fix(security): add authentication and input validation to API routes (#2959)

* fix(security): add authentication and input validation to API routes * moved utils * remove extraneous commetns * removed unused dep
2026-02-11 07:04:58 -05:00 · 2026-01-23 17:48:39 -08:00
parent 6464cfa7f2
commit f44594c380
50 changed files with 490 additions and 54 deletions
--- a/apps/sim/app/api/function/execute/route.test.ts
+++ b/apps/sim/app/api/function/execute/route.test.ts
@@ -84,6 +84,14 @@ vi.mock('@/lib/execution/isolated-vm', () => ({

 vi.mock('@sim/logger', () => loggerMock)

+vi.mock('@/lib/auth/hybrid', () => ({
+  checkHybridAuth: vi.fn().mockResolvedValue({
+    success: true,
+    userId: 'user-123',
+    authType: 'session',
+  }),
+}))
+
 vi.mock('@/lib/execution/e2b', () => ({
  executeInE2B: vi.fn(),
 }))
@@ -110,6 +118,24 @@ describe('Function Execute API Route', () => {
  })

  describe('Security Tests', () => {
+    it('should reject unauthorized requests', async () => {
+      const { checkHybridAuth } = await import('@/lib/auth/hybrid')
+      vi.mocked(checkHybridAuth).mockResolvedValueOnce({
+        success: false,
+        error: 'Unauthorized',
+      })
+
+      const req = createMockRequest('POST', {
+        code: 'return "test"',
+      })
+
+      const response = await POST(req)
+      const data = await response.json()
+
+      expect(response.status).toBe(401)
+      expect(data).toHaveProperty('error', 'Unauthorized')
+    })
+
    it.concurrent('should use isolated-vm for secure sandboxed execution', async () => {
      const req = createMockRequest('POST', {
        code: 'return "test"',
--- a/apps/sim/app/api/function/execute/route.ts
+++ b/apps/sim/app/api/function/execute/route.ts
@@ -1,5 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { isE2bEnabled } from '@/lib/core/config/feature-flags'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { executeInE2B } from '@/lib/execution/e2b'
@@ -581,6 +582,12 @@ export async function POST(req: NextRequest) {
  let resolvedCode = '' // Store resolved code for error reporting

  try {
+    const auth = await checkHybridAuth(req)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized function execution attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
    const body = await req.json()

    const { DEFAULT_EXECUTION_TIMEOUT_MS } = await import('@/lib/execution/constants')