fix: add pagination to GET /api/workflows to prevent memory exhaustion

[MaxwellCalkin]

Summary

Fixes #3435

The GET /api/workflows endpoint currently fetches all workflows for a user or workspace without any LIMIT clause in the database query. As workspaces scale up and accumulate thousands of workflows, this forces the database to dump every row into server memory at once, risking Node.js OOM crashes, freezing the client browser when parsing the massive JSON payload, and acting as an unintentional DoS vector.

Changes

Backend (apps/sim/app/api/workflows/route.ts):

• Accept optional limit (default 200, max 500) and offset (default 0) query params
• Run a parallel COUNT(*) query alongside the paginated SELECT for total count
• Return pagination metadata (total, limit, offset, hasMore) in the response
• Follows the same pattern already used by GET /api/v1/admin/workspaces/[id]/workflows

Frontend (3 callers updated):

• hooks/queries/workflows.ts — main workflow list fetch
• hooks/queries/workflow-mcp-servers.ts — deployed workflows fetch
• app/workspace/[workspaceId]/w/hooks/use-export-workspace.ts — workspace export

All three callers now use a shared fetchAllPages() utility that loops through pages until hasMore is false, so existing behavior is preserved while the backend is protected from unbounded queries.

Tests (apps/sim/app/api/workflows/route.test.ts):

• Added 4 new tests covering pagination metadata, custom limit/offset, max limit clamping, and empty workspace response

Backward Compatibility

• Clients that don't pass limit/offset get the first 200 results with hasMore indicating whether more exist
• The data array format is unchanged — only pagination is added alongside it
• The frontend automatically fetches all pages, so users see no behavior change

AI Disclosure: This PR was authored by an AI (Claude Opus 4.6, Anthropic). I am pursuing employment as an AI contributor — transparently, not impersonating a human.

Test plan

• All 6 tests pass (2 existing POST tests + 4 new GET pagination tests)
• Biome lint/format passes on all changed files
• Manual: Create a workspace, verify workflows load correctly with default pagination
• Manual: Verify workspace export still includes all workflows across pages
• Manual: Verify MCP server workflow list still shows deployed workflows

🤖 Generated with Claude Code

[cursor]

PR Summary

Medium Risk
Changes the semantics and shape of a widely-used API response (defaulting to 200 items) and adds extra DB queries (COUNT) which could impact performance or break any un-migrated callers.

Overview
Prevents unbounded workflow fetches by adding limit/offset (default 200, max 500) to GET /api/workflows, running a parallel COUNT(*), and returning pagination metadata (total, limit, offset, hasMore). Empty no-workspace results now also include pagination.

Frontend consumers that previously fetched all workflows in one call now use a shared fetchAllPages() helper to retrieve all pages for workspace export and workflow/deployed-workflow queries. Tests were expanded to cover pagination metadata, custom params, max-limit clamping, and empty responses.

^{Written by Cursor Bugbot for commit d960465. This will update automatically on new commits. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Mar 9, 2026 6:27am

[greptile-apps]

Greptile Summary

This PR adds server-side pagination to GET /api/workflows to prevent unbounded memory usage, and introduces a shared fetchAllPages utility that transparently re-assembles all pages on the frontend so existing callers see no behavior change.

Key changes:

• route.ts: Accepts limit (default 200, max 500) and offset query params; runs a parallel COUNT(*) alongside the paginated SELECT and returns a pagination envelope.
• paginated-fetch.ts: New fetchAllPages<T> utility that loops through pages until hasMore is false.
• Three callers (workflows.ts, workflow-mcp-servers.ts, use-export-workspace.ts) updated to use fetchAllPages.
• Four new GET pagination tests added.

Critical issues to address:

• route.ts (lines 36–40): Non-numeric limit/offset query params (e.g., ?limit=abc) produce NaN via Number('abc'), which bypasses clamping and causes a database error. Add Number.isFinite() validation.
• paginated-fetch.ts (lines 16–32): The while (true) loop has no maximum-iteration guard—a misbehaving API that always returns hasMore: true will loop indefinitely. Also, json.data is spread without a null/undefined check, which will throw if the response omits the field.
• route.test.ts (lines 199–210): The Proxy-based mock chain does not capture arguments to .limit() and .offset(), so the tests confirm response shape but cannot detect if pagination params are actually forwarded to DB queries.

