feat: add api key check in api route

web/src/app/api/run/route.ts

@@ -3,6 +3,7 @@ import { createRun } from "../../../server/createRun";
 import { db } from "@/db/db";
 import { deploymentsTable } from "@/db/schema";
 import { getRunsData } from "@/server/getRunsOutput";
+import { parseJWT } from "@/server/parseJWT";
 import { replaceCDNUrl } from "@/server/resource";
 import { eq } from "drizzle-orm";
 import { NextResponse } from "next/server";
@@ -18,6 +19,14 @@ const Request2 = z.object({
 });
 
 export async function GET(request: Request) {
+  const token = request.headers.get("Authorization")?.split(" ")?.[1]; // Assuming token is sent as "Bearer your_token"
+  const userData = token ? parseJWT(token) : undefined;
+  if (!userData) {
+    return new NextResponse("Invalid or expired token", {
+      status: 401,
+    });
+  }
+
   const [data, error] = await parseDataSafe(Request2, request);
   if (!data || error) return error;
 
@@ -44,6 +53,14 @@ export async function GET(request: Request) {
 }
 
 export async function POST(request: Request) {
+  const token = request.headers.get("Authorization")?.split(" ")?.[1]; // Assuming token is sent as "Bearer your_token"
+  const userData = token ? parseJWT(token) : undefined;
+  if (!userData) {
+    return new NextResponse("Invalid or expired token", {
+      status: 401,
+    });
+  }
+
   const [data, error] = await parseDataSafe(Request, request);
   if (!data || error) return error;
 

web/src/app/api/upload/route.ts

@@ -1,3 +1,4 @@
+import { parseJWT } from "../../../server/parseJWT";
 import { db } from "@/db/db";
 import {
   workflowAPIType,
@@ -7,7 +8,6 @@ import {
 } from "@/db/schema";
 import { parseDataSafe } from "@/lib/parseDataSafe";
 import { sql } from "drizzle-orm";
-import jwt from "jsonwebtoken";
 import { NextResponse } from "next/server";
 import { z } from "zod";
 
@@ -36,24 +36,6 @@ export async function OPTIONS(request: Request) {
   });
 }
 
-const APIKeyBodyRequest = z.object({
-  user_id: z.string().optional(),
-  org_id: z.string().optional(),
-  iat: z.number(),
-});
-
-function parseJWT(token: string) {
-  try {
-    // Verify the token - this also decodes it
-    const decoded = jwt.verify(token, process.env.JWT_SECRET!);
-    return APIKeyBodyRequest.parse(decoded);
-  } catch (err) {
-    // Handle error (token is invalid, expired, etc.)
-    console.error(err);
-    return null;
-  }
-}
-
 export async function POST(request: Request) {
   const token = request.headers.get("Authorization")?.split(" ")?.[1]; // Assuming token is sent as "Bearer your_token"
   const userData = token ? parseJWT(token) : undefined;
@@ -64,8 +46,6 @@ export async function POST(request: Request) {
     });
   }
 
-  console.log(userData);
-
   const { user_id, org_id } = userData;
 
   if (!user_id) return new NextResponse("Invalid user_id", { status: 401 });

web/src/server/APIKeyBodyRequest.ts

@@ -0,0 +1,7 @@
+import { z } from "zod";
+
+export const APIKeyBodyRequest = z.object({
+  user_id: z.string().optional(),
+  org_id: z.string().optional(),
+  iat: z.number(),
+});

web/src/server/parseJWT.ts

@@ -0,0 +1,14 @@
+import { APIKeyBodyRequest } from "@/server/APIKeyBodyRequest";
+import jwt from "jsonwebtoken";
+
+export function parseJWT(token: string) {
+  try {
+    // Verify the token - this also decodes it
+    const decoded = jwt.verify(token, process.env.JWT_SECRET!);
+    return APIKeyBodyRequest.parse(decoded);
+  } catch (err) {
+    // Handle error (token is invalid, expired, etc.)
+    console.error(err);
+    return null;
+  }
+}