github/sim
1
1
Fork 0
mirror of https://github.com/simstudioai/sim.git synced 2026-04-28 03:00:29 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
158d5236bc6adac9d62fa1ec00bdff5a181611da
sim/apps/sim/app/api/workspaces/[id]/byok-keys/route.ts
Theodore Li 158d5236bc feat(hosted key): Add exa hosted key (#3221) 
* feat(hosted keys): Implement serper hosted key

* Handle required fields correctly for hosted keys

* Add rate limiting (3 tries, exponential backoff)

* Add custom pricing, switch to exa as first hosted key

* Add telemetry

* Consolidate byok type definitions

* Add warning comment if default calculation is used

* Record usage to user stats table

* Fix unit tests, use cost property

* Include more metadata in cost output

* Fix disabled tests

* Fix spacing

* Fix lint

* Move knowledge cost restructuring away from generic block handler

* Migrate knowledge unit tests

* Lint

* Fix broken tests

* Add user based hosted key throttling

* Refactor hosted key handling. Add optimistic handling of throttling for custom throttle rules.

* Remove research as hosted key. Recommend BYOK if throtttling occurs

* Make adding api keys adjustable via env vars

* Remove vestigial fields from research

* Make billing actor id required for throttling

* Switch to round robin for api key distribution

* Add helper method for adding hosted key cost

* Strip leading double underscores to avoid breaking change

* Lint fix

* Remove falsy check in favor for explicit null check

* Add more detailed metrics for different throttling types

* Fix _costDollars field

* Handle hosted agent tool calls

* Fail loudly if cost field isn't found

* Remove any type

* Fix type error

* Fix lint

* Fix usage log double logging data

* Fix test

---------

Co-authored-by: Theodore Li <teddy@zenobiapay.com>
2026-03-07 13:06:57 -05:00

285 lines
8.5 KiB
TypeScript
Raw Blame History

import { db } from '@sim/db'
import { workspaceBYOKKeys } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import { and, eq } from 'drizzle-orm'
import { nanoid } from 'nanoid'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
import { getSession } from '@/lib/auth'
import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
import { generateRequestId } from '@/lib/core/utils/request'
import { getUserEntityPermissions, getWorkspaceById } from '@/lib/workspaces/permissions/utils'
const logger = createLogger('WorkspaceBYOKKeysAPI')
const VALID_PROVIDERS = ['openai', 'anthropic', 'google', 'mistral', 'exa'] as const
const UpsertKeySchema = z.object({
providerId: z.enum(VALID_PROVIDERS),
apiKey: z.string().min(1, 'API key is required'),
})
const DeleteKeySchema = z.object({
providerId: z.enum(VALID_PROVIDERS),
})
function maskApiKey(key: string): string {
if (key.length <= 8) {
return '•'.repeat(8)
}
if (key.length <= 12) {
return `${key.slice(0, 4)}...${key.slice(-4)}`
}
return `${key.slice(0, 6)}...${key.slice(-4)}`
}
export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
const requestId = generateRequestId()
const workspaceId = (await params).id
try {
const session = await getSession()
if (!session?.user?.id) {
logger.warn(`[${requestId}] Unauthorized BYOK keys access attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = session.user.id
const ws = await getWorkspaceById(workspaceId)
if (!ws) {
return NextResponse.json({ error: 'Workspace not found' }, { status: 404 })
}
const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
if (!permission) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const byokKeys = await db
.select({
id: workspaceBYOKKeys.id,
providerId: workspaceBYOKKeys.providerId,
encryptedApiKey: workspaceBYOKKeys.encryptedApiKey,
createdBy: workspaceBYOKKeys.createdBy,
createdAt: workspaceBYOKKeys.createdAt,
updatedAt: workspaceBYOKKeys.updatedAt,
})
.from(workspaceBYOKKeys)
.where(eq(workspaceBYOKKeys.workspaceId, workspaceId))
.orderBy(workspaceBYOKKeys.providerId)
const formattedKeys = await Promise.all(
byokKeys.map(async (key) => {
try {
const { decrypted } = await decryptSecret(key.encryptedApiKey)
return {
id: key.id,
providerId: key.providerId,
maskedKey: maskApiKey(decrypted),
createdBy: key.createdBy,
createdAt: key.createdAt,
updatedAt: key.updatedAt,
}
} catch (error) {
logger.error(`[${requestId}] Failed to decrypt BYOK key for provider ${key.providerId}`, {
error,
})
return {
id: key.id,
providerId: key.providerId,
maskedKey: '••••••••',
createdBy: key.createdBy,
