mirror of
https://github.com/simstudioai/sim.git
synced 2026-02-18 18:25:14 -05:00
e37b4a926d
* feat(audit-log): add persistent audit log system with comprehensive route instrumentation
* fix(audit-log): address PR review — nullable workspaceId, enum usage, remove redundant queries
- Make audit_log.workspace_id nullable with ON DELETE SET NULL (logs survive workspace/user deletion)
- Make audit_log.actor_id nullable with ON DELETE SET NULL
- Replace all 53 routes' string literal action/resourceType with AuditAction.X and AuditResourceType.X enums
- Fix empty workspaceId ('') → null for OAuth, form, and org routes to avoid FK violations
- Remove redundant DB queries in chat manage route (use checkChatAccess return data)
- Fix organization routes to pass workspaceId: null instead of organizationId
* fix(audit-log): replace remaining workspaceId '' fallbacks with null
* fix(audit-log): credential-set org IDs, workspace deletion FK, actorId fallback, string literal action
* reran migrations
* fix(mcp,audit): tighten env var domain bypass, add post-resolution check, form workspaceId
- Only bypass MCP domain check when env var is in hostname/authority, not path/query
- Add post-resolution validateMcpDomain call in test-connection endpoint
- Match client-side isDomainAllowed to same hostname-only bypass logic
- Return workspaceId from checkFormAccess, use in form audit logs
- Add 49 comprehensive domain-check tests covering all edge cases
* fix(mcp): stateful regex lastIndex bug, RFC 3986 authority parsing
- Remove /g flag from module-level ENV_VAR_PATTERN to avoid lastIndex state
- Create fresh regex instances per call in server-side hasEnvVarInHostname
- Fix authority extraction to terminate at /, ?, or # per RFC 3986
- Prevents bypass via https://evil.com?token={{SECRET}} (no path)
- Add test cases for query-only and fragment-only env var URLs (53 total)
* fix(audit-log): try/catch for never-throw contract, accept null actorName/Email, fix misleading action
- Wrap recordAudit body in try/catch so nanoid() or header extraction can't throw
- Accept string | null for actorName and actorEmail (session.user.name can be null)
- Normalize null -> undefined before insert to match DB column types
- Fix org members route: ORG_MEMBER_ADDED -> ORG_INVITATION_CREATED (sends invite, not adds member)
* improvement(audit-log): add resource names and specific invitation actions
* fix(audit-log): use validated chat record, add mock sync tests
441 lines
14 KiB
TypeScript
441 lines
14 KiB
TypeScript
/**
|
|
* Tests for chat API route
|
|
*
|
|
* @vitest-environment node
|
|
*/
|
|
import { auditMock } from '@sim/testing'
|
|
import { NextRequest } from 'next/server'
|
|
import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
|
|
|
|
describe('Chat API Route', () => {
|
|
const mockSelect = vi.fn()
|
|
const mockFrom = vi.fn()
|
|
const mockWhere = vi.fn()
|
|
const mockLimit = vi.fn()
|
|
const mockInsert = vi.fn()
|
|
const mockValues = vi.fn()
|
|
const mockReturning = vi.fn()
|
|
|
|
const mockCreateSuccessResponse = vi.fn()
|
|
const mockCreateErrorResponse = vi.fn()
|
|
const mockEncryptSecret = vi.fn()
|
|
