fix(ratelimits): enterprise and team checks should be pooled limit (#1255)

* fix(ratelimits): enterprise and team checks should be pooled limit"

* fix

* fix dynamic imports

* fix tests"
;

Author: icecrasher321

apps/sim/app/api/schedules/execute/route.ts

@@ -4,6 +4,7 @@ import { NextResponse } from 'next/server'
 import { v4 as uuidv4 } from 'uuid'
 import { z } from 'zod'
 import { checkServerSideUsageLimits } from '@/lib/billing'
+import { getHighestPrioritySubscription } from '@/lib/billing/core/subscription'
 import { getPersonalAndWorkspaceEnv } from '@/lib/environment/utils'
 import { createLogger } from '@/lib/logs/console/logger'
 import { LoggingSession } from '@/lib/logs/execution/logging-session'
@@ -18,7 +19,7 @@ import { decryptSecret } from '@/lib/utils'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/db-helpers'
 import { updateWorkflowRunCounts } from '@/lib/workflows/utils'
 import { db } from '@/db'
-import { subscription, userStats, workflow, workflowSchedule } from '@/db/schema'
+import { userStats, workflow, workflowSchedule } from '@/db/schema'
 import { Executor } from '@/executor'
 import { Serializer } from '@/serializer'
 import { RateLimiter } from '@/services/queue'
@@ -108,19 +109,15 @@ export async function GET() {
           continue
         }
 
-        // Check rate limits for scheduled execution
-        const [subscriptionRecord] = await db
-          .select({ plan: subscription.plan })
-          .from(subscription)
-          .where(eq(subscription.referenceId, workflowRecord.userId))
-          .limit(1)
+        // Check rate limits for scheduled execution (checks both personal and org subscriptions)
+        const userSubscription = await getHighestPrioritySubscription(workflowRecord.userId)
 
-        const subscriptionPlan = (subscriptionRecord?.plan || 'free') as SubscriptionPlan
+        const subscriptionPlan = (userSubscription?.plan || 'free') as SubscriptionPlan
 
         const rateLimiter = new RateLimiter()
-        const rateLimitCheck = await rateLimiter.checkRateLimit(
+        const rateLimitCheck = await rateLimiter.checkRateLimitWithSubscription(
           workflowRecord.userId,
-          subscriptionPlan,
+          userSubscription,
           'schedule',
           false // schedules are always sync
         )

apps/sim/app/api/users/me/rate-limit/route.ts

@@ -1,10 +1,11 @@
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
+import { getHighestPrioritySubscription } from '@/lib/billing/core/subscription'
 import { createLogger } from '@/lib/logs/console/logger'
 import { createErrorResponse } from '@/app/api/workflows/utils'
 import { db } from '@/db'
-import { apiKey as apiKeyTable, subscription } from '@/db/schema'
+import { apiKey as apiKeyTable } from '@/db/schema'
 import { RateLimiter } from '@/services/queue'
 
 const logger = createLogger('RateLimitAPI')
@@ -33,31 +34,22 @@ export async function GET(request: NextRequest) {
       return createErrorResponse('Authentication required', 401)
     }
 
-    const [subscriptionRecord] = await db
-      .select({ plan: subscription.plan })
-      .from(subscription)
-      .where(eq(subscription.referenceId, authenticatedUserId))
-      .limit(1)
-
-    const subscriptionPlan = (subscriptionRecord?.plan || 'free') as
-      | 'free'
-      | 'pro'
-      | 'team'
-      | 'enterprise'
+    // Get user subscription (checks both personal and org subscriptions)
+    const userSubscription = await getHighestPrioritySubscription(authenticatedUserId)
 
     const rateLimiter = new RateLimiter()
     const isApiAuth = !session?.user?.id
     const triggerType = isApiAuth ? 'api' : 'manual'
 
-    const syncStatus = await rateLimiter.getRateLimitStatus(
+    const syncStatus = await rateLimiter.getRateLimitStatusWithSubscription(
       authenticatedUserId,
-      subscriptionPlan,
+      userSubscription,
       triggerType,
       false
     )
-    const asyncStatus = await rateLimiter.getRateLimitStatus(
+    const asyncStatus = await rateLimiter.getRateLimitStatusWithSubscription(
       authenticatedUserId,
-      subscriptionPlan,
+      userSubscription,
       triggerType,
       true
     )

apps/sim/app/api/webhooks/trigger/[path]/route.ts

@@ -2,6 +2,7 @@ import { tasks } from '@trigger.dev/sdk'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkServerSideUsageLimits } from '@/lib/billing'
+import { getHighestPrioritySubscription } from '@/lib/billing/core/subscription'
 import { env, isTruthy } from '@/lib/env'
 import { createLogger } from '@/lib/logs/console/logger'
 import {
@@ -11,7 +12,7 @@ import {
 } from '@/lib/webhooks/utils'
 import { executeWebhookJob } from '@/background/webhook-execution'
 import { db } from '@/db'
-import { subscription, webhook, workflow } from '@/db/schema'
+import { webhook, workflow } from '@/db/schema'
 import { RateLimiter } from '@/services/queue'
 import type { SubscriptionPlan } from '@/services/queue/types'
 
@@ -249,21 +250,17 @@ export async function POST(
   // --- PHASE 3: Rate limiting for webhook execution ---
   let isEnterprise = false
   try {
-    // Get user subscription for rate limiting
-    const [subscriptionRecord] = await db
-      .select({ plan: subscription.plan })
-      .from(subscription)
-      .where(eq(subscription.referenceId, foundWorkflow.userId))
-      .limit(1)
+    // Get user subscription for rate limiting (checks both personal and org subscriptions)
+    const userSubscription = await getHighestPrioritySubscription(foundWorkflow.userId)
 
