From 28b51b77913093e0269ef3fe8ee00a1ca9b3a43a Mon Sep 17 00:00:00 2001
From: Waleed Latif
Date: Sat, 24 Jan 2026 01:39:01 -0800
Subject: [PATCH] move session check higher in checkSessionOrInternalAuth

---
 apps/sim/lib/auth/hybrid.ts | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/apps/sim/lib/auth/hybrid.ts b/apps/sim/lib/auth/hybrid.ts
index b0d9916ac..8dc45cefa 100644
--- a/apps/sim/lib/auth/hybrid.ts
+++ b/apps/sim/lib/auth/hybrid.ts
@@ -143,7 +143,16 @@ export async function checkSessionOrInternalAuth(
   options: { requireWorkflowId?: boolean } = {}
 ): Promise {
   try {
-    // 1. Check for internal JWT token first
+    // 1. Reject API keys first
+    const apiKeyHeader = request.headers.get('x-api-key')
+    if (apiKeyHeader) {
+      return {
+        success: false,
+        error: 'API key access not allowed for this endpoint',
+      }
+    }
+
+    // 2. Check for internal JWT token
     const authHeader = request.headers.get('authorization')
     if (authHeader?.startsWith('Bearer ')) {
       const token = authHeader.split(' ')[1]
@@ -216,7 +225,7 @@ export async function checkSessionOrInternalAuth(
       }
     }
 
-    // 2. Try session auth (for web UI)
+    // 3. Try session auth (for web UI)
     const session = await getSession()
     if (session?.user?.id) {
       return {
@@ -226,15 +235,6 @@ export async function checkSessionOrInternalAuth(
       }
     }
 
-    // 3. Explicitly reject API key
-    const apiKeyHeader = request.headers.get('x-api-key')
-    if (apiKeyHeader) {
-      return {
-        success: false,
-        error: 'API key access not allowed for this endpoint',
-      }
-    }
-
     return {
       success: false,
       error: 'Authentication required - provide session or internal JWT',
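Review bot: The early return added at the top of the first hunk rejects any request that carries an `x-api-key` header before the internal JWT or the session is even consulted, so a caller presenting a valid JWT (or a valid session cookie) together with an API key now fails where it previously succeeded; that fail-closed behaviour looks intentional, but neither the commit subject (which speaks of moving the session check) nor the code records why, so the step-1 comment should carry the rationale, e.g. `// 1. Fail closed on API keys: this endpoint is session/internal-JWT only, so a request that presents an API key is rejected before any other credential is evaluated (credential types are never mixed).` The gate is a truthiness test, so a header sent with an empty value (`x-api-key:`) is not caught and falls through to the JWT and session paths; if the intent is to reject the header's presence rather than a non-empty key, `if (apiKeyHeader !== null) {` matches the `string | null` that `headers.get` returns. The JWT verification branch and the remainder of `checkSessionOrInternalAuth` continue outside the hunk.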