createdAt: key.createdAt,
updatedAt: key.updatedAt,
}
}
})
)
return NextResponse.json({ keys: formattedKeys })
} catch (error: unknown) {
logger.error(`[${requestId}] BYOK keys GET error`, error)
return NextResponse.json(
{ error: error instanceof Error ? error.message : 'Failed to load BYOK keys' },
{ status: 500 }
)
}
}
export async function POST(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
const requestId = generateRequestId()
const workspaceId = (await params).id
try {
const session = await getSession()
if (!session?.user?.id) {
logger.warn(`[${requestId}] Unauthorized BYOK key creation attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = session.user.id
const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
if (permission !== 'admin') {
return NextResponse.json(
{ error: 'Only workspace admins can manage BYOK keys' },
{ status: 403 }
)
}
const body = await request.json()
const { providerId, apiKey } = UpsertKeySchema.parse(body)
const { encrypted } = await encryptSecret(apiKey)
const existingKey = await db
.select()
.from(workspaceBYOKKeys)
.where(
and(
eq(workspaceBYOKKeys.workspaceId, workspaceId),
eq(workspaceBYOKKeys.providerId, providerId)
)
)
.limit(1)
if (existingKey.length > 0) {
await db
.update(workspaceBYOKKeys)
.set({
encryptedApiKey: encrypted,
updatedAt: new Date(),
})
.where(eq(workspaceBYOKKeys.id, existingKey[0].id))
logger.info(`[${requestId}] Updated BYOK key for ${providerId} in workspace ${workspaceId}`)
return NextResponse.json({
success: true,
key: {
id: existingKey[0].id,
providerId,
maskedKey: maskApiKey(apiKey),
updatedAt: new Date(),
},
})
}
const [newKey] = await db
.insert(workspaceBYOKKeys)
.values({
id: nanoid(),
workspaceId,
providerId,
encryptedApiKey: encrypted,
createdBy: userId,
createdAt: new Date(),
updatedAt: new Date(),
})
.returning({
id: workspaceBYOKKeys.id,
providerId: workspaceBYOKKeys.providerId,
createdAt: workspaceBYOKKeys.createdAt,
})
logger.info(`[${requestId}] Created BYOK key for ${providerId} in workspace ${workspaceId}`)
recordAudit({
workspaceId,
actorId: userId,
actorName: session?.user?.name,
actorEmail: session?.user?.email,
action: AuditAction.BYOK_KEY_CREATED,
resourceType: AuditResourceType.BYOK_KEY,
resourceId: newKey.id,
resourceName: providerId,
description: `Added BYOK key for ${providerId}`,
metadata: { providerId },
request,
})
return NextResponse.json({
success: true,
key: {
...newKey,
maskedKey: maskApiKey(apiKey),
},
})
} catch (error: unknown) {
logger.error(`[${requestId}] BYOK key POST error`, error)
if (error instanceof z.ZodError) {
return NextResponse.json({ error: error.errors[0].message }, { status: 400 })
}
return NextResponse.json(
{ error: error instanceof Error ? error.message : 'Failed to save BYOK key' },
{ status: 500 }
)
}
}
export async function DELETE(
request: NextRequest,
{ params }: { params: Promise<{ id: string }> }
) {
const requestId = generateRequestId()
const workspaceId = (await params).id
try {
const session = await getSession()
if (!session?.user?.id) {
logger.warn(`[${requestId}] Unauthorized BYOK key deletion attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = session.user.id
const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
if (permission !== 'admin') {
return NextResponse.json(
{ error: 'Only workspace admins can manage BYOK keys' },
{ status: 403 }
)
}
const body = await request.json()
const { providerId } = DeleteKeySchema.parse(body)
const result = await db
.delete(workspaceBYOKKeys)
.where(
and(
eq(workspaceBYOKKeys.workspaceId, workspaceId),
eq(workspaceBYOKKeys.providerId, providerId)
)
)
logger.info(`[${requestId}] Deleted BYOK key for ${providerId} from workspace ${workspaceId}`)
recordAudit({
workspaceId,
actorId: userId,
actorName: session?.user?.name,
actorEmail: session?.user?.email,
action: AuditAction.BYOK_KEY_DELETED,
resourceType: AuditResourceType.BYOK_KEY,
resourceName: providerId,
description: `Removed BYOK key for ${providerId}`,
metadata: { providerId },
request,
})
return NextResponse.json({ success: true })
} catch (error: unknown) {
logger.error(`[${requestId}] BYOK key DELETE error`, error)
if (error instanceof z.ZodError) {
return NextResponse.json({ error: error.errors[0].message }, { status: 400 })
}
return NextResponse.json(
{ error: error instanceof Error ? error.message : 'Failed to delete BYOK key' },
{ status: 500 }
)
}
}
Reference in New Issue View Git Blame Copy Permalink