( rateLimit: RateLimitResult, requestedWorkspaceId: string )
| 166 | * surface in `app/api/workflows/middleware.ts`. |
| 167 | */ |
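export async function checkWorkspaceScope(
  rateLimit: RateLimitResult,
  requestedWorkspaceId: string
): Promise<NextResponse | null> {
  // Workspace-scoped keys are authorized only on an exact match with the
  // workspace the key is bound to. A workspace key with no workspaceId is
  // rejected too: previously that case skipped the comparison and fell through
  // to `return null`, i.e. the authorization check failed open.
  // NOTE(review): if legacy workspace keys without a workspaceId exist, they
  // will now receive 403 — confirm against the code that builds RateLimitResult.
  if (
    rateLimit.keyType === 'workspace' &&
    (!rateLimit.workspaceId || rateLimit.workspaceId !== requestedWorkspaceId)
  ) {
    return NextResponse.json(
      { error: 'API key is not authorized for this workspace' },
      { status: 403 }
    )
  }

  // Personal keys are accepted only when the requested workspace opts in.
  if (rateLimit.keyType === 'personal') {
    const settings = await getWorkspaceBillingSettings(requestedWorkspaceId)
    // Missing settings and a falsy flag are both treated as "not allowed",
    // so an unknown workspace denies rather than permits.
    if (!settings?.allowPersonalApiKeys) {
      return NextResponse.json(
        { error: 'Personal API keys are not allowed for this workspace' },
        { status: 403 }
      )
    }
  }

  // null means "no objection from this check". Key types other than
  // 'workspace' and 'personal' are not restricted here.
  // NOTE(review): confirm no other keyType can reach this function, or that
  // the caller denies it.
  return null
}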
| 195 | |
| 196 | /** |
| 197 | * Validates workspace-scoped API key bounds and the user's workspace permission. |