fix(auth): copilot routes #2977
Merged
+1
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
Contributor
Greptile SummaryThis PR fixes authentication for the function execute endpoint by switching from
Confidence Score: 5/5
Important Files Changed
Sequence DiagramsequenceDiagram
actor User as User/Copilot
participant UI as Browser UI
participant API as /api/copilot/execute-tool
participant Execute as /api/function/execute
User->>UI: Triggers copilot code execution
UI->>API: POST (with session cookie)
activate API
Note over API: Validates session auth<br/>(getSession())
API->>Execute: POST (with internal JWT)
deactivate API
activate Execute
Note over Execute: NEW: checkSessionOrInternalAuth<br/>- Accepts session auth<br/>- Accepts internal JWT<br/>- Rejects API keys
Execute-->>API: Success response
deactivate Execute
API-->>UI: Tool execution result
UI-->>User: Display result
|
waleedlatif1
added a commit
that referenced
this pull request
Jan 24, 2026
…2973) * fix(subflows): tag dropdown + resolution logic (#2949) * fix(subflows): tag dropdown + resolution logic * fixes; * revert parallel change * chore(deps): bump posthog-js to 1.334.1 (#2948) * fix(idempotency): add conflict target to atomicallyClaimDb query + remove redundant db namespace tracking (#2950) * fix(idempotency): add conflict target to atomicallyClaimDb query * delete needs to account for namespace * simplify namespace filtering logic * fix cleanup * consistent target * improvement(kb): add document filtering, select all, and React Query migration (#2951) * improvement(kb): add document filtering, select all, and React Query migration * test(kb): update tests for enabledFilter and removed userId params * fix(kb): remove non-null assertion, add explicit guard * improvement(logs): trace span, details (#2952) * improvement(action-bar): ordering * improvement(logs): details, trace span * feat(blog): v0.5 release post (#2953) * feat(blog): v0.5 post * improvement(blog): simplify title and remove code block header - Simplified blog title from "Introducing Sim Studio v0.5" to "Introducing Sim v0.5" - Removed language label header and copy button from code blocks for cleaner appearance Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * ack PR comments * small styling improvements * created system to create post-specific components * updated componnet * cache invalidation --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> * feat(admin): add credits endpoint to issue credits to users (#2954) * feat(admin): add credits endpoint to issue credits to users * fix(admin): use existing credit functions and handle enterprise seats * fix(admin): reject NaN and Infinity in amount validation * styling * fix(admin): validate userId and email are strings * improvement(copilot): fast mode, subagent tool responses and allow preferences (#2955) * Improvements * Fix actions mapping * Remove console logs * fix(billing): handle missing userStats and prevent crashes (#2956) * fix(billing): handle missing userStats and prevent crashes * fix(billing): correct import path for getFilledPillColor * fix(billing): add Number.isFinite check to lastPeriodCost * fix(logs): refresh logic to refresh logs details (#2958) * fix(security): add authentication and input validation to API routes (#2959) * fix(security): add authentication and input validation to API routes * moved utils * remove extraneous commetns * removed unused dep * improvement(helm): add internal ingress support and same-host path consolidation (#2960) * improvement(helm): add internal ingress support and same-host path consolidation * improvement(helm): clean up ingress template comments Simplify verbose inline Helm comments and section dividers to match the minimal style used in services.yaml. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(helm): add missing copilot path consolidation for realtime host When copilot.host equals realtime.host but differs from app.host, copilot paths were not being routed. Added logic to consolidate copilot paths into the realtime rule for this scenario. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * improvement(helm): follow ingress best practices - Remove orphan comments that appeared when services were disabled - Add documentation about path ordering requirements - Paths rendered in order: realtime, copilot, app (specific before catch-all) - Clean template output matching industry Helm chart standards --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> * feat(blog): enterprise post (#2961) * feat(blog): enterprise post * added more images, styling * more content * updated v0-5 post * remove unused transition --------- Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai> * fix(envvars): resolution standardized (#2957) * fix(envvars): resolution standardized * remove comments * address bugbot * fix highlighting for env vars * remove comments * address greptile * address bugbot * fix(copilot): mask credentials fix (#2963) * Fix copilot masking * Clean up * Lint * improvement(webhooks): remove dead code (#2965) * fix(webhooks): subscription recreation path * improvement(webhooks): remove dead code * fix tests * address bugbot comments * fix restoration edge case * fix more edge cases * address bugbot comments * fix gmail polling * add warnings for UI indication for credential sets * fix(preview): subblock values (#2969) * fix(child-workflow): nested spans handoff (#2966) * fix(child-workflow): nested spans handoff * remove overly defensive programming * update type check * type more code * remove more dead code * address bugbot comments * fix(security): restrict API key access on internal-only routes (#2964) * fix(security): restrict API key access on internal-only routes * test(security): update function execute tests for checkInternalAuth * updated agent handler * move session check higher in checkSessionOrInternalAuth * extracted duplicate code into helper for resolving user from jwt * fix(copilot): update copilot chat title (#2968) * fix(hitl): fix condition blocks after hitl (#2967) * fix(notes): ghost edges (#2970) * fix(notes): ghost edges * fix deployed state fallback * fallback * remove UI level checks * annotation missing from autoconnect source check * improvement(docs): loop and parallel var reference syntax (#2975) * fix(blog): slash actions description (#2976) * improvement(docs): loop and parallel var reference syntax * fix(blog): slash actions description * fix(auth): copilot routes (#2977) * Fix copilot auth * Fix * Fix * Fix * fix(copilot): fix edit summary for loops/parallels (#2978) * fix(integrations): hide from tool bar (#2544) * fix(landing): ui (#2979) * fix(edge-validation): race condition on collaborative add (#2980) * fix(variables): boolean type support and input improvements (#2981) * fix(variables): boolean type support and input improvements * fix formatting --------- Co-authored-by: Vikhyath Mondreti <vikhyathvikku@gmail.com> Co-authored-by: Emir Karabeg <78010029+emir-karabeg@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Siddharth Ganesan <33737564+Sg312@users.noreply.github.com> Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai>
