fix(billing): address review findings on the paid-plan gate

TheodoreSpeaks · TheodoreSpeaks · commit 57a0f4711ed0 · 2026-06-13T17:26:30.000-07:00
- execute route: gate on the workflow's workspace billed account (like MCP/A2A/
  webhooks/chat) instead of the caller/creator's personal plan, so a paid
  workspace is never 402'd because an individual is on free
- webhooks: all-generic-all-free fan-out now returns 402, not a 500 'No webhooks
  processed' fallback
- deploy modal: hold the gate closed until the subscription query resolves
  (isFree(undefined) is true) to avoid flashing the upgrade wall at paid users
diff --git a/apps/sim/app/api/webhooks/trigger/[path]/route.test.ts b/apps/sim/app/api/webhooks/trigger/[path]/route.test.ts
@@ -399,6 +399,7 @@ describe('Webhook Trigger API Route', () => {
       isFromNormalizedTables: true,
     })
     workflowsPersistenceUtilsMockFns.mockBlockExistsInDeployment.mockResolvedValue(true)
+    isWorkspaceApiExecutionEntitledMock.mockResolvedValue(true)
 
     mockExecutionDependencies()
     mockTriggerDevSdk()
@@ -633,6 +634,44 @@ describe('Webhook Trigger API Route', () => {
       expect(response.status).toBe(402)
     })
 
+    it('returns 402 (not 500) when every webhook in a shared path is generic and free', async () => {
+      testData.webhooks.push(
+        {
+          id: 'generic-webhook-a',
+          provider: 'generic',
+          path: 'test-path',
+          isActive: true,
+          providerConfig: { requireAuth: false },
+          workflowId: 'test-workflow-id',
+          rateLimitCount: 100,
+          rateLimitPeriod: 60,
+        },
+        {
+          id: 'generic-webhook-b',
+          provider: 'generic',
+          path: 'test-path',
+          isActive: true,
+          providerConfig: { requireAuth: false },
+          workflowId: 'test-workflow-id',
+          rateLimitCount: 100,
+          rateLimitPeriod: 60,
+        }
+      )
+      testData.workflows.push({
+        id: 'test-workflow-id',
+        userId: 'test-user-id',
+        workspaceId: 'test-workspace-id',
+      })
+      isWorkspaceApiExecutionEntitledMock.mockResolvedValue(false)
+
+      const req = createMockRequest('POST', { event: 'test', id: 'test-123' })
+      const params = Promise.resolve({ path: 'test-path' })
+
+      const response = await POST(req as any, { params })
+
+      expect(response.status).toBe(402)
+    })
+
     it('should authenticate with Bearer token when no custom header is configured', async () => {
       testData.webhooks.push({
         id: 'generic-webhook-id',
diff --git a/apps/sim/app/api/webhooks/trigger/[path]/route.ts b/apps/sim/app/api/webhooks/trigger/[path]/route.ts
@@ -126,6 +126,7 @@ async function handleWebhookPost(
   // Process each webhook
   // For credential sets with shared paths, each webhook represents a different credential
   const responses: NextResponse[] = []
+  let billingBlocked = false
 
   for (const { webhook: foundWebhook, workflow: foundWorkflow } of webhooksForPath) {
     // Generic ("custom") webhooks are an unauthenticated programmatic execution
@@ -136,6 +137,7 @@ async function handleWebhookPost(
       !(await isWorkspaceApiExecutionEntitled(foundWorkflow.workspaceId))
     ) {
       logger.warn(`[${requestId}] Generic webhook blocked: workspace on free plan`)
+      billingBlocked = true
       if (webhooksForPath.length > 1) continue
       return NextResponse.json({ error: API_EXECUTION_REQUIRES_PAID_PLAN_MESSAGE }, { status: 402 })
     }
@@ -203,6 +205,9 @@ async function handleWebhookPost(
   }
 
   if (responses.length === 0) {
+    if (billingBlocked) {
+      return NextResponse.json({ error: API_EXECUTION_REQUIRES_PAID_PLAN_MESSAGE }, { status: 402 })
+    }
     return new NextResponse('No webhooks processed successfully', { status: 500 })
   }
 
diff --git a/apps/sim/app/api/workflows/[id]/execute/response-block.test.ts b/apps/sim/app/api/workflows/[id]/execute/response-block.test.ts
@@ -21,19 +21,19 @@ const {
   mockRegisterLargeValueOwner,
   mockUploadFile,
   uploadedFiles,
-  mockIsApiExecutionEntitled,
+  mockIsWorkspaceApiExecutionEntitled,
 } = vi.hoisted(() => ({
   mockAddLargeValueReference: vi.fn(),
   mockDownloadFile: vi.fn(),
   mockRegisterLargeValueOwner: vi.fn(),
   mockUploadFile: vi.fn(),
   uploadedFiles: new Map<string, Buffer>(),
-  mockIsApiExecutionEntitled: vi.fn().mockResolvedValue(true),
+  mockIsWorkspaceApiExecutionEntitled: vi.fn().mockResolvedValue(true),
 }))
 
 vi.mock('@/lib/billing/core/api-access', () => ({
   API_EXECUTION_REQUIRES_PAID_PLAN_MESSAGE: 'paid plan required',
-  isApiExecutionEntitled: mockIsApiExecutionEntitled,
+  isWorkspaceApiExecutionEntitled: mockIsWorkspaceApiExecutionEntitled,
 }))
 
