move session check higher in checkSessionOrInternalAuth

2026-01-24 06:18:04 -05:00 · 2026-01-24 01:39:01 -08:00
parent b1bcd9a796
commit 28b51b7791
1 changed files with 11 additions and 11 deletions
--- a/apps/sim/lib/auth/hybrid.ts
+++ b/apps/sim/lib/auth/hybrid.ts
@@ -143,7 +143,16 @@ export async function checkSessionOrInternalAuth(
  options: { requireWorkflowId?: boolean } = {}
 ): Promise<AuthResult> {
  try {
-    // 1. Check for internal JWT token first
+    // 1. Reject API keys first
+    const apiKeyHeader = request.headers.get('x-api-key')
+    if (apiKeyHeader) {
+      return {
+        success: false,
+        error: 'API key access not allowed for this endpoint',
+      }
+    }
+
+    // 2. Check for internal JWT token
    const authHeader = request.headers.get('authorization')
    if (authHeader?.startsWith('Bearer ')) {
      const token = authHeader.split(' ')[1]
@@ -216,7 +225,7 @@ export async function checkSessionOrInternalAuth(
      }
    }

-    // 2. Try session auth (for web UI)
+    // 3. Try session auth (for web UI)
    const session = await getSession()
    if (session?.user?.id) {
      return {
@@ -226,15 +235,6 @@ export async function checkSessionOrInternalAuth(
      }
    }

-    // 3. Explicitly reject API key
-    const apiKeyHeader = request.headers.get('x-api-key')
-    if (apiKeyHeader) {
-      return {
-        success: false,
-        error: 'API key access not allowed for this endpoint',
-      }
-    }
-
    return {
      success: false,
      error: 'Authentication required - provide session or internal JWT',