fix(oauth): webhook + oauthblocks in workflow (#979)

icecrasher321 · web-flow · commit 9f02f88bf50b · 2025-08-15T13:07:46.000-07:00
* fix(oauth): webhook + oauthblocks in workflow

* propagate workflow id

* requireWorkflowId for internal can be false
diff --git a/apps/sim/app/api/auth/oauth/token/route.ts b/apps/sim/app/api/auth/oauth/token/route.ts
@@ -28,7 +28,12 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ error: 'Credential ID is required' }, { status: 400 })
     }
 
-    const authz = await authorizeCredentialUse(request, { credentialId, workflowId })
+    // We already have workflowId from the parsed body; avoid forcing hybrid auth to re-read it
+    const authz = await authorizeCredentialUse(request, {
+      credentialId,
+      workflowId,
+      requireWorkflowIdForInternal: false,
+    })
     if (!authz.ok || !authz.credentialOwnerUserId) {
       return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
     }
diff --git a/apps/sim/public/.well-known/microsoft-identity-association b/apps/sim/public/.well-known/microsoft-identity-association
diff --git a/apps/sim/tools/index.ts b/apps/sim/tools/index.ts
@@ -1,3 +1,4 @@
+import { generateInternalToken } from '@/lib/auth/internal'
 import { createLogger } from '@/lib/logs/console/logger'
 import { getBaseUrl } from '@/lib/urls/utils'
 import type { ExecutionContext } from '@/executor/types'
@@ -116,18 +117,37 @@ export async function executeTool(
           credentialId: contextParams.credential,
         }
 
-        // Add workflowId if it exists in params or context
-        const workflowId = contextParams.workflowId || contextParams._context?.workflowId
+        // Add workflowId if it exists in params, context, or executionContext
+        const workflowId =
+          contextParams.workflowId ||
+          contextParams._context?.workflowId ||
+          executionContext?.workflowId
         if (workflowId) {
           tokenPayload.workflowId = workflowId
         }
 
         logger.info(`[${requestId}] Fetching access token from ${baseUrl}/api/auth/oauth/token`)
 
-        const tokenUrl = new URL('/api/auth/oauth/token', baseUrl).toString()
-        const response = await fetch(tokenUrl, {
+        // Build token URL and also include workflowId in query so server auth can read it
+        const tokenUrlObj = new URL('/api/auth/oauth/token', baseUrl)
+        if (workflowId) {
+          tokenUrlObj.searchParams.set('workflowId', workflowId)
+        }
+
+        // Always send Content-Type; add internal auth on server-side runs
+        const tokenHeaders: Record<string, string> = { 'Content-Type': 'application/json' }
+        if (typeof window === 'undefined') {
+          try {
+            const internalToken = await generateInternalToken()
+            tokenHeaders.Authorization = `Bearer ${internalToken}`
+          } catch (_e) {
+            // Swallow token generation errors; the request will fail and be reported upstream
+          }
+        }
+
+        const response = await fetch(tokenUrlObj.toString(), {
           method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
+          headers: tokenHeaders,
           body: JSON.stringify(tokenPayload),
         })
 

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,12 @@ export async function POST(request: NextRequest) {`
`28`	`28`	`return NextResponse.json({ error: 'Credential ID is required' }, { status: 400 })`
`29`	`29`	`}`
`30`	`30`
`31`		`- const authz = await authorizeCredentialUse(request, { credentialId, workflowId })`
	`31`	`+ // We already have workflowId from the parsed body; avoid forcing hybrid auth to re-read it`
	`32`	`+ const authz = await authorizeCredentialUse(request, {`
	`33`	`+ credentialId,`
	`34`	`+ workflowId,`
	`35`	`+ requireWorkflowIdForInternal: false,`
	`36`	`+ })`
`32`	`37`	`if (!authz.ok \|\| !authz.credentialOwnerUserId) {`
`33`	`38`	`return NextResponse.json({ error: authz.error \|\| 'Unauthorized' }, { status: 403 })`
`34`	`39`	`}`