-    const subscriptionPlan = (subscriptionRecord?.plan || 'free') as SubscriptionPlan
+    const subscriptionPlan = (userSubscription?.plan || 'free') as SubscriptionPlan
     isEnterprise = subscriptionPlan === 'enterprise'
 
     // Check async rate limits (webhooks are processed asynchronously)
     const rateLimiter = new RateLimiter()
-    const rateLimitCheck = await rateLimiter.checkRateLimit(
+    const rateLimitCheck = await rateLimiter.checkRateLimitWithSubscription(
       foundWorkflow.userId,
-      subscriptionPlan,
+      userSubscription,
       'webhook',
       true // isAsync = true for webhook execution
     )

apps/sim/app/api/workflows/[id]/execute/route.test.ts

@@ -46,6 +46,11 @@ describe('Workflow Execution API Route', () => {
           remaining: 10,
           resetAt: new Date(),
         }),
+        checkRateLimitWithSubscription: vi.fn().mockResolvedValue({
+          allowed: true,
+          remaining: 10,
+          resetAt: new Date(),
+        }),
       })),
       RateLimitError: class RateLimitError extends Error {
         constructor(
@@ -66,6 +71,13 @@ describe('Workflow Execution API Route', () => {
       }),
     }))
 
+    vi.doMock('@/lib/billing/core/subscription', () => ({
+      getHighestPrioritySubscription: vi.fn().mockResolvedValue({
+        plan: 'free',
+        referenceId: 'user-id',
+      }),
+    }))
+
     vi.doMock('@/db/schema', () => ({
       subscription: {
         plan: 'plan',

apps/sim/app/api/workflows/[id]/execute/route.ts

@@ -5,6 +5,7 @@ import { v4 as uuidv4 } from 'uuid'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { checkServerSideUsageLimits } from '@/lib/billing'
+import { getHighestPrioritySubscription } from '@/lib/billing/core/subscription'
 import { getPersonalAndWorkspaceEnv } from '@/lib/environment/utils'
 import { createLogger } from '@/lib/logs/console/logger'
 import { LoggingSession } from '@/lib/logs/execution/logging-session'
@@ -19,7 +20,7 @@ import {
 import { validateWorkflowAccess } from '@/app/api/workflows/middleware'
 import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
 import { db } from '@/db'
-import { subscription, userStats } from '@/db/schema'
+import { userStats } from '@/db/schema'
 import { Executor } from '@/executor'
 import { Serializer } from '@/serializer'
 import {
@@ -374,19 +375,15 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
     try {
       // Check rate limits BEFORE entering queue for GET requests
       if (triggerType === 'api') {
-        // Get user subscription
-        const [subscriptionRecord] = await db
-          .select({ plan: subscription.plan })
-          .from(subscription)
-          .where(eq(subscription.referenceId, validation.workflow.userId))
-          .limit(1)
+        // Get user subscription (checks both personal and org subscriptions)
+        const userSubscription = await getHighestPrioritySubscription(validation.workflow.userId)
 
-        const subscriptionPlan = (subscriptionRecord?.plan || 'free') as SubscriptionPlan
+        const subscriptionPlan = (userSubscription?.plan || 'free') as SubscriptionPlan
 
         const rateLimiter = new RateLimiter()
-        const rateLimitCheck = await rateLimiter.checkRateLimit(
+        const rateLimitCheck = await rateLimiter.checkRateLimitWithSubscription(
           validation.workflow.userId,
-          subscriptionPlan,
+          userSubscription,
           triggerType,
           false // isAsync = false for sync calls
         )
@@ -505,20 +502,17 @@ export async function POST(
       return createErrorResponse('Authentication required', 401)
     }
 
-    const [subscriptionRecord] = await db
-      .select({ plan: subscription.plan })
-      .from(subscription)
-      .where(eq(subscription.referenceId, authenticatedUserId))
-      .limit(1)
+    // Get user subscription (checks both personal and org subscriptions)
+    const userSubscription = await getHighestPrioritySubscription(authenticatedUserId)
 
-    const subscriptionPlan = (subscriptionRecord?.plan || 'free') as SubscriptionPlan
+    const subscriptionPlan = (userSubscription?.plan || 'free') as SubscriptionPlan
 
     if (isAsync) {
       try {
         const rateLimiter = new RateLimiter()
-        const rateLimitCheck = await rateLimiter.checkRateLimit(
+        const rateLimitCheck = await rateLimiter.checkRateLimitWithSubscription(
           authenticatedUserId,
-          subscriptionPlan,
+          userSubscription,
           'api',
           true // isAsync = true
         )
@@ -580,9 +574,9 @@ export async function POST(
 
     try {
       const rateLimiter = new RateLimiter()
-      const rateLimitCheck = await rateLimiter.checkRateLimit(
+      const rateLimitCheck = await rateLimiter.checkRateLimitWithSubscription(
         authenticatedUserId,
-        subscriptionPlan,
+        userSubscription,
         triggerType,
         false // isAsync = false for sync calls
       )

apps/sim/db/migrations/0084_even_lockheed.sql

@@ -0,0 +1,2 @@
+ALTER TABLE "user_rate_limits" RENAME COLUMN "user_id" TO "reference_id";--> statement-breakpoint
+ALTER TABLE "user_rate_limits" DROP CONSTRAINT "user_rate_limits_user_id_user_id_fk";