(
request: NextRequest,
params: {
credentialId: string
workflowId?: string
requireWorkflowIdForInternal?: boolean
callerUserId?: string
}
)
| 23 | * - Direct legacy account-ID access without workflowId is restricted to account owners only. |
| 24 | */ |
| 25 | export async function authorizeCredentialUse( |
| 26 | request: NextRequest, |
| 27 | params: { |
| 28 | credentialId: string |
| 29 | workflowId?: string |
| 30 | requireWorkflowIdForInternal?: boolean |
| 31 | callerUserId?: string |
| 32 | } |
| 33 | ): Promise<CredentialAccessResult> { |
| 34 | const { credentialId, workflowId, requireWorkflowIdForInternal = true, callerUserId } = params |
| 35 | |
| 36 | const auth = await checkSessionOrInternalAuth(request, { |
| 37 | requireWorkflowId: requireWorkflowIdForInternal, |
| 38 | }) |
| 39 | if (!auth.success || !auth.userId) { |
| 40 | return { ok: false, error: auth.error || 'Authentication required' } |
| 41 | } |
| 42 | |
| 43 | if ( |
| 44 | auth.authType === AuthType.INTERNAL_JWT && |
| 45 | callerUserId !== undefined && |
| 46 | callerUserId !== auth.userId |
| 47 | ) { |
| 48 | return { ok: false, error: 'Caller user does not match internal token subject' } |
| 49 | } |
| 50 | |
| 51 | const actingUserId = auth.userId |
| 52 | |
| 53 | const [workflowContext] = workflowId |
| 54 | ? await db |
| 55 | .select({ workspaceId: workflowTable.workspaceId }) |
| 56 | .from(workflowTable) |
| 57 | .where(eq(workflowTable.id, workflowId)) |
| 58 | .limit(1) |
| 59 | : [null] |
| 60 | |
| 61 | if (workflowId && (!workflowContext || !workflowContext.workspaceId)) { |
| 62 | return { ok: false, error: 'Workflow not found' } |
| 63 | } |
| 64 | |
| 65 | const [platformCredential] = await db |
| 66 | .select({ |
| 67 | id: credential.id, |
| 68 | workspaceId: credential.workspaceId, |
| 69 | type: credential.type, |
| 70 | accountId: credential.accountId, |
| 71 | }) |
| 72 | .from(credential) |
| 73 | .where(eq(credential.id, credentialId)) |
| 74 | .limit(1) |
| 75 | |
| 76 | if (platformCredential) { |
| 77 | if (platformCredential.type === 'service_account') { |
| 78 | if (workflowContext && workflowContext.workspaceId !== platformCredential.workspaceId) { |
| 79 | return { ok: false, error: 'Credential is not accessible from this workflow workspace' } |
| 80 | } |
| 81 | |
| 82 | const requesterPerm = await getUserEntityPermissions( |
no test coverage detected