github/sim
1
0
Fork 0
mirror of https://github.com/simstudioai/sim.git synced 2026-02-11 07:04:58 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
be3cdcf9816ced8af9a2e107a23c5955d5159676
sim/apps/sim/app/api/tools/custom/route.ts
Vikhyath Mondreti be3cdcf981 Merge pull request #3179 from simstudioai/improvement/file-download-timeouts 
improvement(timeouts): files/base64 should use max timeouts + auth centralization
2026-02-10 15:57:06 -08:00

275 lines
9.8 KiB
TypeScript
Raw Blame History

import { db } from '@sim/db'
import { customTools } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import { and, desc, eq, isNull, or } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { generateRequestId } from '@/lib/core/utils/request'
import { upsertCustomTools } from '@/lib/workflows/custom-tools/operations'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
const logger = createLogger('CustomToolsAPI')
const CustomToolSchema = z.object({
tools: z.array(
z.object({
id: z.string().optional(),
title: z.string().min(1, 'Tool title is required'),
schema: z.object({
type: z.literal('function'),
function: z.object({
name: z.string().min(1, 'Function name is required'),
description: z.string().optional(),
parameters: z.object({
type: z.string(),
properties: z.record(z.any()),
required: z.array(z.string()).optional(),
}),
}),
}),
code: z.string(),
})
),
workspaceId: z.string().optional(),
})
// GET - Fetch all custom tools for the workspace
export async function GET(request: NextRequest) {
const requestId = generateRequestId()
const searchParams = request.nextUrl.searchParams
const workspaceId = searchParams.get('workspaceId')
const workflowId = searchParams.get('workflowId')
try {
// Use session/internal auth to support session and internal JWT (no API key access)
const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!authResult.success || !authResult.userId) {
logger.warn(`[${requestId}] Unauthorized custom tools access attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = authResult.userId
let resolvedWorkspaceId: string | null = workspaceId
let resolvedFromWorkflowAuthorization = false
if (!resolvedWorkspaceId && workflowId) {
const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'read',
})
if (!workflowAuthorization.allowed) {
logger.warn(`[${requestId}] Workflow authorization failed for custom tools`, {
workflowId,
userId,
status: workflowAuthorization.status,
})
return NextResponse.json(
{ error: workflowAuthorization.message || 'Access denied' },
{ status: workflowAuthorization.status }
)
}
resolvedWorkspaceId = workflowAuthorization.workflow?.workspaceId ?? null
resolvedFromWorkflowAuthorization = true
}
// Check workspace permissions for all auth types
if (resolvedWorkspaceId && !resolvedFromWorkflowAuthorization) {
const userPermission = await getUserEntityPermissions(
userId,
'workspace',
resolvedWorkspaceId
)
if (!userPermission) {
logger.warn(
`[${requestId}] User ${userId} does not have access to workspace ${resolvedWorkspaceId}`
)
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
}
}
// Build query to fetch tools
// 1. Workspace-scoped tools: tools with matching workspaceId
// 2. User-scoped legacy tools: tools with null workspaceId and matching userId
const conditions = []
if (resolvedWorkspaceId) {
conditions.push(eq(customTools.workspaceId, resolvedWorkspaceId))
}
// Always include legacy user-scoped tools for backward compatibility
conditions.push(and(isNull(customTools.workspaceId), eq(customTools.userId, userId)))
const result = await db
.select()
.from(customTools)
.where(or(...conditions))
.orderBy(desc(customTools.createdAt))
return NextResponse.json({ data: result }, { status: 200 })
} catch (error) {
logger.error(`[${requestId}] Error fetching custom tools:`, error)
return NextResponse.json({ error: 'Failed to fetch custom tools' }, { status: 500 })
}
}
// POST - Create or update custom tools
export async function POST(req: NextRequest) {
const requestId = generateRequestId()
try {
// Use session/internal auth (no API key access)
const authResult = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
if (!authResult.success || !authResult.userId) {
logger.warn(`[${requestId}] Unauthorized custom tools update attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = authResult.userId
