lint

simstudioai · waleedlatif1 · Mar 28, 2026 · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026
commit c52698da829342a022943ce5b28bbed4cb147f5d
diff --git a/apps/sim/app/api/copilot/training/examples/route.ts b/apps/sim/app/api/copilot/training/examples/route.ts
@@ -1,6 +1,10 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import {
+  authenticateCopilotRequestSessionOnly,
+  createUnauthorizedResponse,
+} from '@/lib/copilot/request-helpers'
 import { env } from '@/lib/core/config/env'
 
 const logger = createLogger('CopilotTrainingExamplesAPI')
@@ -16,6 +20,11 @@ const TrainingExampleSchema = z.object({
 })
 
 export async function POST(request: NextRequest) {
+  const { userId, isAuthenticated } = await authenticateCopilotRequestSessionOnly()
+  if (!isAuthenticated || !userId) {
+    return createUnauthorizedResponse()
+  }
+
   const baseUrl = env.AGENT_INDEXER_URL
   if (!baseUrl) {
     logger.error('Missing AGENT_INDEXER_URL environment variable')

diff --git a/apps/sim/app/api/copilot/training/route.ts b/apps/sim/app/api/copilot/training/route.ts
@@ -1,6 +1,10 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import {
+  authenticateCopilotRequestSessionOnly,
+  createUnauthorizedResponse,
+} from '@/lib/copilot/request-helpers'
 import { env } from '@/lib/core/config/env'
 
 const logger = createLogger('CopilotTrainingAPI')
@@ -22,6 +26,11 @@ const TrainingDataSchema = z.object({
 })
 
 export async function POST(request: NextRequest) {
+  const { userId, isAuthenticated } = await authenticateCopilotRequestSessionOnly()
+  if (!isAuthenticated || !userId) {
+    return createUnauthorizedResponse()
+  }
+
   try {
     const baseUrl = env.AGENT_INDEXER_URL
     if (!baseUrl) {

diff --git a/apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts b/apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts
@@ -62,8 +62,7 @@ export async function GET(
     }
 
     // Verify caller is either an org member or the invitee
-    const isInvitee =
-      session.user.email?.toLowerCase() === orgInvitation.email.toLowerCase()
+    const isInvitee = session.user.email?.toLowerCase() === orgInvitation.email.toLowerCase()
 
     if (!isInvitee) {
       const memberEntry = await db

diff --git a/apps/sim/app/api/workflows/middleware.ts b/apps/sim/app/api/workflows/middleware.ts
@@ -6,7 +6,6 @@ import {
   updateApiKeyLastUsed,
 } from '@/lib/api-key/service'
 import { type AuthResult, checkHybridAuth } from '@/lib/auth/hybrid'
-import { env } from '@/lib/core/config/env'
 import { authorizeWorkflowByWorkspacePermission, getWorkflowById } from '@/lib/workflows/utils'
 
 const logger = createLogger('WorkflowMiddleware')
@@ -81,11 +80,6 @@ export async function validateWorkflowAccess(
         }
       }
 
-      const internalSecret = request.headers.get('X-Internal-Secret')
-      if (env.INTERNAL_API_SECRET && internalSecret === env.INTERNAL_API_SECRET) {
-        return { workflow }
-      }
-
       let apiKeyHeader = null
       for (const [key, value] of request.headers.entries()) {
         if (key.toLowerCase() === 'x-api-key' && value) {

diff --git a/apps/sim/lib/auth/hybrid.ts b/apps/sim/lib/auth/hybrid.ts
@@ -25,7 +25,7 @@ const BEARER_PREFIX = 'Bearer '
 export function hasExternalApiCredentials(headers: Headers): boolean {
   if (headers.has(API_KEY_HEADER)) return true
   const auth = headers.get('authorization')
-  return auth !== null && auth.startsWith(BEARER_PREFIX)
+  return auth?.startsWith(BEARER_PREFIX)
 }
 
 export interface AuthResult {

diff --git a/bun.lock b/bun.lock