chore: import upstream snapshot with attribution
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,133 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { toError } from '@sim/utils/errors'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { getValidationErrorMessage, isZodError } from '@/lib/api/server'
|
||||
import { checkInternalAuth } from '@/lib/auth/hybrid'
|
||||
import { secureFetchWithValidation } from '@/lib/core/security/input-validation.server'
|
||||
import { generateRequestId } from '@/lib/core/utils/request'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import {
|
||||
assertSafeExternalUrl,
|
||||
extractSapConcurError,
|
||||
fetchSapConcurAccessToken,
|
||||
SAP_CONCUR_OUTBOUND_FETCH_TIMEOUT_MS,
|
||||
type SapConcurProxyRequest,
|
||||
SapConcurProxyRequestSchema,
|
||||
} from '@/app/api/tools/sap_concur/shared'
|
||||
|
||||
export const dynamic = 'force-dynamic'
|
||||
|
||||
const logger = createLogger('SapConcurProxyAPI')
|
||||
|
||||
type ProxyRequest = SapConcurProxyRequest
|
||||
|
||||
function buildApiUrl(geolocation: string, req: ProxyRequest): string {
|
||||
const base = geolocation.replace(/\/+$/, '')
|
||||
const subPath = req.path.startsWith('/') ? req.path : `/${req.path}`
|
||||
const url = `${base}${subPath}`
|
||||
|
||||
if (!req.query || Object.keys(req.query).length === 0) {
|
||||
return url
|
||||
}
|
||||
const search = new URLSearchParams()
|
||||
for (const [key, value] of Object.entries(req.query)) {
|
||||
if (value === undefined || value === null) continue
|
||||
search.append(key, String(value))
|
||||
}
|
||||
const queryString = search.toString()
|
||||
if (!queryString) return url
|
||||
return url.includes('?') ? `${url}&${queryString}` : `${url}?${queryString}`
|
||||
}
|
||||
|
||||
interface Invocation {
|
||||
status: number
|
||||
body: unknown
|
||||
raw: string
|
||||
}
|
||||
|
||||
async function callConcur(
|
||||
req: ProxyRequest,
|
||||
accessToken: string,
|
||||
geolocation: string
|
||||
): Promise<Invocation> {
|
||||
const url = assertSafeExternalUrl(buildApiUrl(geolocation, req), 'apiUrl').toString()
|
||||
const hasBody = req.body !== undefined && req.body !== null
|
||||
const headers: Record<string, string> = {
|
||||
Authorization: `Bearer ${accessToken}`,
|
||||
Accept: 'application/json',
|
||||
}
|
||||
if (hasBody) headers['Content-Type'] = req.contentType ?? 'application/json'
|
||||
if (req.companyUuid) headers['concur-correlationid'] = req.companyUuid
|
||||
|
||||
const response = await secureFetchWithValidation(
|
||||
url,
|
||||
{
|
||||
method: req.method,
|
||||
headers,
|
||||
body: hasBody
|
||||
? typeof req.body === 'string'
|
||||
? req.body
|
||||
: JSON.stringify(req.body)
|
||||
: undefined,
|
||||
timeout: SAP_CONCUR_OUTBOUND_FETCH_TIMEOUT_MS,
|
||||
},
|
||||
'apiUrl'
|
||||
)
|
||||
|
||||
const raw = await response.text()
|
||||
let parsed: unknown = null
|
||||
if (raw.length > 0) {
|
||||
try {
|
||||
parsed = JSON.parse(raw)
|
||||
} catch {
|
||||
parsed = raw
|
||||
}
|
||||
}
|
||||
return { status: response.status, body: parsed, raw }
|
||||
}
|
||||
|
||||
export const POST = withRouteHandler(async (request: NextRequest) => {
|
||||
const requestId = generateRequestId()
|
||||
|
||||
try {
|
||||
const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
|
||||
if (!authResult.success) {
|
||||
logger.warn(`[${requestId}] Unauthorized Concur proxy request: ${authResult.error}`)
|
||||
return NextResponse.json(
|
||||
{ success: false, error: authResult.error || 'Authentication required' },
|
||||
{ status: 401 }
|
||||
)
|
||||
}
|
||||
|
||||
// boundary-raw-json: internal proxy envelope validated by SapConcurProxyRequestSchema below; not a public boundary
|
||||
const json = await request.json()
|
||||
const proxyReq = SapConcurProxyRequestSchema.parse(json)
|
||||
|
||||
const { accessToken, geolocation } = await fetchSapConcurAccessToken(proxyReq, requestId)
|
||||
const invocation = await callConcur(proxyReq, accessToken, geolocation)
|
||||
|
||||
if (invocation.status >= 200 && invocation.status < 300) {
|
||||
const data = invocation.status === 204 ? null : invocation.body
|
||||
return NextResponse.json({ success: true, output: { status: invocation.status, data } })
|
||||
}
|
||||
|
||||
const message = extractSapConcurError(invocation.body, invocation.status)
|
||||
logger.warn(
|
||||
`[${requestId}] Concur API error (${invocation.status}) ${proxyReq.path}: ${message}`
|
||||
)
|
||||
return NextResponse.json(
|
||||
{ success: false, error: message, status: invocation.status },
|
||||
{ status: invocation.status }
|
||||
)
|
||||
} catch (error) {
|
||||
if (isZodError(error)) {
|
