* feat(audit-log): add persistent audit log system with comprehensive route instrumentation
* fix(audit-log): address PR review — nullable workspaceId, enum usage, remove redundant queries
- Make audit_log.workspace_id nullable with ON DELETE SET NULL (logs survive workspace/user deletion)
- Make audit_log.actor_id nullable with ON DELETE SET NULL
- Replace all 53 routes' string literal action/resourceType with AuditAction.X and AuditResourceType.X enums
- Fix empty workspaceId ('') → null for OAuth, form, and org routes to avoid FK violations
- Remove redundant DB queries in chat manage route (use checkChatAccess return data)
- Fix organization routes to pass workspaceId: null instead of organizationId
* fix(audit-log): replace remaining workspaceId '' fallbacks with null
* fix(audit-log): credential-set org IDs, workspace deletion FK, actorId fallback, string literal action
* reran migrations
* fix(mcp,audit): tighten env var domain bypass, add post-resolution check, form workspaceId
- Only bypass MCP domain check when env var is in hostname/authority, not path/query
- Add post-resolution validateMcpDomain call in test-connection endpoint
- Match client-side isDomainAllowed to same hostname-only bypass logic
- Return workspaceId from checkFormAccess, use in form audit logs
- Add 49 comprehensive domain-check tests covering all edge cases
* fix(mcp): stateful regex lastIndex bug, RFC 3986 authority parsing
- Remove /g flag from module-level ENV_VAR_PATTERN to avoid lastIndex state
- Create fresh regex instances per call in server-side hasEnvVarInHostname
- Fix authority extraction to terminate at /, ?, or # per RFC 3986
- Prevents bypass via https://evil.com?token={{SECRET}} (no path)
- Add test cases for query-only and fragment-only env var URLs (53 total)
* fix(audit-log): try/catch for never-throw contract, accept null actorName/Email, fix misleading action
- Wrap recordAudit body in try/catch so nanoid() or header extraction can't throw
- Accept string | null for actorName and actorEmail (session.user.name can be null)
- Normalize null -> undefined before insert to match DB column types
- Fix org members route: ORG_MEMBER_ADDED -> ORG_INVITATION_CREATED (sends invite, not adds member)
* improvement(audit-log): add resource names and specific invitation actions
* fix(audit-log): use validated chat record, add mock sync tests
import { db } from '@sim/db'
import { workflowFolder } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import { and, asc, desc, eq, isNull } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
import { getSession } from '@/lib/auth'
import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
// Module-scoped logger for this route; the tag identifies the folders API in log output.
const logger = createLogger('FoldersAPI')
// GET - Fetch folders for a workspace
/**
 * Lists every folder in a workspace, ordered by sortOrder then createdAt.
 *
 * Query: `workspaceId` (required).
 * Responses: 401 without a session, 400 without a workspaceId, 403 when the
 * caller has no permission on the workspace, 500 on unexpected failure.
 * Read-level membership is sufficient; the result is scoped by workspace, not
 * by creator, so members see folders created by other members.
 */
export async function GET(request: NextRequest) {
  try {
    const session = await getSession()
    const userId = session?.user?.id
    if (!userId) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }

    const workspaceId = new URL(request.url).searchParams.get('workspaceId')
    if (!workspaceId) {
      return NextResponse.json({ error: 'Workspace ID is required' }, { status: 400 })
    }

    // Any non-null permission level on the workspace (read included) may list folders.
    const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
    if (!permission) {
      return NextResponse.json({ error: 'Access denied to this workspace' }, { status: 403 })
    }

    // Filter by workspace only (not by userId) so shared-workspace members see each other's folders.
    const folderQuery = db
      .select()
      .from(workflowFolder)
      .where(eq(workflowFolder.workspaceId, workspaceId))
      .orderBy(asc(workflowFolder.sortOrder), asc(workflowFolder.createdAt))
    const folders = await folderQuery

    return NextResponse.json({ folders })
  } catch (error) {
    logger.error('Error fetching folders:', { error })
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
}
// POST - Create a new folder
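/**
 * Creates a folder in a workspace.
 *
 * Body (JSON): `name` (non-empty string), `workspaceId` (string), optional
 * `parentId` (string), `color` (string, defaults to '#6B7280'), `sortOrder`
 * (integer; computed as max sibling sortOrder + 1 when omitted or null).
 * Responses: 401 without a session, 400 on malformed/invalid input or a parent
 * that is not in this workspace, 403 without write/admin permission, 500 on
 * unexpected failure. Emits a FOLDER_CREATED audit record on success.
 *
 * The body is untrusted: every field is type-checked before it reaches a
 * string method or the database. Previously a non-string `name` threw on
 * `.trim()` (→ 500), a whitespace-only name was stored as '', a `null`
 * sortOrder was inserted as-is, and `parentId` was never checked to belong to
 * the target workspace.
 */
export async function POST(request: NextRequest) {
  try {
    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }

    // Malformed JSON is a client error, not a server error.
    let body: unknown
    try {
      body = await request.json()
    } catch {
      return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 })
    }
    if (!body || typeof body !== 'object' || Array.isArray(body)) {
      return NextResponse.json({ error: 'Request body must be a JSON object' }, { status: 400 })
    }
    const {
      name,
      workspaceId,
      parentId,
      color,
      sortOrder: providedSortOrder,
    } = body as Record<string, unknown>

    if (
      typeof name !== 'string' ||
      name.trim().length === 0 ||
      typeof workspaceId !== 'string' ||
      workspaceId.length === 0
    ) {
      return NextResponse.json({ error: 'Name and workspace ID are required' }, { status: 400 })
    }
    if (parentId != null && typeof parentId !== 'string') {
      return NextResponse.json({ error: 'Parent ID must be a string' }, { status: 400 })
    }
    if (color != null && typeof color !== 'string') {
      return NextResponse.json({ error: 'Color must be a string' }, { status: 400 })
    }
    // null is treated like "not provided"; anything else must be an integer, since it is
    // inserted directly into sortOrder (the column is compared with `+ 1` below).
    if (providedSortOrder != null && !Number.isInteger(providedSortOrder)) {
      return NextResponse.json({ error: 'Sort order must be an integer' }, { status: 400 })
    }
    const explicitSortOrder = typeof providedSortOrder === 'number' ? providedSortOrder : null

    const trimmedName = name.trim()
    // Empty string collapses to null / the default colour, as before.
    const parentFolderId = parentId || null
    const folderColor = color || '#6B7280'

    // Creating folders requires write or admin on the workspace. This is an explicit
    // allow-list so that any permission level other than those two fails closed.
    const workspacePermission = await getUserEntityPermissions(
      session.user.id,
      'workspace',
      workspaceId
    )
    const canWrite = workspacePermission === 'write' || workspacePermission === 'admin'
    if (!canWrite) {
      return NextResponse.json(
        { error: 'Write or Admin access required to create folders' },
        { status: 403 }
      )
    }

    // A parent must exist in *this* workspace. Without this check a caller with write
    // access here could attach a folder to another workspace's tree, or to an id that
    // does not exist (which surfaces as a 500 if the schema enforces an FK — TODO confirm).
    // The check runs outside the transaction; a parent deleted in between is left to the DB.
    if (parentFolderId) {
      const parent = await db
        .select({ id: workflowFolder.id })
        .from(workflowFolder)
        .where(
          and(eq(workflowFolder.id, parentFolderId), eq(workflowFolder.workspaceId, workspaceId))
        )
        .limit(1)
      if (parent.length === 0) {
        return NextResponse.json(
          { error: 'Parent folder not found in this workspace' },
          { status: 400 }
        )
      }
    }

    const id = crypto.randomUUID()

    const newFolder = await db.transaction(async (tx) => {
      let sortOrder: number
      if (explicitSortOrder !== null) {
        sortOrder = explicitSortOrder
      } else {
        // Append after the current last sibling (same workspace, same parent).
        const siblings = await tx
          .select({ sortOrder: workflowFolder.sortOrder })
          .from(workflowFolder)
          .where(
            and(
              eq(workflowFolder.workspaceId, workspaceId),
              parentFolderId
                ? eq(workflowFolder.parentId, parentFolderId)
                : isNull(workflowFolder.parentId)
            )
          )
          .orderBy(desc(workflowFolder.sortOrder))
          .limit(1)

        sortOrder = siblings.length > 0 ? siblings[0].sortOrder + 1 : 0
      }

      const [folder] = await tx
        .insert(workflowFolder)
        .values({
          id,
          name: trimmedName,
          userId: session.user.id,
          workspaceId,
          parentId: parentFolderId,
          color: folderColor,
          sortOrder,
        })
        .returning()

      return folder
    })

    logger.info('Created new folder:', { id, name: trimmedName, workspaceId, parentId: parentFolderId })

    // Fire-and-forget: recordAudit is documented as never throwing, so the response
    // does not wait on the audit write.
    recordAudit({
      workspaceId,
      actorId: session.user.id,
      actorName: session.user.name,
      actorEmail: session.user.email,
      action: AuditAction.FOLDER_CREATED,
      resourceType: AuditResourceType.FOLDER,
      resourceId: id,
      resourceName: trimmedName,
      description: `Created folder "${trimmedName}"`,
      metadata: { name: trimmedName, parentId: parentFolderId },
      request,
    })

    return NextResponse.json({ folder: newFolder })
  } catch (error) {
    logger.error('Error creating folder:', { error })
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
}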