mirror of
https://github.com/simstudioai/sim.git
synced 2026-02-19 02:34:37 -05:00
e37b4a926d
* feat(audit-log): add persistent audit log system with comprehensive route instrumentation
* fix(audit-log): address PR review — nullable workspaceId, enum usage, remove redundant queries
- Make audit_log.workspace_id nullable with ON DELETE SET NULL (logs survive workspace/user deletion)
- Make audit_log.actor_id nullable with ON DELETE SET NULL
- Replace all 53 routes' string literal action/resourceType with AuditAction.X and AuditResourceType.X enums
- Fix empty workspaceId ('') → null for OAuth, form, and org routes to avoid FK violations
- Remove redundant DB queries in chat manage route (use checkChatAccess return data)
- Fix organization routes to pass workspaceId: null instead of organizationId
* fix(audit-log): replace remaining workspaceId '' fallbacks with null
* fix(audit-log): credential-set org IDs, workspace deletion FK, actorId fallback, string literal action
* reran migrations
* fix(mcp,audit): tighten env var domain bypass, add post-resolution check, form workspaceId
- Only bypass MCP domain check when env var is in hostname/authority, not path/query
- Add post-resolution validateMcpDomain call in test-connection endpoint
- Match client-side isDomainAllowed to same hostname-only bypass logic
- Return workspaceId from checkFormAccess, use in form audit logs
- Add 49 comprehensive domain-check tests covering all edge cases
* fix(mcp): stateful regex lastIndex bug, RFC 3986 authority parsing
- Remove /g flag from module-level ENV_VAR_PATTERN to avoid lastIndex state
- Create fresh regex instances per call in server-side hasEnvVarInHostname
- Fix authority extraction to terminate at /, ?, or # per RFC 3986
- Prevents bypass via https://evil.com?token={{SECRET}} (no path)
- Add test cases for query-only and fragment-only env var URLs (53 total)
* fix(audit-log): try/catch for never-throw contract, accept null actorName/Email, fix misleading action
- Wrap recordAudit body in try/catch so nanoid() or header extraction can't throw
- Accept string | null for actorName and actorEmail (session.user.name can be null)
- Normalize null -> undefined before insert to match DB column types
- Fix org members route: ORG_MEMBER_ADDED -> ORG_INVITATION_CREATED (sends invite, not adds member)
* improvement(audit-log): add resource names and specific invitation actions
* fix(audit-log): use validated chat record, add mock sync tests
151 lines
4.2 KiB
TypeScript
151 lines
4.2 KiB
TypeScript
import { db } from '@sim/db'
|
|
import { member, organization } from '@sim/db/schema'
|
|
import { createLogger } from '@sim/logger'
|
|
import { and, eq, or } from 'drizzle-orm'
|
|
import { NextResponse } from 'next/server'
|
|
import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
|
|
import { getSession } from '@/lib/auth'
|
|
import { createOrganizationForTeamPlan } from '@/lib/billing/organization'
|
|
|
|
const logger = createLogger('OrganizationsAPI')
|
|
|
|
export async function GET() {
|
|
try {
|
|
const session = await getSession()
|
|
|
|
if (!session?.user?.id) {
|
|
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
|
}
|
|
|
|
const userOrganizations = await db
|
|
.select({
|
|
id: organization.id,
|
|
name: organization.name,
|
|
role: member.role,
|
|
})
|
|
.from(member)
|
|
.innerJoin(organization, eq(member.organizationId, organization.id))
|
|
.where(
|
|
and(
|
|
eq(member.userId, session.user.id),
|
|
or(eq(member.role, 'owner'), eq(member.role, 'admin'))
|
|
)
|
|
)
|
|
|
|
const anyMembership = await db
|
|
.select({ id: member.id })
|
|
.from(member)
|
|
.where(eq(member.userId, session.user.id))
|
|
.limit(1)
|
|
|
|
return NextResponse.json({
|
|
organizations: userOrganizations,
|
|
isMemberOfAnyOrg: anyMembership.length > 0,
|
|
})
|
|
} catch (error) {
|
|
logger.error('Failed to fetch organizations', {
|
|
error: error instanceof Error ? error.message : 'Unknown error',
|
|
stack: error instanceof Error ? error.stack : undefined,
|
|
})
|
|
|
|
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
|
|
}
|
|
}
|
|
|
|
export async function POST(request: Request) {
|
|
try {
|
|
const session = await getSession()
|
|
|
|
if (!session?.user?.id) {
|
|
return NextResponse.json({ error: 'Unauthorized - no active session' }, { status: 401 })
|
|
}
|
|
|
|
const user = session.user
|
|
|
|
// Parse request body for optional name and slug
|
|
let organizationName = user.name
|
|
let organizationSlug: string | undefined
|
|
|
|
try {
|
|
const body = await request.json()
|
|
if (body.name && typeof body.name === 'string') {
|
|
organizationName = body.name
|
|
}
|
|
if (body.slug && typeof body.slug === 'string') {
|
|
organizationSlug = body.slug
|
|
}
|
|
} catch {
|
|
// If no body or invalid JSON, use defaults
|
|
}
|
|
|
|
logger.info('Creating organization for team plan', {
|
|
userId: user.id,
|
|
userName: user.name,
|
|
userEmail: user.email,
|
|
organizationName,
|
|
organizationSlug,
|
|
})
|
|
|
|
// Enforce: a user can only belong to one organization at a time
|
|
const existingOrgMembership = await db
|
|
.select({ id: member.id })
|
|
.from(member)
|
|
.where(eq(member.userId, user.id))
|
|
.limit(1)
|
|
|
|
if (existingOrgMembership.length > 0) {
|
|
return NextResponse.json(
|
|
{
|
|
error:
|
|
'You are already a member of an organization. Leave your current organization before creating a new one.',
|
|
},
|
|
{ status: 409 }
|
|
)
|
|
}
|
|
|
|
// Create organization and make user the owner/admin
|
|
const organizationId = await createOrganizationForTeamPlan(
|
|
user.id,
|
|
organizationName || undefined,
|
|
user.email,
|
|
organizationSlug
|
|
)
|
|
|
|
logger.info('Successfully created organization for team plan', {
|
|
userId: user.id,
|
|
organizationId,
|
|
})
|
|
|
|
recordAudit({
|
|
workspaceId: null,
|
|
actorId: user.id,
|
|
action: AuditAction.ORGANIZATION_CREATED,
|
|
resourceType: AuditResourceType.ORGANIZATION,
|
|
resourceId: organizationId,
|
|
actorName: user.name ?? undefined,
|
|
actorEmail: user.email ?? undefined,
|
|
resourceName: organizationName ?? undefined,
|
|
description: `Created organization "${organizationName}"`,
|
|
request,
|
|
})
|
|
|
|
return NextResponse.json({
|
|
success: true,
|
|
organizationId,
|
|
})
|
|
} catch (error) {
|
|
logger.error('Failed to create organization for team plan', {
|
|
error: error instanceof Error ? error.message : 'Unknown error',
|
|
stack: error instanceof Error ? error.stack : undefined,
|
|
})
|
|
|
|
return NextResponse.json(
|
|
{
|
|
error: 'Failed to create organization',
|
|
message: error instanceof Error ? error.message : 'Unknown error',
|
|
},
|
|
{ status: 500 }
|
|
)
|
|
}
|
|
}
|