@@ -156,6 +156,57 @@ describe('validateWorkflowAccess', () => {
156156 } )
157157 } )
158158
159+ it ( 'returns 403 for workspace api keys scoped to a different workspace' , async ( ) => {
160+ const auth = {
161+ success : true ,
162+ userId : 'user-1' ,
163+ workspaceId : 'ws-2' ,
164+ authType : 'api_key' as const ,
165+ apiKeyType : 'workspace' as const ,
166+ }
167+
168+ mockCheckHybridAuth . mockResolvedValue ( auth )
169+
170+ const result = await validateWorkflowAccess ( createRequest ( ) , WORKFLOW_ID , {
171+ requireDeployment : false ,
172+ action : 'read' ,
173+ } )
174+
175+ expect ( result ) . toEqual ( {
176+ error : {
177+ message : 'Unauthorized: API key does not have access to this workspace' ,
178+ status : 403 ,
179+ } ,
180+ } )
181+ expect ( mockAuthorizeWorkflowByWorkspacePermission ) . not . toHaveBeenCalled ( )
182+ } )
183+
184+ it ( 'allows workspace api keys scoped to the same workspace' , async ( ) => {
185+ const workflow = createWorkflow ( { name : 'Scoped Workflow' } )
186+ const auth = {
187+ success : true ,
188+ userId : 'user-1' ,
189+ workspaceId : WORKSPACE_ID ,
190+ authType : 'api_key' as const ,
191+ apiKeyType : 'workspace' as const ,
192+ }
193+
194+ mockCheckHybridAuth . mockResolvedValue ( auth )
195+ mockGetWorkflowById . mockResolvedValue ( workflow )
196+
197+ const result = await validateWorkflowAccess ( createRequest ( ) , WORKFLOW_ID , {
198+ requireDeployment : false ,
199+ action : 'read' ,
200+ } )
201+
202+ expect ( result ) . toEqual ( { workflow, auth } )
203+ expect ( mockAuthorizeWorkflowByWorkspacePermission ) . toHaveBeenCalledWith ( {
204+ workflowId : WORKFLOW_ID ,
205+ userId : 'user-1' ,
206+ action : 'read' ,
207+ } )
208+ } )
209+
159210 it ( 'returns workflow and auth on success' , async ( ) => {
160211 const workflow = createWorkflow ( { name : 'Test Workflow' } )
161212 const auth = { success : true , userId : 'user-1' , authType : 'session' as const }
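Review bot: The rejection path for workspace-scoped keys is only exercised with a concrete mismatched `workspaceId` ('ws-2'); a key with `apiKeyType: 'workspace'` and no `workspaceId` at all is not covered, and that is exactly the shape where a truthiness guard in validateWorkflowAccess would skip the comparison and fall through to the permission check. A third case pinning that input to the same 403 and `not.toHaveBeenCalled()` would close the gap (adjust the expected message if the implementation distinguishes the two). The first new test also does not arrange `mockGetWorkflowById`, so it presumably relies on a default from a beforeEach outside the hunk; if the implementation loads the workflow before comparing workspaces, making that explicit with `mockGetWorkflowById.mockResolvedValue(createWorkflow())`, as the second test does, avoids the dependence on shared mock state. The enclosing `describe('validateWorkflowAccess')` block starts before and ends after this hunk.
```typescript
it('returns 403 for workspace api keys with no workspaceId', async () => {
  const auth = {
    success: true,
    userId: 'user-1',
    authType: 'api_key' as const,
    apiKeyType: 'workspace' as const,
  }

  mockCheckHybridAuth.mockResolvedValue(auth)

  const result = await validateWorkflowAccess(createRequest(), WORKFLOW_ID, {
    requireDeployment: false,
    action: 'read',
  })

  expect(result).toEqual({
    error: {
      message: 'Unauthorized: API key does not have access to this workspace',
      status: 403,
    },
  })
  expect(mockAuthorizeWorkflowByWorkspacePermission).not.toHaveBeenCalled()
})
```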