/**
 * Validates that requested permissions are allowed for API keys
 * @param user - The logged-in user
 * @param requestedPermissions - string array of requested permissions
 * @param operation - The operation being performed (for error message)
 * @throws InternalFlowiseError if validation fails
 */
(user: LoggedInUser, requestedPermissions: string[], operation: string)
| 18 | * @throws InternalFlowiseError if validation fails |
| 19 | */ |
| 20 | function validatePermissions(user: LoggedInUser, requestedPermissions: string[], operation: string) { |
| 21 | // API Keys should not have workspace or admin permissions |
| 22 | // This applies to ALL users, including admins (platform constraint) |
| 23 | const hasRestrictedPermissions = requestedPermissions.some( |
| 24 | (permission: string) => permission.startsWith('workspace:') || permission.startsWith('admin:') |
| 25 | ) |
| 26 | |
| 27 | if (hasRestrictedPermissions) { |
| 28 | throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, `Cannot ${operation} API key with workspace or admin permissions`) |
| 29 | } |
| 30 | |
| 31 | // For Cloud platform, check feature-gated permissions |
| 32 | // This also applies to ALL users, including admins (platform constraint) |
| 33 | const appServer = getRunningExpressApp() |
| 34 | if (appServer.identityManager.getPlatformType() === Platform.CLOUD) { |
| 35 | if (!user.features) { |
| 36 | // On Cloud platform, user features should always exist |
| 37 | // Log the anomaly with context for debugging |
| 38 | logger.error( |
| 39 | `[server]: Missing user features on Cloud platform for ${operation} API key. ` + |
| 40 | `User: ${user.email || user.id}, ` + |
| 41 | `Organization: ${user.activeOrganizationId || 'unknown'}, ` + |
| 42 | `Subscription: ${user.activeOrganizationSubscriptionId || 'unknown'}, ` + |
| 43 | `Customer: ${user.activeOrganizationCustomerId || 'unknown'}, ` + |
| 44 | `Workspace: ${user.activeWorkspaceId || 'unknown'}` |
| 45 | ) |
| 46 | throw new InternalFlowiseError(StatusCodes.INTERNAL_SERVER_ERROR, `Unable to validate permissions: user features not available`) |
| 47 | } |
| 48 | |
| 49 | const featureToPermissionMap: { [key: string]: string[] } = { |
| 50 | 'feat:login-activity': ['loginActivity:'], |
| 51 | 'feat:logs': ['logs:'], |
| 52 | 'feat:roles': ['roles:'], |
| 53 | 'feat:share': ['credentials:share', 'templates:custom-share'], |
| 54 | 'feat:sso-config': ['sso:'], |
| 55 | 'feat:users': ['users:'], |
| 56 | 'feat:workspaces': ['workspace:'] |
| 57 | } |
| 58 | |
| 59 | const disabledFeatures = Object.entries(user.features).filter(([, value]) => value === 'false') |
| 60 | const disabledPermissionPrefixes: string[] = [] |
| 61 | disabledFeatures.forEach(([featureKey]) => { |
| 62 | const prefixes = featureToPermissionMap[featureKey] |
| 63 | if (prefixes) { |
| 64 | disabledPermissionPrefixes.push(...prefixes) |
| 65 | } |
| 66 | }) |
| 67 | |
| 68 | const hasDisabledFeaturePermissions = requestedPermissions.some((permission: string) => |
| 69 | disabledPermissionPrefixes.some((prefix) => permission.startsWith(prefix)) |
| 70 | ) |
| 71 | |
| 72 | if (hasDisabledFeaturePermissions) { |
| 73 | throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, `Cannot ${operation} API key with permissions for disabled features`) |
| 74 | } |
| 75 | } |
| 76 | |
| 77 | // User permission validation - only applies to non-admins (authorization check) |