mirror of
https://github.com/simstudioai/sim.git
synced 2026-02-11 23:14:58 -05:00
193 lines
5.2 KiB
TypeScript
193 lines
5.2 KiB
TypeScript
import { db } from '@sim/db'
|
|
import { form, workflow } from '@sim/db/schema'
|
|
import { createLogger } from '@sim/logger'
|
|
import { eq } from 'drizzle-orm'
|
|
import type { NextRequest, NextResponse } from 'next/server'
|
|
import {
|
|
isEmailAllowed,
|
|
setDeploymentAuthCookie,
|
|
validateAuthToken,
|
|
} from '@/lib/core/security/deployment'
|
|
import { decryptSecret } from '@/lib/core/security/encryption'
|
|
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
|
|
|
|
const logger = createLogger('FormAuthUtils')
|
|
|
|
export function setFormAuthCookie(
|
|
response: NextResponse,
|
|
formId: string,
|
|
type: string,
|
|
encryptedPassword?: string | null
|
|
): void {
|
|
setDeploymentAuthCookie(response, 'form', formId, type, encryptedPassword)
|
|
}
|
|
|
|
/**
|
|
* Check if user has permission to create a form for a specific workflow
|
|
*/
|
|
export async function checkWorkflowAccessForFormCreation(
|
|
workflowId: string,
|
|
userId: string
|
|
): Promise<{ hasAccess: boolean; workflow?: any }> {
|
|
const authorization = await authorizeWorkflowByWorkspacePermission({
|
|
workflowId,
|
|
userId,
|
|
action: 'admin',
|
|
})
|
|
|
|
if (!authorization.workflow) {
|
|
return { hasAccess: false }
|
|
}
|
|
|
|
if (authorization.allowed) {
|
|
return { hasAccess: true, workflow: authorization.workflow }
|
|
}
|
|
|
|
return { hasAccess: false }
|
|
}
|
|
|
|
/**
|
|
* Check if user has access to view/edit/delete a specific form
|
|
*/
|
|
export async function checkFormAccess(
|
|
formId: string,
|
|
userId: string
|
|
): Promise<{ hasAccess: boolean; form?: any }> {
|
|
const formData = await db
|
|
.select({ form: form, workflowWorkspaceId: workflow.workspaceId })
|
|
.from(form)
|
|
.innerJoin(workflow, eq(form.workflowId, workflow.id))
|
|
.where(eq(form.id, formId))
|
|
.limit(1)
|
|
|
|
if (formData.length === 0) {
|
|
return { hasAccess: false }
|
|
}
|
|
|
|
const { form: formRecord, workflowWorkspaceId } = formData[0]
|
|
if (!workflowWorkspaceId) {
|
|
return { hasAccess: false }
|
|
}
|
|
|
|
const authorization = await authorizeWorkflowByWorkspacePermission({
|
|
workflowId: formRecord.workflowId,
|
|
userId,
|
|
action: 'admin',
|
|
})
|
|
|
|
return authorization.allowed ? { hasAccess: true, form: formRecord } : { hasAccess: false }
|
|
}
|
|
|
|
export async function validateFormAuth(
|
|
requestId: string,
|
|
deployment: any,
|
|
request: NextRequest,
|
|
parsedBody?: any
|
|
): Promise<{ authorized: boolean; error?: string }> {
|
|
const authType = deployment.authType || 'public'
|
|
|
|
if (authType === 'public') {
|
|
return { authorized: true }
|
|
}
|
|
|
|
const cookieName = `form_auth_${deployment.id}`
|
|
const authCookie = request.cookies.get(cookieName)
|
|
|
|
if (authCookie && validateAuthToken(authCookie.value, deployment.id, deployment.password)) {
|
|
return { authorized: true }
|
|
}
|
|
|
|
if (authType === 'password') {
|
|
if (request.method === 'GET') {
|
|
return { authorized: false, error: 'auth_required_password' }
|
|
}
|
|
|
|
try {
|
|
if (!parsedBody) {
|
|
return { authorized: false, error: 'Password is required' }
|
|
}
|
|
|
|
const { password, formData } = parsedBody
|
|
|
|
if (formData && !password) {
|
|
return { authorized: false, error: 'auth_required_password' }
|
|
}
|
|
|
|
if (!password) {
|
|
return { authorized: false, error: 'Password is required' }
|
|
}
|
|
|
|
if (!deployment.password) {
|
|
logger.error(`[${requestId}] No password set for password-protected form: ${deployment.id}`)
|
|
return { authorized: false, error: 'Authentication configuration error' }
|
|
}
|
|
|
|
const { decrypted } = await decryptSecret(deployment.password)
|
|
if (password !== decrypted) {
|
|
return { authorized: false, error: 'Invalid password' }
|
|
}
|
|
|
|
return { authorized: true }
|
|
} catch (error) {
|
|
logger.error(`[${requestId}] Error validating password:`, error)
|
|
return { authorized: false, error: 'Authentication error' }
|
|
}
|
|
}
|
|
|
|
if (authType === 'email') {
|
|
if (request.method === 'GET') {
|
|
return { authorized: false, error: 'auth_required_email' }
|
|
}
|
|
|
|
try {
|
|
if (!parsedBody) {
|
|
return { authorized: false, error: 'Email is required' }
|
|
}
|
|
|
|
const { email, formData } = parsedBody
|
|
|
|
if (formData && !email) {
|
|
return { authorized: false, error: 'auth_required_email' }
|
|
}
|
|
|
|
if (!email) {
|
|
return { authorized: false, error: 'Email is required' }
|
|
}
|
|
|
|
const allowedEmails: string[] = deployment.allowedEmails || []
|
|
|
|
if (isEmailAllowed(email, allowedEmails)) {
|
|
return { authorized: true }
|
|
}
|
|
|
|
return { authorized: false, error: 'Email not authorized for this form' }
|
|
} catch (error) {
|
|
logger.error(`[${requestId}] Error validating email:`, error)
|
|
return { authorized: false, error: 'Authentication error' }
|
|
}
|
|
}
|
|
|
|
return { authorized: false, error: 'Unsupported authentication type' }
|
|
}
|
|
|
|
/**
|
|
* Form customizations interface
|
|
*/
|
|
export interface FormCustomizations {
|
|
primaryColor?: string
|
|
welcomeMessage?: string
|
|
thankYouTitle?: string
|
|
thankYouMessage?: string
|
|
logoUrl?: string
|
|
}
|
|
|
|
/**
|
|
* Default form customizations
|
|
* Note: primaryColor is intentionally undefined to allow thank you screen to use its green default
|
|
*/
|
|
export const DEFAULT_FORM_CUSTOMIZATIONS: FormCustomizations = {
|
|
welcomeMessage: '',
|
|
thankYouTitle: 'Thank you!',
|
|
thankYouMessage: 'Your response has been submitted successfully.',
|
|
}
|