simstudioai
diff --git a/‎apps/sim/app/api/users/me/api-keys/route.ts‎
Lines changed: 24 additions & 3 deletions b/‎apps/sim/app/api/users/me/api-keys/route.ts‎
Lines changed: 24 additions & 3 deletions
diff --git a/‎apps/sim/app/api/v1/auth.ts‎
Lines changed: 81 additions & 15 deletions b/‎apps/sim/app/api/v1/auth.ts‎
Lines changed: 81 additions & 15 deletions
diff --git a/‎apps/sim/app/api/workflows/[id]/deploy/route.ts‎
Lines changed: 48 additions & 6 deletions b/‎apps/sim/app/api/workflows/[id]/deploy/route.ts‎
Lines changed: 48 additions & 6 deletions
diff --git a/‎apps/sim/app/api/workflows/middleware.ts‎
Lines changed: 39 additions & 4 deletions b/‎apps/sim/app/api/workflows/middleware.ts‎
Lines changed: 39 additions & 4 deletions
@@ -1,4 +1,4 @@
-import { eq } from 'drizzle-orm'
+import { and, eq } from 'drizzle-orm'
 import { nanoid } from 'nanoid'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
@@ -57,11 +57,32 @@ export async function POST(request: NextRequest) {
     const body = await request.json()
 
     // Validate the request
-    const { name } = body
-    if (!name || typeof name !== 'string') {
+    const { name: rawName } = body
+    if (!rawName || typeof rawName !== 'string') {
       return NextResponse.json({ error: 'Invalid request. Name is required.' }, { status: 400 })
     }
 
+    const name = rawName.trim()
+    if (!name) {
+      return NextResponse.json({ error: 'Name cannot be empty.' }, { status: 400 })
+    }
+
+    // Check if a key with this name already exists for the user
+    const existingKey = await db
+      .select()
+      .from(apiKey)
+      .where(and(eq(apiKey.userId, userId), eq(apiKey.name, name)))
+      .limit(1)
+
+    if (existingKey.length > 0) {
+      return NextResponse.json(
+        {
+          error: `A personal API key named "${name}" already exists. Please choose a different name.`,
+        },
+        { status: 409 }
+      )
+    }
+
     const keyValue = generateApiKey()
 
     // Insert the new API key
 
@@ -2,17 +2,22 @@ import { eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { createLogger } from '@/lib/logs/console/logger'
 import { db } from '@/db'
-import { apiKey as apiKeyTable } from '@/db/schema'
+import { apiKey as apiKeyTable, workflow, workspace, workspaceApiKey } from '@/db/schema'
 
 const logger = createLogger('V1Auth')
 
 export interface AuthResult {
   authenticated: boolean
   userId?: string
+  workspaceId?: string
+  keyType?: 'personal' | 'workspace'
   error?: string
 }
 
-export async function authenticateApiKey(request: NextRequest): Promise<AuthResult> {
+export async function authenticateApiKey(
+  request: NextRequest,
+  workflowId?: string
+): Promise<AuthResult> {
   const apiKey = request.headers.get('x-api-key')
 
   if (!apiKey) {
@@ -23,7 +28,8 @@ export async function authenticateApiKey(request: NextRequest): Promise<AuthResu
   }
 
   try {
-    const [keyRecord] = await db
+    // First, check personal API keys
+    const [personalKey] = await db
       .select({
         userId: apiKeyTable.userId,
         expiresAt: apiKeyTable.expiresAt,
@@ -32,27 +38,87 @@ export async function authenticateApiKey(request: NextRequest): Promise<AuthResu
       .where(eq(apiKeyTable.key, apiKey))
       .limit(1)
 
-    if (!keyRecord) {
-      logger.warn('Invalid API key attempted', { keyPrefix: apiKey.slice(0, 8) })
+    if (personalKey) {
+      if (personalKey.expiresAt && personalKey.expiresAt < new Date()) {
+        logger.warn('Expired personal API key attempted', { userId: personalKey.userId })
+        return {
+          authenticated: false,
+          error: 'API key expired',
+        }
+      }
+
+      await db.update(apiKeyTable).set({ lastUsed: new Date() }).where(eq(apiKeyTable.key, apiKey))
+
       return {
-        authenticated: false,
-        error: 'Invalid API key',
+        authenticated: true,
+        userId: personalKey.userId,
+        keyType: 'personal',
       }
     }
 
