From 4ee6fa85243e30710a286975d3e5f104d4f06da6 Mon Sep 17 00:00:00 2001
From: Siddharth Ganesan
Date: Mon, 6 Apr 2026 12:54:18 -0700
Subject: [PATCH] Security

---
 apps/sim/app/api/copilot/api-keys/validate/route.ts | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/apps/sim/app/api/copilot/api-keys/validate/route.ts b/apps/sim/app/api/copilot/api-keys/validate/route.ts
index b653f4d55a..1c1df54013 100644
--- a/apps/sim/app/api/copilot/api-keys/validate/route.ts
+++ b/apps/sim/app/api/copilot/api-keys/validate/route.ts
@@ -1,4 +1,7 @@
+import { db } from '@sim/db'
+import { user } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
+import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkServerSideUsageLimits } from '@/lib/billing/calculations/usage-monitor'
@@ -34,6 +37,12 @@ export async function POST(req: NextRequest) {
 const { userId } = validationResult.data
+ const [existingUser] = await db.select().from(user).where(eq(user.id, userId)).limit(1)
+ if (!existingUser) {
+ logger.warn('[API VALIDATION] userId does not exist', { userId })
+ return NextResponse.json({ error: 'User not found' }, { status: 403 })
+ }
+
 logger.info('[API VALIDATION] Validating usage limit', { userId })
 const { isExceeded, currentUsage, limit } = await checkServerSideUsageLimits(userId)
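Review bot: The new existence check in the second hunk selects the whole user row when only presence is needed; `const [existingUser] = await db.select({ id: user.id }).from(user).where(eq(user.id, userId)).limit(1)` keeps whatever sensitive columns the user table carries out of the handler and out of any later logging of `existingUser`. The distinct 403 `User not found` body also lets a caller tell existing ids from non-existing ones; whether that is acceptable depends on how this route is authenticated before the hunk, which is not visible here — if the caller is not a trusted internal service, return the same generic response the earlier validation failure uses. 403 paired with a "not found" message is also a semantic mismatch worth settling one way or the other. POST begins before and continues after this hunk.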