From 243e01bb21489ef89411497986e47dfcf1cc1bae Mon Sep 17 00:00:00 2001 From: Waleed Latif Date: Sat, 24 Jan 2026 01:43:06 -0800 Subject: [PATCH] extracted duplicate code into helper for resolving user from jwt --- apps/sim/lib/auth/hybrid.ts | 255 +++++++++--------------------------- 1 file changed, 61 insertions(+), 194 deletions(-) diff --git a/apps/sim/lib/auth/hybrid.ts b/apps/sim/lib/auth/hybrid.ts index 8dc45cefa..2b49d7158 100644 --- a/apps/sim/lib/auth/hybrid.ts +++ b/apps/sim/lib/auth/hybrid.ts @@ -16,6 +16,63 @@ export interface AuthResult { error?: string } +/** + * Resolves userId from a verified internal JWT token. + * Extracts workflowId/userId from URL params or POST body, then looks up userId if needed. + */ +async function resolveUserFromJwt( + request: NextRequest, + verificationUserId: string | null, + options: { requireWorkflowId?: boolean } +): Promise { + let workflowId: string | null = null + let userId: string | null = verificationUserId + + const { searchParams } = new URL(request.url) + workflowId = searchParams.get('workflowId') + if (!userId) { + userId = searchParams.get('userId') + } + + if (!workflowId && !userId && request.method === 'POST') { + try { + const clonedRequest = request.clone() + const bodyText = await clonedRequest.text() + if (bodyText) { + const body = JSON.parse(bodyText) + workflowId = body.workflowId || body._context?.workflowId + userId = userId || body.userId || body._context?.userId + } + } catch { + // Ignore JSON parse errors + } + } + + if (userId) { + return { success: true, userId, authType: 'internal_jwt' } + } + + if (workflowId) { + const [workflowData] = await db + .select({ userId: workflow.userId }) + .from(workflow) + .where(eq(workflow.id, workflowId)) + .limit(1) + + if (!workflowData) { + return { success: false, error: 'Workflow not found' } + } + + return { success: true, userId: workflowData.userId, authType: 'internal_jwt' } + } + + if (options.requireWorkflowId !== false) { + return { success: false, error: 'workflowId or userId required for internal JWT calls' } + } + + return { success: true, authType: 'internal_jwt' } +} + /** * Check for internal JWT authentication only. * Use this for routes that should ONLY be accessible by the executor (server-to-server). @@ -51,75 +108,10 @@ export async function checkInternalAuth( const verification = await verifyInternalToken(token) if (!verification.valid) { - return { - success: false, - error: 'Invalid internal token', - } + return { success: false, error: 'Invalid internal token' } } - let workflowId: string | null = null - let userId: string | null = verification.userId || null - - const { searchParams } = new URL(request.url) - workflowId = searchParams.get('workflowId') - if (!userId) { - userId = searchParams.get('userId') - } - - if (!workflowId && !userId && request.method === 'POST') { - try { - const clonedRequest = request.clone() - const bodyText = await clonedRequest.text() - if (bodyText) { - const body = JSON.parse(bodyText) - workflowId = body.workflowId || body._context?.workflowId - userId = userId || body.userId || body._context?.userId - } - } catch { - // Ignore JSON parse errors - } - } - - if (userId) { - return { - success: true, - userId, - authType: 'internal_jwt', - } - } - - if (workflowId) { - const [workflowData] = await db - .select({ userId: workflow.userId }) - .from(workflow) - .where(eq(workflow.id, workflowId)) - .limit(1) - - if (!workflowData) { - return { - success: false, - error: 'Workflow not found', - } - } - - return { - success: true, - userId: workflowData.userId, - authType: 'internal_jwt', - } - } - - if (options.requireWorkflowId !== false) { - return { - success: false, - error: 'workflowId or userId required for internal JWT calls', - } - } - - return { - success: true, - authType: 'internal_jwt', - } + return resolveUserFromJwt(request, verification.userId || null, options) } catch (error) { logger.error('Error in internal authentication:', error) return { @@ -159,69 +151,7 @@ export async function checkSessionOrInternalAuth( const verification = await verifyInternalToken(token) if (verification.valid) { - let workflowId: string | null = null - let userId: string | null = verification.userId || null - - const { searchParams } = new URL(request.url) - workflowId = searchParams.get('workflowId') - if (!userId) { - userId = searchParams.get('userId') - } - - if (!workflowId && !userId && request.method === 'POST') { - try { - const clonedRequest = request.clone() - const bodyText = await clonedRequest.text() - if (bodyText) { - const body = JSON.parse(bodyText) - workflowId = body.workflowId || body._context?.workflowId - userId = userId || body.userId || body._context?.userId - } - } catch { - // Ignore JSON parse errors - } - } - - if (userId) { - return { - success: true, - userId, - authType: 'internal_jwt', - } - } - - if (workflowId) { - const [workflowData] = await db - .select({ userId: workflow.userId }) - .from(workflow) - .where(eq(workflow.id, workflowId)) - .limit(1) - - if (!workflowData) { - return { - success: false, - error: 'Workflow not found', - } - } - - return { - success: true, - userId: workflowData.userId, - authType: 'internal_jwt', - } - } - - if (options.requireWorkflowId !== false) { - return { - success: false, - error: 'workflowId or userId required for internal JWT calls', - } - } - - return { - success: true, - authType: 'internal_jwt', - } + return resolveUserFromJwt(request, verification.userId || null, options) } } @@ -268,70 +198,7 @@ export async function checkHybridAuth( const verification = await verifyInternalToken(token) if (verification.valid) { - let workflowId: string | null = null - let userId: string | null = verification.userId || null - - const { searchParams } = new URL(request.url) - workflowId = searchParams.get('workflowId') - if (!userId) { - userId = searchParams.get('userId') - } - - if (!workflowId && !userId && request.method === 'POST') { - try { - // Clone the request to avoid consuming the original body - const clonedRequest = request.clone() - const bodyText = await clonedRequest.text() - if (bodyText) { - const body = JSON.parse(bodyText) - workflowId = body.workflowId || body._context?.workflowId - userId = userId || body.userId || body._context?.userId - } - } catch { - // Ignore JSON parse errors - } - } - - if (userId) { - return { - success: true, - userId, - authType: 'internal_jwt', - } - } - - if (workflowId) { - const [workflowData] = await db - .select({ userId: workflow.userId }) - .from(workflow) - .where(eq(workflow.id, workflowId)) - .limit(1) - - if (!workflowData) { - return { - success: false, - error: 'Workflow not found', - } - } - - return { - success: true, - userId: workflowData.userId, - authType: 'internal_jwt', - } - } - - if (options.requireWorkflowId !== false) { - return { - success: false, - error: 'workflowId or userId required for internal JWT calls', - } - } - - return { - success: true, - authType: 'internal_jwt', - } + return resolveUserFromJwt(request, verification.userId || null, options) } }