-    if (keyRecord.expiresAt && keyRecord.expiresAt < new Date()) {
-      logger.warn('Expired API key attempted', { userId: keyRecord.userId })
+    // If not found in personal keys, check workspace API keys
+    const [workspaceKey] = await db
+      .select({
+        workspaceId: workspaceApiKey.workspaceId,
+        expiresAt: workspaceApiKey.expiresAt,
+        workspaceOwnerId: workspace.ownerId,
+      })
+      .from(workspaceApiKey)
+      .leftJoin(workspace, eq(workspaceApiKey.workspaceId, workspace.id))
+      .where(eq(workspaceApiKey.key, apiKey))
+      .limit(1)
+
+    if (workspaceKey) {
+      if (workspaceKey.expiresAt && workspaceKey.expiresAt < new Date()) {
+        logger.warn('Expired workspace API key attempted', {
+          workspaceId: workspaceKey.workspaceId,
+        })
+        return {
+          authenticated: false,
+          error: 'API key expired',
+        }
+      }
+
+      // If a workflowId is provided, verify that the workflow belongs to this workspace
+      if (workflowId) {
+        const [workflowRecord] = await db
+          .select({
+            workspaceId: workflow.workspaceId,
+          })
+          .from(workflow)
+          .where(eq(workflow.id, workflowId))
+          .limit(1)
+
+        if (!workflowRecord || workflowRecord.workspaceId !== workspaceKey.workspaceId) {
+          logger.warn('Workspace API key attempted to access workflow from different workspace', {
+            workspaceId: workspaceKey.workspaceId,
+            workflowId,
+            workflowWorkspaceId: workflowRecord?.workspaceId,
+          })
+          return {
+            authenticated: false,
+            error: 'API key not authorized for this workflow',
+          }
+        }
+      }
+
+      await db
+        .update(workspaceApiKey)
+        .set({ lastUsed: new Date() })
+        .where(eq(workspaceApiKey.key, apiKey))
+
       return {
-        authenticated: false,
-        error: 'API key expired',
+        authenticated: true,
+        userId: workspaceKey.workspaceOwnerId!, // Workspace owner is the effective user
+        workspaceId: workspaceKey.workspaceId,
+        keyType: 'workspace',
       }
     }
 
-    await db.update(apiKeyTable).set({ lastUsed: new Date() }).where(eq(apiKeyTable.key, apiKey))
-
+    logger.warn('Invalid API key attempted', { keyPrefix: apiKey.slice(0, 8) })
     return {
-      authenticated: true,
-      userId: keyRecord.userId,
+      authenticated: false,
+      error: 'Invalid API key',
     }
   } catch (error) {
     logger.error('API key authentication error', { error })
 
@@ -6,7 +6,14 @@ import { generateApiKey, generateRequestId } from '@/lib/utils'
 import { validateWorkflowAccess } from '@/app/api/workflows/middleware'
 import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
 import { db } from '@/db'
-import { apiKey, workflow, workflowBlocks, workflowEdges, workflowSubflows } from '@/db/schema'
+import {
+  apiKey,
+  workflow,
+  workflowBlocks,
+  workflowEdges,
+  workflowSubflows,
+  workspaceApiKey,
+} from '@/db/schema'
 
 const logger = createLogger('WorkflowDeployAPI')
 
@@ -313,15 +320,41 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       userKey = userApiKey[0].key
     }
 