const mockCheckWorkflowAccessForChatCreation = vi.fn()
|
|
const mockDeployWorkflow = vi.fn()
|
|
|
|
beforeEach(() => {
|
|
vi.resetModules()
|
|
|
|
mockSelect.mockReturnValue({ from: mockFrom })
|
|
mockFrom.mockReturnValue({ where: mockWhere })
|
|
mockWhere.mockReturnValue({ limit: mockLimit })
|
|
mockInsert.mockReturnValue({ values: mockValues })
|
|
mockValues.mockReturnValue({ returning: mockReturning })
|
|
|
|
vi.doMock('@/lib/audit/log', () => auditMock)
|
|
|
|
vi.doMock('@sim/db', () => ({
|
|
db: {
|
|
select: mockSelect,
|
|
insert: mockInsert,
|
|
},
|
|
}))
|
|
|
|
vi.doMock('@sim/db/schema', () => ({
|
|
chat: { userId: 'userId', identifier: 'identifier' },
|
|
workflow: { id: 'id', userId: 'userId', isDeployed: 'isDeployed' },
|
|
}))
|
|
|
|
vi.doMock('@sim/logger', () => ({
|
|
createLogger: vi.fn().mockReturnValue({
|
|
info: vi.fn(),
|
|
error: vi.fn(),
|
|
warn: vi.fn(),
|
|
debug: vi.fn(),
|
|
}),
|
|
}))
|
|
|
|
vi.doMock('@/app/api/workflows/utils', () => ({
|
|
createSuccessResponse: mockCreateSuccessResponse.mockImplementation((data) => {
|
|
return new Response(JSON.stringify(data), {
|
|
status: 200,
|
|
headers: { 'Content-Type': 'application/json' },
|
|
})
|
|
}),
|
|
createErrorResponse: mockCreateErrorResponse.mockImplementation((message, status = 500) => {
|
|
return new Response(JSON.stringify({ error: message }), {
|
|
status,
|
|
headers: { 'Content-Type': 'application/json' },
|
|
})
|
|
}),
|
|
}))
|
|
|
|
vi.doMock('@/lib/core/security/encryption', () => ({
|
|
encryptSecret: mockEncryptSecret.mockResolvedValue({ encrypted: 'encrypted-password' }),
|
|
}))
|
|
|
|
vi.doMock('uuid', () => ({
|
|
v4: vi.fn().mockReturnValue('test-uuid'),
|
|
}))
|
|
|
|
vi.doMock('@/app/api/chat/utils', () => ({
|
|
checkWorkflowAccessForChatCreation: mockCheckWorkflowAccessForChatCreation,
|
|
}))
|
|
|
|
vi.doMock('@/lib/workflows/persistence/utils', () => ({
|
|
deployWorkflow: mockDeployWorkflow.mockResolvedValue({
|
|
success: true,
|
|
version: 1,
|
|
deployedAt: new Date(),
|
|
}),
|
|
}))
|
|
})
|
|
|
|
afterEach(() => {
|
|
vi.clearAllMocks()
|
|
})
|
|
|
|
describe('GET', () => {
|
|
it('should return 401 when user is not authenticated', async () => {
|
|
vi.doMock('@/lib/auth', () => ({
|
|
getSession: vi.fn().mockResolvedValue(null),
|
|
}))
|
|
|
|
const req = new NextRequest('http://localhost:3000/api/chat')
|
|
const { GET } = await import('@/app/api/chat/route')
|
|
const response = await GET(req)
|
|
|
|
expect(response.status).toBe(401)
|
|
expect(mockCreateErrorResponse).toHaveBeenCalledWith('Unauthorized', 401)
|
|
})
|
|
|
|
it('should return chat deployments for authenticated user', async () => {
|
|
vi.doMock('@/lib/auth', () => ({
|
|
getSession: vi.fn().mockResolvedValue({
|
|
user: { id: 'user-id' },
|
|
}),
|
|
}))
|
|
|
|
const mockDeployments = [{ id: 'deployment-1' }, { id: 'deployment-2' }]
|
|
mockWhere.mockResolvedValue(mockDeployments)
|
|
|
|
const req = new NextRequest('http://localhost:3000/api/chat')
|
|
const { GET } = await import('@/app/api/chat/route')
|
|
const response = await GET(req)
|
|
|
|
expect(response.status).toBe(200)
|
|