const body = await req.json()
try {
// Validate the request body
const { tools, workspaceId } = CustomToolSchema.parse(body)
if (!workspaceId) {
logger.warn(`[${requestId}] Missing workspaceId in request body`)
return NextResponse.json({ error: 'workspaceId is required' }, { status: 400 })
}
// Check workspace permissions
const userPermission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
if (!userPermission) {
logger.warn(
`[${requestId}] User ${userId} does not have access to workspace ${workspaceId}`
)
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
}
// Check write permission
if (userPermission !== 'admin' && userPermission !== 'write') {
logger.warn(
`[${requestId}] User ${userId} does not have write permission for workspace ${workspaceId}`
)
return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
}
// Use the extracted upsert function
const resultTools = await upsertCustomTools({
tools,
workspaceId,
userId,
requestId,
})
return NextResponse.json({ success: true, data: resultTools })
} catch (validationError) {
if (validationError instanceof z.ZodError) {
logger.warn(`[${requestId}] Invalid custom tools data`, {
errors: validationError.errors,
})
return NextResponse.json(
{ error: 'Invalid request data', details: validationError.errors },
{ status: 400 }
)
}
throw validationError
}
} catch (error) {
logger.error(`[${requestId}] Error updating custom tools`, error)
const errorMessage = error instanceof Error ? error.message : 'Failed to update custom tools'
return NextResponse.json({ error: errorMessage }, { status: 500 })
}
}
// DELETE - Delete a custom tool by ID
export async function DELETE(request: NextRequest) {
const requestId = generateRequestId()
const searchParams = request.nextUrl.searchParams
const toolId = searchParams.get('id')
const workspaceId = searchParams.get('workspaceId')
if (!toolId) {
logger.warn(`[${requestId}] Missing tool ID for deletion`)
return NextResponse.json({ error: 'Tool ID is required' }, { status: 400 })
}
try {
// Use session/internal auth (no API key access)
const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!authResult.success || !authResult.userId) {
logger.warn(`[${requestId}] Unauthorized custom tool deletion attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = authResult.userId
// Check if the tool exists
const existingTool = await db
.select()
.from(customTools)
.where(eq(customTools.id, toolId))
.limit(1)
if (existingTool.length === 0) {
logger.warn(`[${requestId}] Tool not found: ${toolId}`)
return NextResponse.json({ error: 'Tool not found' }, { status: 404 })
}
const tool = existingTool[0]
// Handle workspace-scoped tools
if (tool.workspaceId) {
if (!workspaceId) {
logger.warn(`[${requestId}] Missing workspaceId for workspace-scoped tool`)
return NextResponse.json({ error: 'workspaceId is required' }, { status: 400 })
}
// Check workspace permissions
const userPermission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
if (!userPermission) {
logger.warn(
`[${requestId}] User ${userId} does not have access to workspace ${workspaceId}`
)
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
}
// Check write permission
if (userPermission !== 'admin' && userPermission !== 'write') {
logger.warn(
`[${requestId}] User ${userId} does not have write permission for workspace ${workspaceId}`
)
return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
}
// Verify tool belongs to this workspace
if (tool.workspaceId !== workspaceId) {
logger.warn(`[${requestId}] Tool ${toolId} does not belong to workspace ${workspaceId}`)
return NextResponse.json({ error: 'Tool not found' }, { status: 404 })
}
} else {
// Handle legacy user-scoped tools (no workspaceId)
// Only allow deletion if user owns the tool
if (tool.userId !== userId) {
logger.warn(
`[${requestId}] User ${userId} attempted to delete tool they don't own: ${toolId}`
)
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
}
}
// Delete the tool
await db.delete(customTools).where(eq(customTools.id, toolId))
logger.info(`[${requestId}] Deleted tool: ${toolId}`)
return NextResponse.json({ success: true })
} catch (error) {
logger.error(`[${requestId}] Error deleting custom tool:`, error)
return NextResponse.json({ error: 'Failed to delete custom tool' }, { status: 500 })
}
}
Reference in New Issue View Git Blame Copy Permalink