fix(api-service): Environment ID organization check

[scopsy]

What changed? Why was the change needed?

This change introduces a validation mechanism for the environmentId when it's provided as a query parameter to the getWorkflow endpoint.

Previously, a custom environmentId from the query parameter would directly override the user's session environmentId. This could lead to unauthorized access or incorrect data retrieval if the provided environmentId did not belong to the user's organization.

Now, if a custom environmentId is passed and differs from the session's environmentId, the system verifies that this custom environmentId belongs to the current user's organization. If the environment is not found within the organization, a NotFoundException is thrown, enhancing security and data integrity.

Specifically:

• The GetWorkflowCommand now includes an optional environmentId field.
• The WorkflowController passes the query environmentId to the command as this new, separate field.
• The GetWorkflowUseCase injects EnvironmentRepository to perform the necessary validation.

Screenshots

---

Slack Thread

 

[cursor]

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
_{Learn more about Cursor Agents}

[netlify]

✅ Deploy Preview for dashboard-v2-novu-staging canceled.

Name	Link
🔨 Latest commit	09f076a
🔍 Latest deploy log	https://app.netlify.com/projects/dashboard-v2-novu-staging/deploys/6996d2cc0a4c790008cd65cf

[github-actions]

Hey there and thank you for opening this pull request! 👋

We require pull request titles to follow specific formatting rules and it looks like your proposed title needs to be adjusted.

Your PR title is: fix(api-service): Environment ID organization check

Requirements:

1. Follow the Conventional Commits specification
2. As a team member, include Linear ticket ID at the end: fixes TICKET-ID or include it in your branch name

Expected format: feat(scope): Add fancy new feature fixes NOV-123

Details:

PR title must end with 'fixes TICKET-ID' (e.g., 'fixes NOV-123') or include ticket ID in branch name

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

This change introduces environment awareness to the workflow retrieval flow. The GetWorkflowCommand now accepts an optional environmentId parameter alongside the existing workflowIdOrInternalId. The GetWorkflowUseCase gains an EnvironmentRepository dependency and implements logic to validate and resolve the effective environment ID. When an explicit environment ID is provided that differs from the user's environment, the system verifies the environment exists through the repository. The controller is updated to pass environment ID as a separate field rather than mutating the user object. The resolved environment ID flows through the workflow retrieval process.

Tip

Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}