expect(mockCreateSuccessResponse).toHaveBeenCalledWith({ deployments: mockDeployments })
|
|
expect(mockWhere).toHaveBeenCalled()
|
|
})
|
|
|
|
it('should handle errors when fetching deployments', async () => {
|
|
vi.doMock('@/lib/auth', () => ({
|
|
getSession: vi.fn().mockResolvedValue({
|
|
user: { id: 'user-id' },
|
|
}),
|
|
}))
|
|
|
|
mockWhere.mockRejectedValue(new Error('Database error'))
|
|
|
|
const req = new NextRequest('http://localhost:3000/api/chat')
|
|
const { GET } = await import('@/app/api/chat/route')
|
|
const response = await GET(req)
|
|
|
|
expect(response.status).toBe(500)
|
|
expect(mockCreateErrorResponse).toHaveBeenCalledWith('Database error', 500)
|
|
})
|
|
})
|
|
|
|
describe('POST', () => {
|
|
it('should return 401 when user is not authenticated', async () => {
|
|
vi.doMock('@/lib/auth', () => ({
|
|
getSession: vi.fn().mockResolvedValue(null),
|
|
}))
|
|
|
|
const req = new NextRequest('http://localhost:3000/api/chat', {
|
|
method: 'POST',
|
|
body: JSON.stringify({}),
|
|
})
|
|
const { POST } = await import('@/app/api/chat/route')
|
|
const response = await POST(req)
|
|
|
|
expect(response.status).toBe(401)
|
|
expect(mockCreateErrorResponse).toHaveBeenCalledWith('Unauthorized', 401)
|
|
})
|
|
|
|
it('should validate request data', async () => {
|
|
vi.doMock('@/lib/auth', () => ({
|
|
getSession: vi.fn().mockResolvedValue({
|
|
user: { id: 'user-id' },
|
|
}),
|
|
}))
|
|
|
|
const invalidData = { title: 'Test Chat' } // Missing required fields
|
|
|
|
const req = new NextRequest('http://localhost:3000/api/chat', {
|
|
method: 'POST',
|
|
body: JSON.stringify(invalidData),
|
|
})
|
|
const { POST } = await import('@/app/api/chat/route')
|
|
const response = await POST(req)
|
|
|
|
expect(response.status).toBe(400)
|
|
})
|
|
|
|
it('should reject if identifier already exists', async () => {
|
|
vi.doMock('@/lib/auth', () => ({
|
|
getSession: vi.fn().mockResolvedValue({
|
|
user: { id: 'user-id' },
|
|
}),
|
|
}))
|
|
|
|
const validData = {
|
|
workflowId: 'workflow-123',
|
|
identifier: 'test-chat',
|
|
title: 'Test Chat',
|
|
customizations: {
|
|
primaryColor: '#000000',
|
|
welcomeMessage: 'Hello',
|
|
},
|
|
}
|
|
|
|
mockLimit.mockResolvedValueOnce([{ id: 'existing-chat' }]) // Identifier exists
|
|
|
|
const req = new NextRequest('http://localhost:3000/api/chat', {
|
|
method: 'POST',
|
|
body: JSON.stringify(validData),
|
|
})
|
|
const { POST } = await import('@/app/api/chat/route')
|
|
const response = await POST(req)
|
|
|
|
expect(response.status).toBe(400)
|
|
expect(mockCreateErrorResponse).toHaveBeenCalledWith('Identifier already in use', 400)
|
|
})
|
|
|
|
it('should reject if workflow not found', async () => {
|
|
vi.doMock('@/lib/auth', () => ({
|
|
getSession: vi.fn().mockResolvedValue({
|
|
user: { id: 'user-id' },
|
|
}),
|
|
}))
|
|
|
|
const validData = {
|
|
workflowId: 'workflow-123',
|
|
identifier: 'test-chat',
|
|
title: 'Test Chat',
|
|
customizations: {
|
|
primaryColor: '#000000',
|
|
welcomeMessage: 'Hello',
|
|
},
|
|
}
|
|
|
|
mockLimit.mockResolvedValueOnce([]) // Identifier is available
|
|
mockCheckWorkflowAccessForChatCreation.mockResolvedValue({ hasAccess: false })
|
|
