
Function authorizeCredentialUse

apps/sim/lib/auth/credential-access.ts:25–295  ·  view source on GitHub ↗
(
  request: NextRequest,
  params: {
    credentialId: string
    workflowId?: string
    requireWorkflowIdForInternal?: boolean
    callerUserId?: string
  }
)


23 * - Direct legacy account-ID access without workflowId is restricted to account owners only.
24 */
25export async function authorizeCredentialUse(
26 request: NextRequest,
27 params: {
28 credentialId: string
29 workflowId?: string
30 requireWorkflowIdForInternal?: boolean
31 callerUserId?: string
32 }
33): Promise<CredentialAccessResult> {
34 const { credentialId, workflowId, requireWorkflowIdForInternal = true, callerUserId } = params
35
36 const auth = await checkSessionOrInternalAuth(request, {
37 requireWorkflowId: requireWorkflowIdForInternal,
38 })
39 if (!auth.success || !auth.userId) {
40 return { ok: false, error: auth.error || 'Authentication required' }
41 }
42
43 if (
44 auth.authType === AuthType.INTERNAL_JWT &&
45 callerUserId !== undefined &&
46 callerUserId !== auth.userId
47 ) {
48 return { ok: false, error: 'Caller user does not match internal token subject' }
49 }
50
51 const actingUserId = auth.userId
52
53 const [workflowContext] = workflowId
54 ? await db
55 .select({ workspaceId: workflowTable.workspaceId })
56 .from(workflowTable)
57 .where(eq(workflowTable.id, workflowId))
58 .limit(1)
59 : [null]
60
61 if (workflowId && (!workflowContext || !workflowContext.workspaceId)) {
62 return { ok: false, error: 'Workflow not found' }
63 }
64
65 const [platformCredential] = await db
66 .select({
67 id: credential.id,
68 workspaceId: credential.workspaceId,
69 type: credential.type,
70 accountId: credential.accountId,
71 })
72 .from(credential)
73 .where(eq(credential.id, credentialId))
74 .limit(1)
75
76 if (platformCredential) {
77 if (platformCredential.type === 'service_account') {
78 if (workflowContext && workflowContext.workspaceId !== platformCredential.workspaceId) {
79 return { ok: false, error: 'Credential is not accessible from this workflow workspace' }
80 }
81
82 const requesterPerm = await getUserEntityPermissions(