 const MATERIALIZATION_CONTEXT = {
diff --git a/apps/sim/app/api/workflows/[id]/execute/route.async.test.ts b/apps/sim/app/api/workflows/[id]/execute/route.async.test.ts
@@ -22,17 +22,17 @@ const {
   mockEnqueue,
   mockExecuteWorkflowCore,
   mockHandlePostExecutionPauseState,
-  mockIsApiExecutionEntitled,
+  mockIsWorkspaceApiExecutionEntitled,
 } = vi.hoisted(() => ({
   mockEnqueue: vi.fn().mockResolvedValue('job-123'),
   mockExecuteWorkflowCore: vi.fn(),
   mockHandlePostExecutionPauseState: vi.fn(),
-  mockIsApiExecutionEntitled: vi.fn().mockResolvedValue(true),
+  mockIsWorkspaceApiExecutionEntitled: vi.fn().mockResolvedValue(true),
 }))
 
 vi.mock('@/lib/billing/core/api-access', () => ({
   API_EXECUTION_REQUIRES_PAID_PLAN_MESSAGE: 'paid plan required',
-  isApiExecutionEntitled: mockIsApiExecutionEntitled,
+  isWorkspaceApiExecutionEntitled: mockIsWorkspaceApiExecutionEntitled,
 }))
 
 const mockCheckHybridAuth = hybridAuthMockFns.mockCheckHybridAuth
diff --git a/apps/sim/app/api/workflows/[id]/execute/route.ts b/apps/sim/app/api/workflows/[id]/execute/route.ts
@@ -11,7 +11,7 @@ import { AuthType, checkHybridAuth, hasExternalApiCredentials } from '@/lib/auth
 import { releaseExecutionSlot } from '@/lib/billing/calculations/usage-reservation'
 import {
   API_EXECUTION_REQUIRES_PAID_PLAN_MESSAGE,
-  isApiExecutionEntitled,
+  isWorkspaceApiExecutionEntitled,
 } from '@/lib/billing/core/api-access'
 import { admissionRejectedResponse, tryAdmit } from '@/lib/core/admission/gate'
 import { getJobQueue, shouldExecuteInline } from '@/lib/core/async-jobs'
@@ -400,6 +400,7 @@ async function handleExecutePost(
 
     let userId: string
     let isPublicApiAccess = false
+    let gateWorkspaceId: string | undefined
 
     if (!auth.success || !auth.userId) {
       const hasExplicitCredentials =
@@ -434,15 +435,29 @@ async function handleExecutePost(
 
       userId = wf.userId
       isPublicApiAccess = true
+      gateWorkspaceId = wf.workspaceId
     } else {
       userId = auth.userId
     }
 
-    if (
-      (auth.authType === AuthType.API_KEY || isPublicApiAccess) &&
-      !(await isApiExecutionEntitled(userId))
-    ) {
-      return NextResponse.json({ error: API_EXECUTION_REQUIRES_PAID_PLAN_MESSAGE }, { status: 402 })
+    // Programmatic execution (API key or public API) is gated on the workflow's
+    // workspace billed account — the same entity MCP/A2A/webhooks/chat gate on —
+    // so a paid workspace is never blocked because an individual is on free.
+    if (auth.authType === AuthType.API_KEY || isPublicApiAccess) {
+      if (!gateWorkspaceId) {
+        const [wfRow] = await db
+          .select({ workspaceId: workflowTable.workspaceId })
+          .from(workflowTable)
+          .where(eq(workflowTable.id, workflowId))
+          .limit(1)
+        gateWorkspaceId = wfRow?.workspaceId ?? undefined
+      }
+      if (!(await isWorkspaceApiExecutionEntitled(gateWorkspaceId))) {
+        return NextResponse.json(
+          { error: API_EXECUTION_REQUIRES_PAID_PLAN_MESSAGE },
+          { status: 402 }
+        )
+      }
     }
 
     let body: any = {}
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/components/deploy-modal/deploy-modal.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/components/deploy-modal/deploy-modal.tsx
@@ -158,8 +158,11 @@ export function DeployModal({
   const userPermissions = useUserPermissionsContext()
   const canManageWorkspaceKeys = userPermissions.canAdmin
   const { config: permissionConfig, isPublicApiDisabled } = usePermissionConfig()
-  const { data: subscriptionData } = useSubscriptionData()
-  const gateProgrammaticDeploy = isHosted && isFree(subscriptionData?.data?.plan)
+  const { data: subscriptionData, isLoading: isLoadingSubscription } = useSubscriptionData()
+  // Hold the gate closed until the plan is known — isFree(undefined) is true, so
+  // gating during load would flash the upgrade wall at paid users.
+  const gateProgrammaticDeploy =
+    isHosted && !isLoadingSubscription && isFree(subscriptionData?.data?.plan)
   const { data: apiKeysData, isLoading: isLoadingKeys } = useApiKeys(workflowWorkspaceId || '')
   const { data: workspaceSettingsData, isLoading: isLoadingSettings } = useWorkspaceSettings(
     workflowWorkspaceId || ''