|
|
const req = new NextRequest('http://localhost:3000/api/chat', {
|
|
method: 'POST',
|
|
body: JSON.stringify(validData),
|
|
})
|
|
const { POST } = await import('@/app/api/chat/route')
|
|
const response = await POST(req)
|
|
|
|
expect(response.status).toBe(404)
|
|
expect(mockCreateErrorResponse).toHaveBeenCalledWith(
|
|
'Workflow not found or access denied',
|
|
404
|
|
)
|
|
})
|
|
|
|
it('should allow chat deployment when user owns workflow directly', async () => {
|
|
vi.doMock('@/lib/auth', () => ({
|
|
getSession: vi.fn().mockResolvedValue({
|
|
user: { id: 'user-id', email: 'user@example.com' },
|
|
}),
|
|
}))
|
|
|
|
vi.doMock('@/lib/core/config/env', async () => {
|
|
const { createEnvMock } = await import('@sim/testing')
|
|
return createEnvMock({
|
|
NODE_ENV: 'development',
|
|
NEXT_PUBLIC_APP_URL: 'http://localhost:3000',
|
|
})
|
|
})
|
|
|
|
const validData = {
|
|
workflowId: 'workflow-123',
|
|
identifier: 'test-chat',
|
|
title: 'Test Chat',
|
|
customizations: {
|
|
primaryColor: '#000000',
|
|
welcomeMessage: 'Hello',
|
|
},
|
|
}
|
|
|
|
mockLimit.mockResolvedValueOnce([]) // Identifier is available
|
|
mockCheckWorkflowAccessForChatCreation.mockResolvedValue({
|
|
hasAccess: true,
|
|
workflow: { userId: 'user-id', workspaceId: null, isDeployed: true },
|
|
})
|
|
mockReturning.mockResolvedValue([{ id: 'test-uuid' }])
|
|
|
|
const req = new NextRequest('http://localhost:3000/api/chat', {
|
|
method: 'POST',
|
|
body: JSON.stringify(validData),
|
|
})
|
|
const { POST } = await import('@/app/api/chat/route')
|
|
const response = await POST(req)
|
|
|
|
expect(response.status).toBe(200)
|
|
expect(mockCheckWorkflowAccessForChatCreation).toHaveBeenCalledWith('workflow-123', 'user-id')
|
|
})
|
|
|
|
it('should allow chat deployment when user has workspace admin permission', async () => {
|
|
vi.doMock('@/lib/auth', () => ({
|
|
getSession: vi.fn().mockResolvedValue({
|
|
user: { id: 'user-id', email: 'user@example.com' },
|
|
}),
|
|
}))
|
|
|
|
vi.doMock('@/lib/core/config/env', async () => {
|
|
const { createEnvMock } = await import('@sim/testing')
|
|
return createEnvMock({
|
|
NODE_ENV: 'development',
|
|
NEXT_PUBLIC_APP_URL: 'http://localhost:3000',
|
|
})
|
|
})
|
|
|
|
const validData = {
|
|
workflowId: 'workflow-123',
|
|
identifier: 'test-chat',
|
|
title: 'Test Chat',
|
|
customizations: {
|
|
primaryColor: '#000000',
|
|
welcomeMessage: 'Hello',
|
|
},
|
|
}
|
|
|
|
mockLimit.mockResolvedValueOnce([]) // Identifier is available
|
|
mockCheckWorkflowAccessForChatCreation.mockResolvedValue({
|
|
hasAccess: true,
|
|
workflow: { userId: 'other-user-id', workspaceId: 'workspace-123', isDeployed: true },
|
|
})
|
|
mockReturning.mockResolvedValue([{ id: 'test-uuid' }])
|
|
|
|
const req = new NextRequest('http://localhost:3000/api/chat', {
|
|
method: 'POST',
|
|
body: JSON.stringify(validData),
|
|
})
|
|
const { POST } = await import('@/app/api/chat/route')
|
|
const response = await POST(req)
|
|
|
|
expect(response.status).toBe(200)
|
|
expect(mockCheckWorkflowAccessForChatCreation).toHaveBeenCalledWith('workflow-123', 'user-id')
|
|
})
|
|
|
|
