fix(auth): swap out hybrid auth in relevant callsites

[icecrasher321]

Summary

• Move away from checkHybridAuth to narrowing auth functions.
• Fix logs sidepanel url to be our serve route url

Type of Change

• Other: Security

Testing

Tested manually

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Feb 7, 2026 5:54am

[greptile-apps]

Greptile Overview

Greptile Summary

Replaced checkHybridAuth with more specific auth functions across 23 API routes to implement stricter access control:

• Auth function changes: Routes now use checkSessionOrInternalAuth (allows session or internal JWT, rejects API keys) or checkInternalAuth (only allows internal JWT from executor)
• Memory and file parsing routes: Now use checkInternalAuth for executor-only access, preventing direct user API calls
• A2A, file operations, and OAuth routes: Use checkSessionOrInternalAuth to allow UI and executor access while blocking API keys
• Knowledge base tag definitions: Removed redundant API key check now handled by auth function
• Frontend file download: Always uses internal /api/files/serve/ route instead of falling back to file.url

The changes correctly narrow authentication methods based on each endpoint's security requirements, improving the principle of least privilege.

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The changes are systematic and correct, replacing generic auth with more specific functions that properly restrict access. The auth logic is well-tested (evident from existing test files), and the changes follow clear security patterns: executor-only routes use checkInternalAuth, UI+executor routes use checkSessionOrInternalAuth, and public API routes (not changed) keep checkHybridAuth
• No files require special attention

Important Files Changed

Filename	Overview
apps/sim/lib/auth/credential-access.ts	Updated to use checkSessionOrInternalAuth instead of checkHybridAuth, correctly removing API key support
apps/sim/app/api/files/parse/route.ts	Correctly changed to checkInternalAuth for executor-only access
apps/sim/app/api/memory/route.ts	Correctly changed to checkInternalAuth for executor-only memory access
apps/sim/app/api/knowledge/[id]/tag-definitions/route.ts	Changed to checkSessionOrInternalAuth and removed redundant API key check
apps/sim/app/workspace/[workspaceId]/logs/components/log-details/components/file-download/file-download.tsx	Removed file.url fallback logic and always uses internal serve route

Sequence Diagram

sequenceDiagram
    participant Client
    participant APIRoute
    participant AuthMiddleware
    participant AuthVerifier
    
    Note over Client,AuthVerifier: Scenario 1: checkHybridAuth (Before PR)
    Client->>APIRoute: Request with credentials
    APIRoute->>AuthMiddleware: checkHybridAuth()
    AuthMiddleware->>AuthVerifier: Check JWT token
    alt JWT valid
        AuthVerifier-->>AuthMiddleware: JWT verified
    else JWT invalid
        AuthMiddleware->>AuthVerifier: Check session cookie
        alt Session valid
            AuthVerifier-->>AuthMiddleware: Session verified
        else Session invalid
            AuthMiddleware->>AuthVerifier: Check API key header
            AuthVerifier-->>AuthMiddleware: API key verified or fail
        end
    end
    AuthMiddleware-->>APIRoute: Auth result
    APIRoute-->>Client: Response
    
    Note over Client,AuthVerifier: Scenario 2: checkSessionOrInternalAuth (After PR)
    Client->>APIRoute: Request with credentials
    APIRoute->>AuthMiddleware: checkSessionOrInternalAuth()
    AuthMiddleware->>AuthVerifier: Check for API key header
    alt API key detected
        AuthMiddleware-->>APIRoute: Reject with error
        APIRoute-->>Client: 401 Unauthorized
    else No API key
        AuthMiddleware->>AuthVerifier: Check JWT token
        alt JWT valid
            AuthVerifier-->>AuthMiddleware: JWT verified
            AuthMiddleware-->>APIRoute: Success
        else JWT invalid
            AuthMiddleware->>AuthVerifier: Check session cookie
            alt Session valid
                AuthVerifier-->>AuthMiddleware: Session verified
                AuthMiddleware-->>APIRoute: Success
            else All failed
                AuthMiddleware-->>APIRoute: Reject
            end
        end
        APIRoute-->>Client: Response
    end
    
    Note over Client,AuthVerifier: Scenario 3: checkInternalAuth (After PR)
    Client->>APIRoute: Request to memory/parse endpoint
    APIRoute->>AuthMiddleware: checkInternalAuth()
    AuthMiddleware->>AuthVerifier: Check for API key or session
    alt API key or session detected
        AuthMiddleware-->>APIRoute: Reject immediately
        APIRoute-->>Client: 401 Unauthorized
    else Only JWT present
        AuthMiddleware->>AuthVerifier: Verify JWT token
        alt JWT valid
            AuthVerifier-->>AuthMiddleware: JWT verified
            AuthMiddleware-->>APIRoute: Success
        else JWT invalid
            AuthMiddleware-->>APIRoute: Reject
        end
        APIRoute-->>Client: Response
    end

Loading

[greptile-apps]

_{5 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[icecrasher321]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

[icecrasher321]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

[icecrasher321]

@cursor review

[icecrasher321]

@cursor review

[icecrasher321]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR