From 7592df8068fc1661d105e629ada64b0ec001b9c4 Mon Sep 17 00:00:00 2001 From: Ramnique Singh <30795890+ramnique@users.noreply.github.com> Date: Tue, 5 Aug 2025 17:05:04 +0530 Subject: [PATCH] check authz before consuming project action quota --- .../use-cases/conversations/create-cached-turn.use-case.ts | 6 +++--- .../use-cases/conversations/create-conversation.use-case.ts | 6 +++--- .../use-cases/conversations/fetch-cached-turn.use-case.ts | 6 +++--- .../conversations/run-conversation-turn.use-case.ts | 6 +++--- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/apps/rowboat/src/application/use-cases/conversations/create-cached-turn.use-case.ts b/apps/rowboat/src/application/use-cases/conversations/create-cached-turn.use-case.ts index d1bf4df5..e4612cec 100644 --- a/apps/rowboat/src/application/use-cases/conversations/create-cached-turn.use-case.ts +++ b/apps/rowboat/src/application/use-cases/conversations/create-cached-turn.use-case.ts @@ -52,9 +52,6 @@ export class CreateCachedTurnUseCase implements ICreateCachedTurnUseCase { // extract projectid from conversation const { projectId } = conversation; - // assert and consume quota - await this.usageQuotaPolicy.assertAndConsume(projectId); - // authz check await this.projectActionAuthorizationPolicy.authorize({ caller: data.caller, @@ -63,6 +60,9 @@ export class CreateCachedTurnUseCase implements ICreateCachedTurnUseCase { projectId, }); + // assert and consume quota + await this.usageQuotaPolicy.assertAndConsume(projectId); + // create cache entry const key = nanoid(); const payload: z.infer = { diff --git a/apps/rowboat/src/application/use-cases/conversations/create-conversation.use-case.ts b/apps/rowboat/src/application/use-cases/conversations/create-conversation.use-case.ts index 5c06c0c0..2654c10a 100644 --- a/apps/rowboat/src/application/use-cases/conversations/create-conversation.use-case.ts +++ b/apps/rowboat/src/application/use-cases/conversations/create-conversation.use-case.ts 
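Review bot: The relocated comment `// assert and consume quota` in create-cached-turn.use-case.ts (hunk `+60,9`) does not say why the call now sits after the authz check, yet that ordering is the whole point of the commit. Without the reason on the page, a later refactor can move the call back above `authorize(...)`, and a caller who fails authorization would again be charged against a project's quota. Suggest `// consume quota only after authz has passed, so a rejected caller cannot use up this project's quota`. The same comment applies to the matching hunks in create-conversation, fetch-cached-turn and run-conversation-turn. A unit test per use case asserting that `assertAndConsume` is not called when `authorize` rejects would pin the order.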
@@ -44,9 +44,6 @@ export class CreateConversationUseCase implements ICreateConversationUseCase { let isLiveWorkflow = Boolean(data.isLiveWorkflow); let workflow = data.workflow; - // assert and consume quota - await this.usageQuotaPolicy.assertAndConsume(projectId); - // authz check await this.projectActionAuthorizationPolicy.authorize({ caller, @@ -55,6 +52,9 @@ export class CreateConversationUseCase implements ICreateConversationUseCase { projectId, }); + // assert and consume quota + await this.usageQuotaPolicy.assertAndConsume(projectId); + // if workflow is not provided, fetch workflow if (!workflow) { const project = await projectsCollection.findOne({ diff --git a/apps/rowboat/src/application/use-cases/conversations/fetch-cached-turn.use-case.ts b/apps/rowboat/src/application/use-cases/conversations/fetch-cached-turn.use-case.ts index 6e16e5b4..836115b9 100644 --- a/apps/rowboat/src/application/use-cases/conversations/fetch-cached-turn.use-case.ts +++ b/apps/rowboat/src/application/use-cases/conversations/fetch-cached-turn.use-case.ts @@ -59,9 +59,6 @@ export class FetchCachedTurnUseCase implements IFetchCachedTurnUseCase { // extract projectid from conversation const { projectId } = conversation; - // assert and consume quota - await this.usageQuotaPolicy.assertAndConsume(projectId); - // authz check await this.projectActionAuthorizationPolicy.authorize({ caller: data.caller, @@ -70,6 +67,9 @@ export class FetchCachedTurnUseCase implements IFetchCachedTurnUseCase { projectId, }); + // assert and consume quota + await this.usageQuotaPolicy.assertAndConsume(projectId); + // delete from cache await this.cacheService.delete(`turn-${data.key}`); diff --git a/apps/rowboat/src/application/use-cases/conversations/run-conversation-turn.use-case.ts b/apps/rowboat/src/application/use-cases/conversations/run-conversation-turn.use-case.ts index 824e60ac..39c358b2 100644 --- a/apps/rowboat/src/application/use-cases/conversations/run-conversation-turn.use-case.ts 
+++ b/apps/rowboat/src/application/use-cases/conversations/run-conversation-turn.use-case.ts @@ -51,9 +51,6 @@ export class RunConversationTurnUseCase implements IRunConversationTurnUseCase { // extract projectid from conversation const { id: conversationId, projectId } = conversation; - // assert and consume quota - await this.usageQuotaPolicy.assertAndConsume(projectId); - // authz check await this.projectActionAuthorizationPolicy.authorize({ caller: data.caller, @@ -62,6 +59,9 @@ export class RunConversationTurnUseCase implements IRunConversationTurnUseCase { projectId, }); + // assert and consume quota + await this.usageQuotaPolicy.assertAndConsume(projectId); + // Check billing auth if (USE_BILLING) { // get billing customer id for project
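Review bot: In run-conversation-turn.use-case.ts the quota is still consumed before the `// Check billing auth` block that follows the added lines in hunk `+59,9`. A request that passes project authz but is refused by the billing check has presumably already been charged against the project's quota, which is the same ordering problem this commit fixes for authz. Consider moving `await this.usageQuotaPolicy.assertAndConsume(projectId);` to after the `if (USE_BILLING) { ... }` block, or add a comment saying the order is intentional. The billing block continues past the end of the hunk, so what it does on refusal is not visible here.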