extracted duplicate code into helper for resolving user from jwt

2026-01-24 06:18:04 -05:00 · 2026-01-24 01:43:06 -08:00
parent 28b51b7791
commit 243e01bb21
1 changed files with 61 additions and 194 deletions
--- a/apps/sim/lib/auth/hybrid.ts
+++ b/apps/sim/lib/auth/hybrid.ts
@@ -16,6 +16,63 @@ export interface AuthResult {
  error?: string
 }

+/**
+ * Resolves userId from a verified internal JWT token.
+ * Extracts workflowId/userId from URL params or POST body, then looks up userId if needed.
+ */
+async function resolveUserFromJwt(
+  request: NextRequest,
+  verificationUserId: string | null,
+  options: { requireWorkflowId?: boolean }
+): Promise<AuthResult> {
+  let workflowId: string | null = null
+  let userId: string | null = verificationUserId
+
+  const { searchParams } = new URL(request.url)
+  workflowId = searchParams.get('workflowId')
+  if (!userId) {
+    userId = searchParams.get('userId')
+  }
+
+  if (!workflowId && !userId && request.method === 'POST') {
+    try {
+      const clonedRequest = request.clone()
+      const bodyText = await clonedRequest.text()
+      if (bodyText) {
+        const body = JSON.parse(bodyText)
+        workflowId = body.workflowId || body._context?.workflowId
+        userId = userId || body.userId || body._context?.userId
+      }
+    } catch {
+      // Ignore JSON parse errors
+    }
+  }
+
+  if (userId) {
+    return { success: true, userId, authType: 'internal_jwt' }
+  }
+
+  if (workflowId) {
+    const [workflowData] = await db
+      .select({ userId: workflow.userId })
+      .from(workflow)
+      .where(eq(workflow.id, workflowId))
+      .limit(1)
+
+    if (!workflowData) {
+      return { success: false, error: 'Workflow not found' }
+    }
+
+    return { success: true, userId: workflowData.userId, authType: 'internal_jwt' }
+  }
+
+  if (options.requireWorkflowId !== false) {
+    return { success: false, error: 'workflowId or userId required for internal JWT calls' }
+  }
+
+  return { success: true, authType: 'internal_jwt' }
+}
+
 /**
 * Check for internal JWT authentication only.
 * Use this for routes that should ONLY be accessible by the executor (server-to-server).
@@ -51,75 +108,10 @@ export async function checkInternalAuth(
    const verification = await verifyInternalToken(token)

    if (!verification.valid) {
-      return {
-        success: false,
-        error: 'Invalid internal token',
-      }
+      return { success: false, error: 'Invalid internal token' }
    }

-    let workflowId: string | null = null
-    let userId: string | null = verification.userId || null
-
-    const { searchParams } = new URL(request.url)
-    workflowId = searchParams.get('workflowId')
-    if (!userId) {
-      userId = searchParams.get('userId')
-    }
-
-    if (!workflowId && !userId && request.method === 'POST') {
-      try {
-        const clonedRequest = request.clone()
-        const bodyText = await clonedRequest.text()
-        if (bodyText) {
-          const body = JSON.parse(bodyText)
-          workflowId = body.workflowId || body._context?.workflowId
-          userId = userId || body.userId || body._context?.userId
-        }
-      } catch {
-        // Ignore JSON parse errors
-      }
-    }
-
-    if (userId) {
-      return {
-        success: true,
-        userId,
-        authType: 'internal_jwt',
-      }
-    }
-
-    if (workflowId) {
-      const [workflowData] = await db
-        .select({ userId: workflow.userId })
-        .from(workflow)
-        .where(eq(workflow.id, workflowId))
-        .limit(1)
-
-      if (!workflowData) {
-        return {
-          success: false,
-          error: 'Workflow not found',
-        }
-      }
-
-      return {
-        success: true,
-        userId: workflowData.userId,
-        authType: 'internal_jwt',
-      }
-    }
-
-    if (options.requireWorkflowId !== false) {
-      return {
-        success: false,
-        error: 'workflowId or userId required for internal JWT calls',
-      }
-    }
-
-    return {
-      success: true,
-      authType: 'internal_jwt',
-    }
+    return resolveUserFromJwt(request, verification.userId || null, options)
  } catch (error) {
    logger.error('Error in internal authentication:', error)
    return {
@@ -159,69 +151,7 @@ export async function checkSessionOrInternalAuth(
      const verification = await verifyInternalToken(token)

