fix(copilot): fix image auth

[Sg312]

Summary

Fixes copilot image auth

Type of Change

• Bug fix

Testing

Manual

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
docs	Skipped			Nov 7, 2025 7:39pm

[greptile-apps]

Greptile Overview

Greptile Summary

Fixed copilot image authorization by ensuring uploaded files include the context prefix in their storage keys and correcting the authorization logic to prevent misidentification of copilot files as execution files.

Key Changes

• Upload key generation (upload/route.ts): Copilot, chat, and profile-picture uploads now generate storage keys with the context prefix (e.g., copilot/timestamp-filename) using preserveKey and customKey options, ensuring inferContextFromKey can correctly identify the file context
• Authorization logic fix (authorization.ts): Modified execution file check to only run when context is not explicitly provided (!context && isExecutionFile(...)), preventing copilot files from being incorrectly routed to execution file verification
• Enhanced error logging (authorization.ts): Improved error logging across all authorization functions to include error messages, stack traces, and error types for better debugging

Root Cause

Before this fix, copilot image uploads were failing authorization because:

1. Storage keys were generated without the copilot/ prefix
2. The authorization flow couldn't infer the correct context from the key
3. Files were incorrectly being checked as execution files, leading to authorization failures

Confidence Score: 4/5

• Safe to merge after removing the debug console.log statement
• The core authorization fix is well-implemented and addresses a real bug. The storage key generation now correctly prefixes keys with the context, and the authorization logic properly checks for explicit context. However, the PR contains a console.log debug statement that must be removed before merging.
• apps/sim/app/api/copilot/chat/route.ts - Remove debug console.log on line 328

Important Files Changed

File Analysis

Filename	Score	Overview
apps/sim/app/api/copilot/chat/route.ts	4/5	Added debug console.log statement that should be removed before merging
apps/sim/app/api/files/authorization.ts	5/5	Fixed context checking logic for execution files and improved error logging throughout authorization functions
apps/sim/app/api/files/upload/route.ts	5/5	Fixed storage key generation for copilot/chat/profile-pictures uploads to include context prefix and timestamp

Sequence Diagram

sequenceDiagram
    participant Client
    participant UploadAPI as /api/files/upload
    participant StorageService
    participant ChatAPI as /api/copilot/chat
    participant CopilotFiles
    participant AuthZ as authorization.ts
    participant Database

    Note over Client,Database: Copilot Image Upload Flow

    Client->>UploadAPI: POST file (context=copilot)
    UploadAPI->>UploadAPI: Generate storageKey<br/>(copilot/timestamp-filename)
    UploadAPI->>StorageService: uploadFile(storageKey, metadata)
    StorageService->>Database: Store file metadata (userId)
    StorageService-->>UploadAPI: fileInfo with key
    UploadAPI-->>Client: Return file path & key

    Note over Client,Database: Copilot Chat with Image Attachment

    Client->>ChatAPI: POST message with fileAttachments
    ChatAPI->>CopilotFiles: processCopilotAttachments(attachments)
    CopilotFiles->>AuthZ: verifyFileAccess(key, userId, context='copilot')
    
    alt Context explicitly provided
        AuthZ->>AuthZ: inferredContext = 'copilot'
        AuthZ->>AuthZ: Skip execution file check
    else No context (legacy)
        AuthZ->>AuthZ: Check if execution file
    end
    
    AuthZ->>Database: getFileMetadataByKey(key, 'copilot')
    Database-->>AuthZ: fileRecord with userId
    AuthZ->>AuthZ: Verify userId matches
    AuthZ-->>CopilotFiles: Access granted
    
    CopilotFiles->>StorageService: downloadFile(key)
    StorageService-->>CopilotFiles: File buffer
    CopilotFiles-->>ChatAPI: Processed attachments
    ChatAPI->>ChatAPI: Create file content (base64)
    ChatAPI-->>Client: Stream response with attachments

Loading

_{3 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}