fix(auth): swap out hybrid auth in relevant callsites (#3160)

* fix(logs): execution files should always use our internal route

* correct degree of access control

* fix tests

* fix tag defs flag

* fix type check

* fix mcp tools

* make webhooks consistent

* fix ollama and vllm visibility

* remove dup test

Author: icecrasher321

apps/sim/app/api/a2a/agents/[agentId]/route.ts

@@ -5,7 +5,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { generateAgentCard, generateSkillsFromWorkflow } from '@/lib/a2a/agent-card'
 import type { AgentCapabilities, AgentSkill } from '@/lib/a2a/types'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { getRedisClient } from '@/lib/core/config/redis'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
@@ -40,7 +40,7 @@ export async function GET(request: NextRequest, { params }: { params: Promise<Ro
     }
 
     if (!agent.agent.isPublished) {
-      const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+      const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
       if (!auth.success) {
         return NextResponse.json({ error: 'Agent not published' }, { status: 404 })
       }
@@ -81,7 +81,7 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<Ro
   const { agentId } = await params
 
   try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
     if (!auth.success || !auth.userId) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
@@ -151,7 +151,7 @@ export async function DELETE(request: NextRequest, { params }: { params: Promise
   const { agentId } = await params
 
   try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
     if (!auth.success || !auth.userId) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
@@ -189,7 +189,7 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
   const { agentId } = await params
 
   try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
     if (!auth.success || !auth.userId) {
       logger.warn('A2A agent publish auth failed:', { error: auth.error, hasUserId: !!auth.userId })
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/a2a/agents/route.ts

@@ -13,7 +13,7 @@ import { v4 as uuidv4 } from 'uuid'
 import { generateSkillsFromWorkflow } from '@/lib/a2a/agent-card'
 import { A2A_DEFAULT_CAPABILITIES } from '@/lib/a2a/constants'
 import { sanitizeAgentName } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
 import { hasValidStartBlockInState } from '@/lib/workflows/triggers/trigger-utils'
 import { getWorkspaceById } from '@/lib/workspaces/permissions/utils'
@@ -27,7 +27,7 @@ export const dynamic = 'force-dynamic'
  */
 export async function GET(request: NextRequest) {
   try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
     if (!auth.success || !auth.userId) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
@@ -87,7 +87,7 @@ export async function GET(request: NextRequest) {
  */
 export async function POST(request: NextRequest) {
   try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
     if (!auth.success || !auth.userId) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }

apps/sim/app/api/auth/oauth/credentials/route.ts

@@ -5,7 +5,7 @@ import { and, eq } from 'drizzle-orm'
 import { jwtDecode } from 'jwt-decode'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { evaluateScopeCoverage, type OAuthProvider, parseProvider } from '@/lib/oauth'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -81,7 +81,7 @@ export async function GET(request: NextRequest) {
     const { provider: providerParam, workflowId, credentialId } = parseResult.data
 
     // Authenticate requester (supports session, API key, internal JWT)
-    const authResult = await checkHybridAuth(request)
+    const authResult = await checkSessionOrInternalAuth(request)
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthenticated credentials request rejected`)
       return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })

apps/sim/app/api/auth/oauth/token/route.test.ts

@@ -12,7 +12,7 @@ describe('OAuth Token API Routes', () => {
   const mockRefreshTokenIfNeeded = vi.fn()
   const mockGetOAuthToken = vi.fn()
   const mockAuthorizeCredentialUse = vi.fn()
-  const mockCheckHybridAuth = vi.fn()
+  const mockCheckSessionOrInternalAuth = vi.fn()
 
   const mockLogger = createMockLogger()
 
@@ -42,7 +42,7 @@ describe('OAuth Token API Routes', () => {
     }))
 
     vi.doMock('@/lib/auth/hybrid', () => ({
-      checkHybridAuth: mockCheckHybridAuth,
+      checkSessionOrInternalAuth: mockCheckSessionOrInternalAuth,
     }))
   })
 
@@ -235,7 +235,7 @@ describe('OAuth Token API Routes', () => {
 
     describe('credentialAccountUserId + providerId path', () => {
       it('should reject unauthenticated requests', async () => {
-        mockCheckHybridAuth.mockResolvedValueOnce({
+        mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
           success: false,
           error: 'Authentication required',
         })
@@ -255,30 +255,8 @@ describe('OAuth Token API Routes', () => {
         expect(mockGetOAuthToken).not.toHaveBeenCalled()
       })
 
-      it('should reject API key authentication', async () => {
-        mockCheckHybridAuth.mockResolvedValueOnce({
-          success: true,
-          authType: 'api_key',
-          userId: 'test-user-id',
-        })
-
-        const req = createMockRequest('POST', {
-          credentialAccountUserId: 'test-user-id',
-          providerId: 'google',
-        })
-
-        const { POST } = await import('@/app/api/auth/oauth/token/route')
-
-        const response = await POST(req)
-        const data = await response.json()
-
-        expect(response.status).toBe(401)
-        expect(data).toHaveProperty('error', 'User not authenticated')
-        expect(mockGetOAuthToken).not.toHaveBeenCalled()
-      })
-
       it('should reject internal JWT authentication', async () => {
-        mockCheckHybridAuth.mockResolvedValueOnce({
+        mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
           success: true,
           authType: 'internal_jwt',
           userId: 'test-user-id',
@@ -300,7 +278,7 @@ describe('OAuth Token API Routes', () => {
       })
 
       it('should reject requests for other users credentials', async () => {
-        mockCheckHybridAuth.mockResolvedValueOnce({
+        mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
           success: true,
           authType: 'session',
           userId: 'attacker-user-id',
@@ -322,7 +300,7 @@ describe('OAuth Token API Routes', () => {
       })
 