      if (verification.valid) {
-        let workflowId: string | null = null
-        let userId: string | null = verification.userId || null
-
-        const { searchParams } = new URL(request.url)
-        workflowId = searchParams.get('workflowId')
-        if (!userId) {
-          userId = searchParams.get('userId')
-        }
-
-        if (!workflowId && !userId && request.method === 'POST') {
-          try {
-            const clonedRequest = request.clone()
-            const bodyText = await clonedRequest.text()
-            if (bodyText) {
-              const body = JSON.parse(bodyText)
-              workflowId = body.workflowId || body._context?.workflowId
-              userId = userId || body.userId || body._context?.userId
-            }
-          } catch {
-            // Ignore JSON parse errors
-          }
-        }
-
-        if (userId) {
-          return {
-            success: true,
-            userId,
-            authType: 'internal_jwt',
-          }
-        }
-
-        if (workflowId) {
-          const [workflowData] = await db
-            .select({ userId: workflow.userId })
-            .from(workflow)
-            .where(eq(workflow.id, workflowId))
-            .limit(1)
-
-          if (!workflowData) {
-            return {
-              success: false,
-              error: 'Workflow not found',
-            }
-          }
-
-          return {
-            success: true,
-            userId: workflowData.userId,
-            authType: 'internal_jwt',
-          }
-        }
-
-        if (options.requireWorkflowId !== false) {
-          return {
-            success: false,
-            error: 'workflowId or userId required for internal JWT calls',
-          }
-        }
-
-        return {
-          success: true,
-          authType: 'internal_jwt',
-        }
+        return resolveUserFromJwt(request, verification.userId || null, options)
      }
    }

@@ -268,70 +198,7 @@ export async function checkHybridAuth(
      const verification = await verifyInternalToken(token)

      if (verification.valid) {
-        let workflowId: string | null = null
-        let userId: string | null = verification.userId || null
-
-        const { searchParams } = new URL(request.url)
-        workflowId = searchParams.get('workflowId')
-        if (!userId) {
-          userId = searchParams.get('userId')
-        }
-
-        if (!workflowId && !userId && request.method === 'POST') {
-          try {
-            // Clone the request to avoid consuming the original body
-            const clonedRequest = request.clone()
-            const bodyText = await clonedRequest.text()
-            if (bodyText) {
-              const body = JSON.parse(bodyText)
-              workflowId = body.workflowId || body._context?.workflowId
-              userId = userId || body.userId || body._context?.userId
-            }
-          } catch {
-            // Ignore JSON parse errors
-          }
-        }
-
-        if (userId) {
-          return {
-            success: true,
-            userId,
-            authType: 'internal_jwt',
-          }
-        }
-
-        if (workflowId) {
-          const [workflowData] = await db
-            .select({ userId: workflow.userId })
-            .from(workflow)
-            .where(eq(workflow.id, workflowId))
-            .limit(1)
-
-          if (!workflowData) {
-            return {
-              success: false,
-              error: 'Workflow not found',
-            }
-          }
-
-          return {
-            success: true,
-            userId: workflowData.userId,
-            authType: 'internal_jwt',
-          }
-        }
-
-        if (options.requireWorkflowId !== false) {
-          return {
-            success: false,
-            error: 'workflowId or userId required for internal JWT calls',
-          }
-        }
-
-        return {
-          success: true,
-          authType: 'internal_jwt',
-        }
+        return resolveUserFromJwt(request, verification.userId || null, options)
      }
    }