Confidence Score: 1/5

• Multiple critical issues block merging: NaN validation bug causes 500 errors on malformed params; unbounded loop risks infinite requests; missing null check on json.data causes crashes.
• The PR implements pagination correctly in concept, but three critical issues must be fixed before merge:

1. NaN validation bug (route.ts, lines 36–40): Non-numeric query params bypass validation and cause database 500 errors — a production bug affecting any client passing ?limit=abc.

2. Unbounded pagination loop (paginated-fetch.ts, lines 16–32): No iteration cap means a misbehaving API always returning hasMore: true will loop indefinitely, exhausting memory or hitting timeouts.

3. Missing null check (paginated-fetch.ts, lines 23–25): If the API omits the data field, spreading undefined throws a TypeError, crashing the frontend.

Test coverage also has a gap: assertions verify response shape but not whether pagination params actually reach the database.

All three backend issues must be fixed; the test improvement is strongly recommended.

• • apps/sim/app/api/workflows/route.ts — NaN validation required
• apps/sim/hooks/queries/utils/paginated-fetch.ts — Unbounded loop guard + null check required
• apps/sim/app/api/workflows/route.test.ts — Test coverage improvement recommended

Important Files Changed

Filename	Overview
apps/sim/app/api/workflows/route.ts	Adds paginated GET handler with parallel COUNT + SELECT. Contains a critical NaN validation bug: passing non-numeric limit/offset params (e.g., ?limit=abc) returns NaN from Number(), which propagates unchanged through Math.max/min and causes a database-level 500 error instead of graceful rejection. Requires immediate Number.isFinite() validation.
apps/sim/hooks/queries/utils/paginated-fetch.ts	New shared pagination utility with a critical flaw: the while (true) loop has no iteration cap. A misbehaving API that always returns hasMore: true will loop indefinitely. Additionally, json.data is spread without checking for null/undefined, causing a TypeError if the response omits the field. Both issues must be fixed.
apps/sim/app/api/workflows/route.test.ts	Adds 4 GET pagination tests covering main happy paths. The Proxy-based mock chain confirms response shape is correct but does not capture arguments passed to .limit() and .offset(), so the tests cannot detect if pagination parameters are actually forwarded to Drizzle. Suggest adding spies to capture these calls for stronger assertions.
apps/sim/hooks/queries/workflows.ts	Straightforward replacement of single-fetch pattern with fetchAllPages. No issues found.
apps/sim/hooks/queries/workflow-mcp-servers.ts	Updated to use fetchAllPages for deployed workflows. No issues found.
apps/sim/app/workspace/[workspaceId]/w/hooks/use-export-workspace.ts	Export hook updated to use fetchAllPages for fetching all workflows across pages. No issues found.

Sequence Diagram

sequenceDiagram
    participant C as Client (fetchAllPages)
    participant API as GET /api/workflows
    participant DB as Database

    loop until hasMore = false
        C->>API: GET /api/workflows?workspaceId=ws-1&limit=200&offset=N
        API->>API: Parse & validate limit / offset
        API->>API: checkSessionOrInternalAuth
        API->>API: verifyWorkspaceMembership

        par Parallel queries
            API->>DB: SELECT COUNT(*) WHERE workspaceId = ws-1
            DB-->>API: total
        and
            API->>DB: SELECT * WHERE workspaceId = ws-1 ORDER BY ... LIMIT 200 OFFSET N
            DB-->>API: rows
        end

        API-->>C: { data: [...], pagination: { total, limit, offset, hasMore } }

        alt hasMore = true
            C->>C: offset += pageSize
        else hasMore = false
            C->>C: return allItems
        end
    end

Loading

_{Last reviewed commit: be9c5df}

[greptile-apps]

Non-numeric limit/offset query params will cause a 500 error instead of being rejected gracefully.

When a client passes ?limit=abc, Number('abc') returns NaN, which propagates through Math.max and Math.min unchanged (both return NaN when given NaN as input). Drizzle then receives NaN for the LIMIT clause, causing a database error.