waleedlatif1
added a commit
that referenced
this pull request
Jan 24, 2026
…2973) * fix(subflows): tag dropdown + resolution logic (#2949) * fix(subflows): tag dropdown + resolution logic * fixes; * revert parallel change * chore(deps): bump posthog-js to 1.334.1 (#2948) * fix(idempotency): add conflict target to atomicallyClaimDb query + remove redundant db namespace tracking (#2950) * fix(idempotency): add conflict target to atomicallyClaimDb query * delete needs to account for namespace * simplify namespace filtering logic * fix cleanup * consistent target * improvement(kb): add document filtering, select all, and React Query migration (#2951) * improvement(kb): add document filtering, select all, and React Query migration * test(kb): update tests for enabledFilter and removed userId params * fix(kb): remove non-null assertion, add explicit guard * improvement(logs): trace span, details (#2952) * improvement(action-bar): ordering * improvement(logs): details, trace span * feat(blog): v0.5 release post (#2953) * feat(blog): v0.5 post * improvement(blog): simplify title and remove code block header - Simplified blog title from Introducing Sim Studio v0.5 to Introducing Sim v0.5 - Removed language label header and copy button from code blocks for cleaner appearance Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * ack PR comments * small styling improvements * created system to create post-specific components * updated componnet * cache invalidation --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> * feat(admin): add credits endpoint to issue credits to users (#2954) * feat(admin): add credits endpoint to issue credits to users * fix(admin): use existing credit functions and handle enterprise seats * fix(admin): reject NaN and Infinity in amount validation * styling * fix(admin): validate userId and email are strings * improvement(copilot): fast mode, subagent tool responses and allow preferences (#2955) * Improvements * Fix actions mapping * Remove console logs * fix(billing): handle missing userStats and prevent crashes (#2956) * fix(billing): handle missing userStats and prevent crashes * fix(billing): correct import path for getFilledPillColor * fix(billing): add Number.isFinite check to lastPeriodCost * fix(logs): refresh logic to refresh logs details (#2958) * fix(security): add authentication and input validation to API routes (#2959) * fix(security): add authentication and input validation to API routes * moved utils * remove extraneous commetns * removed unused dep * improvement(helm): add internal ingress support and same-host path consolidation (#2960) * improvement(helm): add internal ingress support and same-host path consolidation * improvement(helm): clean up ingress template comments Simplify verbose inline Helm comments and section dividers to match the minimal style used in services.yaml. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(helm): add missing copilot path consolidation for realtime host When copilot.host equals realtime.host but differs from app.host, copilot paths were not being routed. Added logic to consolidate copilot paths into the realtime rule for this scenario. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * improvement(helm): follow ingress best practices - Remove orphan comments that appeared when services were disabled - Add documentation about path ordering requirements - Paths rendered in order: realtime, copilot, app (specific before catch-all) - Clean template output matching industry Helm chart standards --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> * feat(blog): enterprise post (#2961) * feat(blog): enterprise post * added more images, styling * more content * updated v0-5 post * remove unused transition --------- Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai> * fix(envvars): resolution standardized (#2957) * fix(envvars): resolution standardized * remove comments * address bugbot * fix highlighting for env vars * remove comments * address greptile * address bugbot * fix(copilot): mask credentials fix (#2963) * Fix copilot masking * Clean up * Lint * improvement(webhooks): remove dead code (#2965) * fix(webhooks): subscription recreation path * improvement(webhooks): remove dead code * fix tests * address bugbot comments * fix restoration edge case * fix more edge cases * address bugbot comments * fix gmail polling * add warnings for UI indication for credential sets * fix(preview): subblock values (#2969) * fix(child-workflow): nested spans handoff (#2966) * fix(child-workflow): nested spans handoff * remove overly defensive programming * update type check * type more code * remove more dead code * address bugbot comments * fix(security): restrict API key access on internal-only routes (#2964) * fix(security): restrict API key access on internal-only routes * test(security): update function execute tests for checkInternalAuth * updated agent handler * move session check higher in checkSessionOrInternalAuth * extracted duplicate code into helper for resolving user from jwt * fix(copilot): update copilot chat title (#2968) * fix(hitl): fix condition blocks after hitl (#2967) * fix(notes): ghost edges (#2970) * fix(notes): ghost edges * fix deployed state fallback * fallback * remove UI level checks * annotation missing from autoconnect source check * improvement(docs): loop and parallel var reference syntax (#2975) * fix(blog): slash actions description (#2976) * improvement(docs): loop and parallel var reference syntax * fix(blog): slash actions description * fix(auth): copilot routes (#2977) * Fix copilot auth * Fix * Fix * Fix * fix(copilot): fix edit summary for loops/parallels (#2978) * fix(integrations): hide from tool bar (#2544) * fix(landing): ui (#2979) * fix(edge-validation): race condition on collaborative add (#2980) * fix(variables): boolean type support and input improvements (#2981) * fix(variables): boolean type support and input improvements * fix formatting --------- Co-authored-by: Vikhyath Mondreti <vikhyathvikku@gmail.com> Co-authored-by: Emir Karabeg <78010029+emir-karabeg@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Siddharth Ganesan <33737564+Sg312@users.noreply.github.com> Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Make function execute use check session or internal auth since copilot tool calls originate from the client
Type of Change
Testing
Manual
Checklist