fix(auth): add session and user-id checks to authorize-params endpoint

waleedlatif1 · waleedlatif1 · commit 312e545cf113 · 2026-02-20T13:43:50.000-08:00
diff --git a/apps/sim/app/api/auth/oauth2/authorize-params/route.ts b/apps/sim/app/api/auth/oauth2/authorize-params/route.ts
@@ -3,13 +3,19 @@ import { verification } from '@sim/db/schema'
 import { eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
+import { getSession } from '@/lib/auth'
 
 /**
  * Returns the original OAuth authorize parameters stored in the verification record
  * for a given consent code. Used by the consent page to reconstruct the authorize URL
  * when switching accounts.
  */
 export async function GET(request: NextRequest) {
+  const session = await getSession()
+  if (!session?.user) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
   const consentCode = request.nextUrl.searchParams.get('consent_code')
   if (!consentCode) {
     return NextResponse.json({ error: 'consent_code is required' }, { status: 400 })
@@ -29,12 +35,17 @@ export async function GET(request: NextRequest) {
     clientId: string
     redirectURI: string
     scope: string[]
+    userId: string
     codeChallenge: string
     codeChallengeMethod: string
     state: string | null
     nonce: string | null
   }
 
+  if (data.userId !== session.user.id) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+  }
+
   return NextResponse.json({
     client_id: data.clientId,
     redirect_uri: data.redirectURI,
