fix(security): restrict API key access on internal-only routes #2964
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
waleedlatif1
force-pushed
the
improvement/auth
branch
from
109e193 to
f78659e
Compare
Contributor
Greptile SummaryImplements three-tier authentication strategy to restrict API key access on internal routes:
This security enhancement prevents external API key access to sensitive internal endpoints while maintaining proper access for the executor and UI. Confidence Score: 4/5
Important Files Changed
|
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
Collaborator
Author
|
@greptile |
waleedlatif1
added a commit
that referenced
this pull request
Jan 24, 2026
…2973) * fix(subflows): tag dropdown + resolution logic (#2949) * fix(subflows): tag dropdown + resolution logic * fixes; * revert parallel change * chore(deps): bump posthog-js to 1.334.1 (#2948) * fix(idempotency): add conflict target to atomicallyClaimDb query + remove redundant db namespace tracking (#2950) * fix(idempotency): add conflict target to atomicallyClaimDb query * delete needs to account for namespace * simplify namespace filtering logic * fix cleanup * consistent target * improvement(kb): add document filtering, select all, and React Query migration (#2951) * improvement(kb): add document filtering, select all, and React Query migration * test(kb): update tests for enabledFilter and removed userId params * fix(kb): remove non-null assertion, add explicit guard * improvement(logs): trace span, details (#2952) * improvement(action-bar): ordering * improvement(logs): details, trace span * feat(blog): v0.5 release post (#2953) * feat(blog): v0.5 post * improvement(blog): simplify title and remove code block header - Simplified blog title from "Introducing Sim Studio v0.5" to "Introducing Sim v0.5" - Removed language label header and copy button from code blocks for cleaner appearance Co-Authored-By: Claude Opus 4.5 <[email protected]> * ack PR comments * small styling improvements * created system to create post-specific components * updated componnet * cache invalidation --------- Co-authored-by: Claude Opus 4.5 <[email protected]> * feat(admin): add credits endpoint to issue credits to users (#2954) * feat(admin): add credits endpoint to issue credits to users * fix(admin): use existing credit functions and handle enterprise seats * fix(admin): reject NaN and Infinity in amount validation * styling * fix(admin): validate userId and email are strings * improvement(copilot): fast mode, subagent tool responses and allow preferences (#2955) * Improvements * Fix actions mapping * Remove console logs * fix(billing): handle missing userStats and prevent crashes (#2956) * fix(billing): handle missing userStats and prevent crashes * fix(billing): correct import path for getFilledPillColor * fix(billing): add Number.isFinite check to lastPeriodCost * fix(logs): refresh logic to refresh logs details (#2958) * fix(security): add authentication and input validation to API routes (#2959) * fix(security): add authentication and input validation to API routes * moved utils * remove extraneous commetns * removed unused dep * improvement(helm): add internal ingress support and same-host path consolidation (#2960) * improvement(helm): add internal ingress support and same-host path consolidation * improvement(helm): clean up ingress template comments Simplify verbose inline Helm comments and section dividers to match the minimal style used in services.yaml. Co-Authored-By: Claude Opus 4.5 <[email protected]> * fix(helm): add missing copilot path consolidation for realtime host When copilot.host equals realtime.host but differs from app.host, copilot paths were not being routed. Added logic to consolidate copilot paths into the realtime rule for this scenario. Co-Authored-By: Claude Opus 4.5 <[email protected]> * improvement(helm): follow ingress best practices - Remove orphan comments that appeared when services were disabled - Add documentation about path ordering requirements - Paths rendered in order: realtime, copilot, app (specific before catch-all) - Clean template output matching industry Helm chart standards --------- Co-authored-by: Claude Opus 4.5 <[email protected]> * feat(blog): enterprise post (#2961) * feat(blog): enterprise post * added more images, styling * more content * updated v0-5 post * remove unused transition --------- Co-authored-by: Vikhyath Mondreti <[email protected]> * fix(envvars): resolution standardized (#2957) * fix(envvars): resolution standardized * remove comments * address bugbot * fix highlighting for env vars * remove comments * address greptile * address bugbot * fix(copilot): mask credentials fix (#2963) * Fix copilot masking * Clean up * Lint * improvement(webhooks): remove dead code (#2965) * fix(webhooks): subscription recreation path * improvement(webhooks): remove dead code * fix tests * address bugbot comments * fix restoration edge case * fix more edge cases * address bugbot comments * fix gmail polling * add warnings for UI indication for credential sets * fix(preview): subblock values (#2969) * fix(child-workflow): nested spans handoff (#2966) * fix(child-workflow): nested spans handoff * remove overly defensive programming * update type check * type more code * remove more dead code * address bugbot comments * fix(security): restrict API key access on internal-only routes (#2964) * fix(security): restrict API key access on internal-only routes * test(security): update function execute tests for checkInternalAuth * updated agent handler * move session check higher in checkSessionOrInternalAuth * extracted duplicate code into helper for resolving user from jwt * fix(copilot): update copilot chat title (#2968) * fix(hitl): fix condition blocks after hitl (#2967) * fix(notes): ghost edges (#2970) * fix(notes): ghost edges * fix deployed state fallback * fallback * remove UI level checks * annotation missing from autoconnect source check * improvement(docs): loop and parallel var reference syntax (#2975) * fix(blog): slash actions description (#2976) * improvement(docs): loop and parallel var reference syntax * fix(blog): slash actions description * fix(auth): copilot routes (#2977) * Fix copilot auth * Fix * Fix * Fix * fix(copilot): fix edit summary for loops/parallels (#2978) * fix(integrations): hide from tool bar (#2544) * fix(landing): ui (#2979) * fix(edge-validation): race condition on collaborative add (#2980) * fix(variables): boolean type support and input improvements (#2981) * fix(variables): boolean type support and input improvements * fix formatting --------- Co-authored-by: Vikhyath Mondreti <[email protected]> Co-authored-by: Emir Karabeg <[email protected]> Co-authored-by: Claude Opus 4.5 <[email protected]> Co-authored-by: Siddharth Ganesan <[email protected]> Co-authored-by: Vikhyath Mondreti <[email protected]>
waleedlatif1
added a commit
that referenced
this pull request
Jan 24, 2026
…2973) * fix(subflows): tag dropdown + resolution logic (#2949) * fix(subflows): tag dropdown + resolution logic * fixes; * revert parallel change * chore(deps): bump posthog-js to 1.334.1 (#2948) * fix(idempotency): add conflict target to atomicallyClaimDb query + remove redundant db namespace tracking (#2950) * fix(idempotency): add conflict target to atomicallyClaimDb query * delete needs to account for namespace * simplify namespace filtering logic * fix cleanup * consistent target * improvement(kb): add document filtering, select all, and React Query migration (#2951) * improvement(kb): add document filtering, select all, and React Query migration * test(kb): update tests for enabledFilter and removed userId params * fix(kb): remove non-null assertion, add explicit guard * improvement(logs): trace span, details (#2952) * improvement(action-bar): ordering * improvement(logs): details, trace span * feat(blog): v0.5 release post (#2953) * feat(blog): v0.5 post * improvement(blog): simplify title and remove code block header - Simplified blog title from Introducing Sim Studio v0.5 to Introducing Sim v0.5 - Removed language label header and copy button from code blocks for cleaner appearance Co-Authored-By: Claude Opus 4.5 <[email protected]> * ack PR comments * small styling improvements * created system to create post-specific components * updated componnet * cache invalidation --------- Co-authored-by: Claude Opus 4.5 <[email protected]> * feat(admin): add credits endpoint to issue credits to users (#2954) * feat(admin): add credits endpoint to issue credits to users * fix(admin): use existing credit functions and handle enterprise seats * fix(admin): reject NaN and Infinity in amount validation * styling * fix(admin): validate userId and email are strings * improvement(copilot): fast mode, subagent tool responses and allow preferences (#2955) * Improvements * Fix actions mapping * Remove console logs * fix(billing): handle missing userStats and prevent crashes (#2956) * fix(billing): handle missing userStats and