Add validation to ensure both params are finite numbers before clamping:

Suggested change

	const limit = Math.min(
	Math.max(1, rawLimit ? Number(rawLimit) : DEFAULT_PAGE_LIMIT),
	MAX_PAGE_LIMIT
	)
	const offset = Math.max(0, rawOffset ? Number(rawOffset) : 0)
	const rawLimit = url.searchParams.get('limit')
	const rawOffset = url.searchParams.get('offset')
	const parsedLimit = rawLimit !== null ? Number(rawLimit) : DEFAULT_PAGE_LIMIT
	const parsedOffset = rawOffset !== null ? Number(rawOffset) : 0
	const limit = Number.isFinite(parsedLimit)
	? Math.min(Math.max(1, parsedLimit), MAX_PAGE_LIMIT)
	: DEFAULT_PAGE_LIMIT
	const offset = Number.isFinite(parsedOffset) ? Math.max(0, parsedOffset) : 0

[greptile-apps]

Two reliability issues in the pagination loop:

1. Unbounded loop: If the server misbehaves and always returns hasMore: true, this will make unbounded HTTP requests until the tab crashes. No iteration cap exists.

2. Missing null check: json.data is spread without validation. If the API response omits the data field (due to a stale deployment, bug, or intermediate error response), allItems.push(...undefined) throws a TypeError.

Suggested change

	while (true) {
	const response = await fetch(`${baseUrl}${separator}limit=${pageSize}&offset=${offset}`)
	if (!response.ok) {
	throw new Error(`Failed to fetch from ${baseUrl}: ${response.statusText}`)
	}
	const json = await response.json()
	const data: T[] = json.data
	allItems.push(...data)
	if (!json.pagination?.hasMore) {
	break
	}
	offset += pageSize
	}
	const MAX_PAGES = 100
	let pages = 0
	while (pages < MAX_PAGES) {
	pages++
	const response = await fetch(`${baseUrl}${separator}limit=${pageSize}&offset=${offset}`)
	if (!response.ok) {
	throw new Error(`Failed to fetch from ${baseUrl}: ${response.statusText}`)
	}
	const json = await response.json()
	const data: T[] = Array.isArray(json.data) ? json.data : []
	allItems.push(...data)
	if (!json.pagination?.hasMore) {
	break
	}
	offset += pageSize
	}

[greptile-apps]

The Proxy-based mock doesn't capture arguments passed to .limit() and .offset(). This means the tests confirm the response shape is correct but don't verify that the actual pagination parameters were forwarded to the database queries.

For example, if the route silently ignored the limit param and always used the default, the test would still pass (if the mock data happens to be the right size). Consider capturing these arguments to add stronger assertions:

Suggested change

	function buildSelectChain(resolvedValues: unknown[]) {
	const chain: Record<string, unknown> = {}
	const self = new Proxy(chain, {
	get(_target, prop) {
	if (prop === 'then') {
	return (resolve: (v: unknown) => void) => resolve(resolvedValues)
	}
	return vi.fn().mockReturnValue(self)
	},
	})
	return self
	}
	function buildSelectChain(resolvedValues: unknown[]) {
	const chain: Record<string, unknown> = {}
	const limitSpy = vi.fn().mockReturnValue(chain)
	const offsetSpy = vi.fn().mockReturnValue(chain)
	const self = new Proxy(chain, {
	get(_target, prop) {
	if (prop === 'then') {
	return (resolve: (v: unknown) => void) => resolve(resolvedValues)
	}
	if (prop === 'limit') return limitSpy
	if (prop === 'offset') return offsetSpy
	return vi.fn().mockReturnValue(self)
	},
	})
	return Object.assign(self, { limitSpy, offsetSpy })
	}
	// Then in tests:
	const chain = buildSelectChain([{ count: 5 }])
	// ... after calling GET ...
	expect(chain.limitSpy).toHaveBeenCalledWith(1)
	expect(chain.offsetSpy).toHaveBeenCalledWith(2)

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

NaN propagates to SQL when limit/offset are non-numeric

Medium Severity

When limit or offset query params contain non-numeric strings (e.g. ?limit=abc), Number("abc") returns NaN, which propagates through Math.max and Math.min (both return NaN when any argument is NaN). The resulting NaN is passed to drizzle's .limit() and .offset(), which can produce a database error or bypass the limit protection entirely. The existing parsePaginationParams in apps/sim/app/api/v1/admin/types.ts already handles this correctly with explicit Number.isNaN checks and fallback to defaults.

 

[cursor]

Duplicates existing parsePaginationParams utility without NaN safety

Low Severity

The pagination parameter parsing logic here reimplements what parsePaginationParams in apps/sim/app/api/v1/admin/types.ts already does — extracting limit and offset from URL search params with clamping and defaults — but without the NaN safety that utility includes. Reusing or adapting the existing utility would avoid the divergence and the NaN bug.