-    // If client provided a specific API key and it belongs to the user, prefer it
+    // If client provided a specific API key, check if it's either personal or workspace key
     if (providedApiKey) {
-      const [owned] = await db
+      // First check personal API keys
+      const [personalOwned] = await db
         .select({ key: apiKey.key })
         .from(apiKey)
         .where(and(eq(apiKey.userId, userId), eq(apiKey.key, providedApiKey)))
         .limit(1)
-      if (owned) {
+
+      if (personalOwned) {
         userKey = providedApiKey
+      } else {
+        // Check workspace API keys - get the workflow's workspace ID
+        const [workflowData] = await db
+          .select({ workspaceId: workflow.workspaceId })
+          .from(workflow)
+          .where(eq(workflow.id, id))
+          .limit(1)
+
+        if (workflowData) {
+          const [workspaceOwned] = await db
+            .select({ key: workspaceApiKey.key })
+            .from(workspaceApiKey)
+            .where(
+              and(
+                eq(workspaceApiKey.workspaceId, workflowData.workspaceId),
+                eq(workspaceApiKey.key, providedApiKey)
+              )
+            )
+            .limit(1)
+
+          if (workspaceOwned) {
+            userKey = providedApiKey
+          }
+        }
       }
     }
 
@@ -338,13 +371,22 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
 
     await db.update(workflow).set(updateData).where(eq(workflow.id, id))
 
-    // Update lastUsed for the key we returned
+    // Update lastUsed for the key we returned (try both personal and workspace keys)
     if (userKey) {
       try {
-        await db
+        // First try to update personal API key
+        const personalResult = await db
           .update(apiKey)
           .set({ lastUsed: new Date(), updatedAt: new Date() })
           .where(eq(apiKey.key, userKey))
+
+        // If no personal key was updated, try workspace API key
+        if (!personalResult || personalResult.rowCount === 0) {
+          await db
+            .update(workspaceApiKey)
+            .set({ lastUsed: new Date(), updatedAt: new Date() })
+            .where(eq(workspaceApiKey.key, userKey))
+        }
       } catch (e) {
         logger.warn(`[${requestId}] Failed to update lastUsed for api key`)
       }
 
@@ -3,7 +3,7 @@ import type { NextRequest } from 'next/server'
 import { createLogger } from '@/lib/logs/console/logger'
 import { getWorkflowById } from '@/lib/workflows/utils'
 import { db } from '@/db'
-import { apiKey } from '@/db/schema'
+import { apiKey, workspace, workspaceApiKey } from '@/db/schema'
 
 const logger = createLogger('WorkflowMiddleware')
 
@@ -67,21 +67,56 @@ export async function validateWorkflowAccess(
           }
         }
       } else {
-        // Otherwise, verify the key belongs to the workflow owner
-        const [owned] = await db
+        // Check both personal API keys and workspace API keys
+
+        // First, check personal API keys belonging to the workflow owner
+        const [personalKey] = await db
           .select({ key: apiKey.key })
           .from(apiKey)
           .where(and(eq(apiKey.userId, workflow.userId), eq(apiKey.key, apiKeyHeader)))
           .limit(1)
 
-        if (!owned) {
+        // If not found in personal keys, check workspace API keys
+        let workspaceKey = null
+        if (!personalKey) {
+          const [wsKey] = await db
+            .select({
+              key: workspaceApiKey.key,
+              workspaceId: workspaceApiKey.workspaceId,
+              workspaceOwnerId: workspace.ownerId,
+            })
+            .from(workspaceApiKey)
+            .leftJoin(workspace, eq(workspaceApiKey.workspaceId, workspace.id))
+            .where(
+              and(
+                eq(workspaceApiKey.key, apiKeyHeader),
+                eq(workspace.id, workflow.workspaceId) // Key must belong to the same workspace as the workflow
+              )
+            )
+            .limit(1)
+
+          workspaceKey = wsKey
+        }
+
+        // If neither personal nor workspace key is valid, reject
+        if (!personalKey && !workspaceKey) {
           return {
             error: {
               message: 'Unauthorized: Invalid API key',
               status: 401,
             },
           }
         }
+
+        // Update last used for the key that was found
+        if (personalKey) {
+          await db.update(apiKey).set({ lastUsed: new Date() }).where(eq(apiKey.key, apiKeyHeader))
+        } else if (workspaceKey) {
+          await db
+            .update(workspaceApiKey)
+            .set({ lastUsed: new Date() })
+            .where(eq(workspaceApiKey.key, apiKeyHeader))
+        }
       }
     }
     return { workflow }