prevent crashes * fix(billing): correct import path for getFilledPillColor * fix(billing): add Number.isFinite check to lastPeriodCost * fix(logs): refresh logic to refresh logs details (#2958) * fix(security): add authentication and input validation to API routes (#2959) * fix(security): add authentication and input validation to API routes * moved utils * remove extraneous commetns * removed unused dep * improvement(helm): add internal ingress support and same-host path consolidation (#2960) * improvement(helm): add internal ingress support and same-host path consolidation * improvement(helm): clean up ingress template comments Simplify verbose inline Helm comments and section dividers to match the minimal style used in services.yaml. Co-Authored-By: Claude Opus 4.5 <[email protected]> * fix(helm): add missing copilot path consolidation for realtime host When copilot.host equals realtime.host but differs from app.host, copilot paths were not being routed. Added logic to consolidate copilot paths into the realtime rule for this scenario. Co-Authored-By: Claude Opus 4.5 <[email protected]> * improvement(helm): follow ingress best practices - Remove orphan comments that appeared when services were disabled - Add documentation about path ordering requirements - Paths rendered in order: realtime, copilot, app (specific before catch-all) - Clean template output matching industry Helm chart standards --------- Co-authored-by: Claude Opus 4.5 <[email protected]> * feat(blog): enterprise post (#2961) * feat(blog): enterprise post * added more images, styling * more content * updated v0-5 post * remove unused transition --------- Co-authored-by: Vikhyath Mondreti <[email protected]> * fix(envvars): resolution standardized (#2957) * fix(envvars): resolution standardized * remove comments * address bugbot * fix highlighting for env vars * remove comments * address greptile * address bugbot * fix(copilot): mask credentials fix (#2963) * Fix copilot masking * Clean up * Lint * improvement(webhooks): remove dead code (#2965) * fix(webhooks): subscription recreation path * improvement(webhooks): remove dead code * fix tests * address bugbot comments * fix restoration edge case * fix more edge cases * address bugbot comments * fix gmail polling * add warnings for UI indication for credential sets * fix(preview): subblock values (#2969) * fix(child-workflow): nested spans handoff (#2966) * fix(child-workflow): nested spans handoff * remove overly defensive programming * update type check * type more code * remove more dead code * address bugbot comments * fix(security): restrict API key access on internal-only routes (#2964) * fix(security): restrict API key access on internal-only routes * test(security): update function execute tests for checkInternalAuth * updated agent handler * move session check higher in checkSessionOrInternalAuth * extracted duplicate code into helper for resolving user from jwt * fix(copilot): update copilot chat title (#2968) * fix(hitl): fix condition blocks after hitl (#2967) * fix(notes): ghost edges (#2970) * fix(notes): ghost edges * fix deployed state fallback * fallback * remove UI level checks * annotation missing from autoconnect source check * improvement(docs): loop and parallel var reference syntax (#2975) * fix(blog): slash actions description (#2976) * improvement(docs): loop and parallel var reference syntax * fix(blog): slash actions description * fix(auth): copilot routes (#2977) * Fix copilot auth * Fix * Fix * Fix * fix(copilot): fix edit summary for loops/parallels (#2978) * fix(integrations): hide from tool bar (#2544) * fix(landing): ui (#2979) * fix(edge-validation): race condition on collaborative add (#2980) * fix(variables): boolean type support and input improvements (#2981) * fix(variables): boolean type support and input improvements * fix formatting --------- Co-authored-by: Vikhyath Mondreti <[email protected]> Co-authored-by: Emir Karabeg <[email protected]> Co-authored-by: Claude Opus 4.5 <[email protected]> Co-authored-by: Siddharth Ganesan <[email protected]> Co-authored-by: Vikhyath Mondreti <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
checkInternalAuthandcheckSessionOrInternalAuthfunctions to enforce route-specific authcheckInternalAuth(executor-only, blocks API key access)/api/function/executeand/api/providersto internal-only authcheckSessionOrInternalAuth(UI + executor, no API keys)Type of Change
Testing
Tested manually - TypeScript compiles without errors
Checklist