       it('should allow session-authenticated users to access their own credentials', async () => {
-        mockCheckHybridAuth.mockResolvedValueOnce({
+        mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
           success: true,
           authType: 'session',
           userId: 'test-user-id',
@@ -345,7 +323,7 @@ describe('OAuth Token API Routes', () => {
       })
 
       it('should return 404 when credential not found for user', async () => {
-        mockCheckHybridAuth.mockResolvedValueOnce({
+        mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
           success: true,
           authType: 'session',
           userId: 'test-user-id',
@@ -373,7 +351,7 @@ describe('OAuth Token API Routes', () => {
    */
   describe('GET handler', () => {
     it('should return access token successfully', async () => {
-      mockCheckHybridAuth.mockResolvedValueOnce({
+      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
         success: true,
         authType: 'session',
         userId: 'test-user-id',
@@ -402,7 +380,7 @@ describe('OAuth Token API Routes', () => {
       expect(response.status).toBe(200)
       expect(data).toHaveProperty('accessToken', 'fresh-token')
 
-      expect(mockCheckHybridAuth).toHaveBeenCalled()
+      expect(mockCheckSessionOrInternalAuth).toHaveBeenCalled()
       expect(mockGetCredential).toHaveBeenCalledWith(mockRequestId, 'credential-id', 'test-user-id')
       expect(mockRefreshTokenIfNeeded).toHaveBeenCalled()
     })
@@ -421,7 +399,7 @@ describe('OAuth Token API Routes', () => {
     })
 
     it('should handle authentication failure', async () => {
-      mockCheckHybridAuth.mockResolvedValueOnce({
+      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
         success: false,
         error: 'Authentication required',
       })
@@ -440,7 +418,7 @@ describe('OAuth Token API Routes', () => {
     })
 
     it('should handle credential not found', async () => {
-      mockCheckHybridAuth.mockResolvedValueOnce({
+      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
         success: true,
         authType: 'session',
         userId: 'test-user-id',
@@ -461,7 +439,7 @@ describe('OAuth Token API Routes', () => {
     })
 
     it('should handle missing access token', async () => {
-      mockCheckHybridAuth.mockResolvedValueOnce({
+      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
         success: true,
         authType: 'session',
         userId: 'test-user-id',
@@ -487,7 +465,7 @@ describe('OAuth Token API Routes', () => {
     })
 
     it('should handle token refresh failure', async () => {
-      mockCheckHybridAuth.mockResolvedValueOnce({
+      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
         success: true,
         authType: 'session',
         userId: 'test-user-id',

apps/sim/app/api/auth/oauth/token/route.ts

@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getCredential, getOAuthToken, refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 
@@ -71,7 +71,7 @@ export async function POST(request: NextRequest) {
         providerId,
       })
 
-      const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+      const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
       if (!auth.success || auth.authType !== 'session' || !auth.userId) {
         logger.warn(`[${requestId}] Unauthorized request for credentialAccountUserId path`, {
           success: auth.success,
@@ -187,7 +187,7 @@ export async function GET(request: NextRequest) {
     const { credentialId } = parseResult.data
 
     // For GET requests, we only support session-based authentication
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
     if (!auth.success || auth.authType !== 'session' || !auth.userId) {
       return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
     }

apps/sim/app/api/files/delete/route.test.ts

@@ -29,7 +29,7 @@ function setupFileApiMocks(
   }
 
   vi.doMock('@/lib/auth/hybrid', () => ({
-    checkHybridAuth: vi.fn().mockResolvedValue({
+    checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
       success: authenticated,
       userId: authenticated ? 'test-user-id' : undefined,
       error: authenticated ? undefined : 'Unauthorized',

apps/sim/app/api/files/delete/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import type { StorageContext } from '@/lib/uploads/config'
 import { deleteFile, hasCloudStorage } from '@/lib/uploads/core/storage-service'
 import { extractStorageKey, inferContextFromKey } from '@/lib/uploads/utils/file-utils'
@@ -24,7 +24,7 @@ const logger = createLogger('FilesDeleteAPI')
  */
 export async function POST(request: NextRequest) {
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success || !authResult.userId) {
       logger.warn('Unauthorized file delete request', {

apps/sim/app/api/files/download/route.ts

@@ -1,6 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import type { StorageContext } from '@/lib/uploads/config'
 import { hasCloudStorage } from '@/lib/uploads/core/storage-service'
 import { verifyFileAccess } from '@/app/api/files/authorization'
@@ -12,7 +12,7 @@ export const dynamic = 'force-dynamic'
 
 export async function POST(request: NextRequest) {
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success || !authResult.userId) {
       logger.warn('Unauthorized download URL request', {

apps/sim/app/api/files/parse/route.test.ts

@@ -35,7 +35,7 @@ function setupFileApiMocks(
   }
 
   vi.doMock('@/lib/auth/hybrid', () => ({
-    checkHybridAuth: vi.fn().mockResolvedValue({
+    checkInternalAuth: vi.fn().mockResolvedValue({
       success: authenticated,
       userId: authenticated ? 'test-user-id' : undefined,
       error: authenticated ? undefined : 'Unauthorized',

apps/sim/app/api/files/parse/route.ts

@@ -5,7 +5,7 @@ import path from 'path'
 import { createLogger } from '@sim/logger'
 import binaryExtensionsList from 'binary-extensions'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
   secureFetchWithPinnedIP,
   validateUrlWithDNS,
@@ -66,7 +66,7 @@ export async function POST(request: NextRequest) {
   const startTime = Date.now()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: true })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: true })
 
     if (!authResult.success) {
       logger.warn('Unauthorized file parse request', {