it('should reject when workflow is in workspace but user lacks admin permission', async () => {
|
|
vi.doMock('@/lib/auth', () => ({
|
|
getSession: vi.fn().mockResolvedValue({
|
|
user: { id: 'user-id' },
|
|
}),
|
|
}))
|
|
|
|
const validData = {
|
|
workflowId: 'workflow-123',
|
|
identifier: 'test-chat',
|
|
title: 'Test Chat',
|
|
customizations: {
|
|
primaryColor: '#000000',
|
|
welcomeMessage: 'Hello',
|
|
},
|
|
}
|
|
|
|
mockLimit.mockResolvedValueOnce([]) // Identifier is available
|
|
mockCheckWorkflowAccessForChatCreation.mockResolvedValue({
|
|
hasAccess: false,
|
|
})
|
|
|
|
const req = new NextRequest('http://localhost:3000/api/chat', {
|
|
method: 'POST',
|
|
body: JSON.stringify(validData),
|
|
})
|
|
const { POST } = await import('@/app/api/chat/route')
|
|
const response = await POST(req)
|
|
|
|
expect(response.status).toBe(404)
|
|
expect(mockCreateErrorResponse).toHaveBeenCalledWith(
|
|
'Workflow not found or access denied',
|
|
404
|
|
)
|
|
expect(mockCheckWorkflowAccessForChatCreation).toHaveBeenCalledWith('workflow-123', 'user-id')
|
|
})
|
|
|
|
it('should handle workspace permission check errors gracefully', async () => {
|
|
vi.doMock('@/lib/auth', () => ({
|
|
getSession: vi.fn().mockResolvedValue({
|
|
user: { id: 'user-id' },
|
|
}),
|
|
}))
|
|
|
|
const validData = {
|
|
workflowId: 'workflow-123',
|
|
identifier: 'test-chat',
|
|
title: 'Test Chat',
|
|
customizations: {
|
|
primaryColor: '#000000',
|
|
welcomeMessage: 'Hello',
|
|
},
|
|
}
|
|
|
|
mockLimit.mockResolvedValueOnce([]) // Identifier is available
|
|
mockCheckWorkflowAccessForChatCreation.mockRejectedValue(new Error('Permission check failed'))
|
|
|
|
const req = new NextRequest('http://localhost:3000/api/chat', {
|
|
method: 'POST',
|
|
body: JSON.stringify(validData),
|
|
})
|
|
const { POST } = await import('@/app/api/chat/route')
|
|
const response = await POST(req)
|
|
|
|
expect(response.status).toBe(500)
|
|
expect(mockCheckWorkflowAccessForChatCreation).toHaveBeenCalledWith('workflow-123', 'user-id')
|
|
})
|
|
|
|
it('should auto-deploy workflow if not already deployed', async () => {
|
|
vi.doMock('@/lib/auth', () => ({
|
|
getSession: vi.fn().mockResolvedValue({
|
|
user: { id: 'user-id', email: 'user@example.com' },
|
|
}),
|
|
}))
|
|
|
|
const validData = {
|
|
workflowId: 'workflow-123',
|
|
identifier: 'test-chat',
|
|
title: 'Test Chat',
|
|
customizations: {
|
|
primaryColor: '#000000',
|
|
welcomeMessage: 'Hello',
|
|
},
|
|
}
|
|
|
|
mockLimit.mockResolvedValueOnce([]) // Identifier is available
|
|
mockCheckWorkflowAccessForChatCreation.mockResolvedValue({
|
|
hasAccess: true,
|
|
workflow: { userId: 'user-id', workspaceId: null, isDeployed: false },
|
|
})
|
|
mockReturning.mockResolvedValue([{ id: 'test-uuid' }])
|
|
|
|
const req = new NextRequest('http://localhost:3000/api/chat', {
|
|
method: 'POST',
|
|
body: JSON.stringify(validData),
|
|
})
|
|
const { POST } = await import('@/app/api/chat/route')
|
|
const response = await POST(req)
|
|
|
|
expect(response.status).toBe(200)
|
|
expect(mockDeployWorkflow).toHaveBeenCalledWith({
|
|
workflowId: 'workflow-123',
|
|
deployedBy: 'user-id',
|
|
})
|
|
})
|
|
})
|
|
})
|