(
request: NextRequest,
options: { requireWorkflowId?: boolean } = {}
)
| 116 | * @param options.requireWorkflowId - Whether workflowId/userId is required for JWT (default: true) |
| 117 | */ |
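export async function checkSessionOrInternalAuth(
  request: NextRequest,
  options: { requireWorkflowId?: boolean } = {}
): Promise<AuthResult> {
  try {
    // 1. API keys are refused before any other method is considered, so a
    //    caller cannot pair an API key with a weaker path on this endpoint.
    const apiKeyHeader = request.headers.get('x-api-key')
    if (apiKeyHeader) {
      return {
        success: false,
        error: 'API key access not allowed for this endpoint',
      }
    }

    // 2. Internal JWT carried as "Authorization: Bearer <token>".
    //    The scheme match is case-sensitive (unchanged from before).
    const authHeader = request.headers.get('authorization')
    if (authHeader?.startsWith('Bearer ')) {
      // `split(' ')[1]` is `string | undefined` under noUncheckedIndexedAccess
      // and is '' for "Bearer " or "Bearer  x"; never hand an empty token to
      // the verifier — treat it as "no usable token".
      const token = authHeader.split(' ')[1] ?? ''
      if (token.length > 0) {
        const verification = await verifyInternalToken(token)
        if (verification.valid) {
          // `|| null` (not `??`) is intentional: an empty userId collapses to null.
          return resolveUserFromJwt(verification.userId || null, options)
        }
      }
      // NOTE(review): a missing, invalid or expired Bearer token is NOT a
      // hard failure here — the request falls through to cookie-session auth
      // below. Confirm that fallback is intended for this endpoint; failing
      // closed when an Authorization header is present would stop a stale
      // internal token from being silently masked by a browser session.
    }

    // 3. Cookie-backed session for the web UI.
    const session = await getSession()
    if (session?.user?.id) {
      return {
        success: true,
        userId: session.user.id,
        userName: session.user.name,
        userEmail: session.user.email,
        authType: AuthType.SESSION,
      }
    }

    // No credential matched: fail closed with a non-specific error.
    return {
      success: false,
      error: 'Unauthorized',
    }
  } catch (error: unknown) {
    // Detail goes to the server log only; the response stays generic so
    // verifier/session internals are not leaked to the caller.
    logger.error('Error in session/internal authentication:', error)
    return {
      success: false,
      error: 'Authentication error',
    }
  }
}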
| 167 | |
| 168 | /** |
| 169 | * Check for authentication using any of the 3 supported methods: |