is attempting to deploy a commit to the Sim Team on Vercel. A member of the Team first needs to authorize it. |
Lutherwaves
force-pushed
the
feat/HybridAuthForListWorkflows
branch
from
0474ba7 to
9e8b0b3
Compare
Lutherwaves
force-pushed
the
feat/HybridAuthForListWorkflows
branch
from
9e8b0b3 to
5021e69
Compare
Lutherwaves
changed the title
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
There was a problem hiding this comment.
Greptile Overview
Summary
This PR successfully implements hybrid authentication for the workflows list endpoint, enabling programmatic access via API keys while maintaining session-based authentication for the web UI. The implementation replaces getSession() with checkHybridAuth() in both GET and POST handlers, allowing users to authenticate using either cookies, API keys, or internal JWT tokens.
Key changes:
- Updated import from
@/lib/authto@/lib/auth/hybrid - Modified request parameter type from
RequesttoNextRequestfor proper typing - Replaced session-based user ID extraction with hybrid authentication result handling
- Maintained all existing functionality including workspace validation and error handling
The implementation is clean, follows existing patterns, and directly addresses the feature request in issue #1335.
Confidence Score: 5/5
- This PR is safe to merge with minimal risk
- Score reflects a straightforward implementation that follows existing patterns, maintains backward compatibility, and includes proper error handling
- No files require special attention
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| apps/sim/app/api/workflows/route.ts | 5/5 | Successfully replaced session-only auth with hybrid auth supporting both session and API key authentication |
Sequence Diagram
sequenceDiagram
participant Client
participant WorkflowAPI as /api/workflows
participant HybridCheck as checkHybridAuth
participant SessionSvc as Session Service
participant HeaderSvc as Header Service
participant DB as Database
Client->>WorkflowAPI: Request workflows
WorkflowAPI->>HybridCheck: Verify identity
alt Session Cookie Present
HybridCheck->>SessionSvc: Check session
SessionSvc-->>HybridCheck: Return user ID
else Request Header Present
HybridCheck->>HeaderSvc: Validate header
HeaderSvc-->>HybridCheck: Return user ID
else No Credentials
HybridCheck-->>WorkflowAPI: Identity check failed
WorkflowAPI-->>Client: 401 Unauthorized
end
HybridCheck-->>WorkflowAPI: Identity verified with user ID
WorkflowAPI->>DB: Query workflows for user
DB-->>WorkflowAPI: Return workflows
WorkflowAPI-->>Client: 200 OK with workflow data
1 file reviewed, no comments
|
@waleedlatif1 seems the bots have given us their blessing |
Lutherwaves
force-pushed
the
feat/HybridAuthForListWorkflows
branch
from
5021e69 to
c2e1de7
Compare
|
We should add this into our me/ endpoint set similar to usage-limits --> and it doesn't have to return all fields related to the workflow. Making the internal route externally accessible is not in line with the pattern we want to follow. |
That is a good point. Let me look into it. |
I looked at the /me approach you are referring to. It seems if we want to expose workflows listing there we would have to think about what information we want to return for the workflows. I think having duplicated APIs (external vs internal) isn't the most scalable architecture to have in general. Why not simply expose a single api, then manage what users can see based on their permissions, as opposed to having different internal/external endpoints. Let me know how I can better align with the pattern you want to follow, nonetheless. |
waleedlatif1
force-pushed
the
staging
branch
from
f0c20a9 to
010753d
Compare
|
@waleedlatif1 @icecrasher321 were you able to take a look? |
2 participants
Summary
Implements #1335
Type of Change
Testing
How has this been tested? What should reviewers focus on?
Checklist
Screenshots/Videos