verifies integration ownership before saving workflow (#98)

* verifies integration ownership before saving workflow

* verify integration ownership when running workflow

* fix bug

Author: ctate

app/api/workflow/[workflowId]/execute/route.ts

@@ -3,6 +3,7 @@ import { NextResponse } from "next/server";
 import { start } from "workflow/api";
 import { auth } from "@/lib/auth";
 import { db } from "@/lib/db";
+import { validateWorkflowIntegrations } from "@/lib/db/integrations";
 import { workflowExecutions, workflows } from "@/lib/db/schema";
 import { executeWorkflow } from "@/lib/workflow-executor.workflow";
 import type { WorkflowEdge, WorkflowNode } from "@/lib/workflow-store";
@@ -91,6 +92,25 @@ export async function POST(
       return NextResponse.json({ error: "Forbidden" }, { status: 403 });
     }
 
+    // Validate that all integrationIds in workflow nodes belong to the current user
+    const validation = await validateWorkflowIntegrations(
+      workflow.nodes as WorkflowNode[],
+      session.user.id
+    );
+    if (!validation.valid) {
+      console.error(
+        "[Workflow Execute] Invalid integration references:",
+        validation.invalidIds
+      );
+      return NextResponse.json(
+        {
+          error: "Workflow contains invalid integration references",
+          invalidIds: validation.invalidIds,
+        },
+        { status: 403 }
+      );
+    }
+
     // Parse request body
     const body = await request.json().catch(() => ({}));
     const input = body.input || {};

app/api/workflows/[workflowId]/route.ts

@@ -2,6 +2,7 @@ import { and, eq } from "drizzle-orm";
 import { NextResponse } from "next/server";
 import { auth } from "@/lib/auth";
 import { db } from "@/lib/db";
+import { validateWorkflowIntegrations } from "@/lib/db/integrations";
 import { workflows } from "@/lib/db/schema";
 
 export async function GET(
@@ -79,6 +80,24 @@ export async function PATCH(
     }
 
     const body = await request.json();
+
+    // Validate that all integrationIds in nodes belong to the current user
+    if (Array.isArray(body.nodes)) {
+      const validation = await validateWorkflowIntegrations(
+        body.nodes,
+        session.user.id
+      );
+      if (!validation.valid) {
+        return NextResponse.json(
+          {
+            error: "Invalid integration references in workflow",
+            invalidIds: validation.invalidIds,
+          },
+          { status: 403 }
+        );
+      }
+    }
+
     const updateData: Record<string, unknown> = {
       updatedAt: new Date(),
     };

app/api/workflows/[workflowId]/webhook/route.ts

@@ -2,6 +2,7 @@ import { eq } from "drizzle-orm";
 import { NextResponse } from "next/server";
 import { start } from "workflow/api";
 import { db } from "@/lib/db";
+import { validateWorkflowIntegrations } from "@/lib/db/integrations";
 import { workflowExecutions, workflows } from "@/lib/db/schema";
 import { executeWorkflow } from "@/lib/workflow-executor.workflow";
 import type { WorkflowEdge, WorkflowNode } from "@/lib/workflow-store";
@@ -94,6 +95,22 @@ export async function POST(
       );
     }
 
+    // Validate that all integrationIds in workflow nodes belong to the workflow owner
+    const validation = await validateWorkflowIntegrations(
+      workflow.nodes as WorkflowNode[],
+      workflow.userId
+    );
+    if (!validation.valid) {
+      console.error(
+        "[Webhook] Invalid integration references:",
+        validation.invalidIds
+      );
+      return NextResponse.json(
+        { error: "Workflow contains invalid integration references" },
+        { status: 403, headers: corsHeaders }
+      );
+    }
+
     // Parse request body
     const body = await request.json().catch(() => ({}));
 

app/api/workflows/create/route.ts

@@ -3,6 +3,7 @@ import { nanoid } from "nanoid";
 import { NextResponse } from "next/server";
 import { auth } from "@/lib/auth";
 import { db } from "@/lib/db";
+import { validateWorkflowIntegrations } from "@/lib/db/integrations";
 import { workflows } from "@/lib/db/schema";
 import { generateId } from "@/lib/utils/id";
 
@@ -41,6 +42,21 @@ export async function POST(request: Request) {
       );
     }
 
+    // Validate that all integrationIds in nodes belong to the current user
+    const validation = await validateWorkflowIntegrations(
+      body.nodes,
+      session.user.id
+    );
+    if (!validation.valid) {
+      return NextResponse.json(
+        {
+          error: "Invalid integration references in workflow",
+          invalidIds: validation.invalidIds,
+        },
+        { status: 403 }
+      );
+    }
+
     // Ensure there's always a trigger node (only add one if nodes array is empty)
     let nodes = body.nodes;
     if (nodes.length === 0) {

lib/db/integrations.ts

@@ -1,7 +1,7 @@
 import "server-only";
 
 import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import type { IntegrationConfig, IntegrationType } from "../types/integration";
 import { db } from "./index";
 import { integrations, type NewIntegration } from "./schema";
@@ -260,3 +260,70 @@ export async function deleteIntegration(
 
   return result.length > 0;
 }
+
+/**
+ * Workflow node structure for validation
+ */
+type WorkflowNodeForValidation = {
+  data?: {
+    config?: {
+      integrationId?: string;
+    };
+  };
+};
+
+/**
+ * Extract all integration IDs from workflow nodes
+ */
+export function extractIntegrationIds(
+  nodes: WorkflowNodeForValidation[]
+): string[] {
+  const integrationIds: string[] = [];
+
+  for (const node of nodes) {
+    const integrationId = node.data?.config?.integrationId;
+    if (integrationId && typeof integrationId === "string") {
+      integrationIds.push(integrationId);
+    }
+  }
+
+  return [...new Set(integrationIds)];
+}
+
+/**
+ * Validate that all integration IDs in workflow nodes belong to the specified user.
+ * This prevents users from accessing other users' credentials by embedding
+ * foreign integration IDs in their workflows.
+ *
+ * @returns Object with `valid` boolean and optional `invalidIds` array
+ */
+export async function validateWorkflowIntegrations(
+  nodes: WorkflowNodeForValidation[],
+  userId: string
+): Promise<{ valid: boolean; invalidIds?: string[] }> {
+  const integrationIds = extractIntegrationIds(nodes);
+
+  if (integrationIds.length === 0) {
+    return { valid: true };
+  }
+
+  // Query for integrations that belong to this user
+  const userIntegrations = await db
+    .select({ id: integrations.id })
+    .from(integrations)
+    .where(
+      and(
+        inArray(integrations.id, integrationIds),
+        eq(integrations.userId, userId)
+      )
+    );
+
+  const validIds = new Set(userIntegrations.map((i) => i.id));
+  const invalidIds = integrationIds.filter((id) => !validIds.has(id));
+
+  if (invalidIds.length > 0) {
+    return { valid: false, invalidIds };
+  }
+
+  return { valid: true };
+}