||||
logger.warn(`[${requestId}] Validation error:`, error.issues)
|
||||
return NextResponse.json(
|
||||
{ success: false, error: getValidationErrorMessage(error, 'Validation failed') },
|
||||
{ status: 400 }
|
||||
)
|
||||
}
|
||||
logger.error(`[${requestId}] Unexpected Concur proxy error:`, error)
|
||||
return NextResponse.json({ success: false, error: toError(error).message }, { status: 500 })
|
||||
}
|
||||
})
|
||||
@@ -0,0 +1,305 @@
|
||||
import { createHash } from 'node:crypto'
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { z } from 'zod'
|
||||
import { secureFetchWithValidation } from '@/lib/core/security/input-validation.server'
|
||||
import { FileInputSchema } from '@/lib/uploads/utils/file-schemas'
|
||||
|
||||
const logger = createLogger('SapConcurShared')
|
||||
|
||||
export const SAP_CONCUR_ALLOWED_DATACENTERS = new Set([
|
||||
'us.api.concursolutions.com',
|
||||
'us2.api.concursolutions.com',
|
||||
'eu.api.concursolutions.com',
|
||||
'eu2.api.concursolutions.com',
|
||||
'cn.api.concursolutions.com',
|
||||
'emea.api.concursolutions.com',
|
||||
])
|
||||
|
||||
export const SapConcurDatacenterSchema = z
|
||||
.string()
|
||||
.min(1)
|
||||
.refine((d) => SAP_CONCUR_ALLOWED_DATACENTERS.has(d), {
|
||||
message: `datacenter must be one of: ${Array.from(SAP_CONCUR_ALLOWED_DATACENTERS).join(', ')}`,
|
||||
})
|
||||
|
||||
export const SapConcurGrantTypeSchema = z.enum(['client_credentials', 'password'])
|
||||
|
||||
export const SapConcurAuthSchema = z.object({
|
||||
datacenter: SapConcurDatacenterSchema.default('us.api.concursolutions.com'),
|
||||
grantType: SapConcurGrantTypeSchema.default('client_credentials'),
|
||||
clientId: z.string().min(1, 'clientId is required'),
|
||||
clientSecret: z.string().min(1, 'clientSecret is required'),
|
||||
username: z.string().optional(),
|
||||
password: z.string().optional(),
|
||||
companyUuid: z.string().optional(),
|
||||
})
|
||||
|
||||
export type SapConcurAuth = z.infer<typeof SapConcurAuthSchema>
|
||||
|
||||
export const SapConcurHttpMethod = z.enum(['GET', 'POST', 'PUT', 'PATCH', 'DELETE'])
|
||||
|
||||
export const SapConcurProxyPath = z
|
||||
.string()
|
||||
.min(1, 'path is required')
|
||||
.refine(
|
||||
(p) =>
|
||||
!p.split(/[/\\]/).some((seg) => seg === '..' || seg === '.') &&
|
||||
!p.includes('#') &&
|
||||
!/%(?:2[eEfF]|5[cC]|23)/.test(p),
|
||||
{
|
||||
message:
|
||||
'path must not contain ".." or "." segments, "#", or percent-encoded path/fragment characters',
|
||||
}
|
||||
)
|
||||
|
||||
export const SapConcurProxyRequestSchema = SapConcurAuthSchema.extend({
|
||||
path: SapConcurProxyPath,
|
||||
method: SapConcurHttpMethod.default('GET'),
|
||||
query: z.record(z.string(), z.union([z.string(), z.number(), z.boolean()])).optional(),
|
||||
body: z.unknown().optional(),
|
||||
contentType: z.string().optional(),
|
||||
}).superRefine((req, ctx) => {
|
||||
if (req.grantType === 'password') {
|
||||
if (!req.username) {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
path: ['username'],
|
||||
message: 'username is required for password grant',
|
||||
})
|
||||
}
|
||||
if (!req.password) {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
path: ['password'],
|
||||
message: 'password is required for password grant',
|
||||
})
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
export type SapConcurProxyRequest = z.infer<typeof SapConcurProxyRequestSchema>
|
||||
|
||||
export const SapConcurUploadOperation = z.enum([
|
||||
'upload_receipt_image',
|
||||
'create_quick_expense_with_image',
|
||||
])
|
||||
|
||||
export const SapConcurUploadRequestSchema = SapConcurAuthSchema.extend({
|
||||
operation: SapConcurUploadOperation,
|
||||
userId: z.string().min(1, 'userId is required'),
|
||||
contextType: z.string().optional(),
|
||||
receipt: FileInputSchema,
|
||||
forwardId: z.string().max(40).optional(),
|
||||
body: z.union([z.record(z.string(), z.unknown()), z.string()]).optional(),
|
||||
})
|
||||
|
||||
export type SapConcurUploadRequest = z.infer<typeof SapConcurUploadRequestSchema>
|
||||
|
||||
const FORBIDDEN_HOSTS = new Set([
|
||||
'localhost',
|
||||
'0.0.0.0',
|
||||
'127.0.0.1',
|
||||
'169.254.169.254',
|
||||
'metadata.google.internal',
|
||||
'metadata',
|
||||
'[::1]',
|
||||
'[::]',
|
||||
'[::ffff:127.0.0.1]',
|
||||
'[fd00:ec2::254]',
|
||||
])
|
||||
|
||||
function isPrivateIPv4(host: string): boolean {
|
||||
const match = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/)
|
||||
if (!match) return false
|
||||
const octets = match.slice(1, 5).map(Number) as [number, number, number, number]
|
||||
if (octets.some((o) => o < 0 || o > 255)) return false
|
||||
const [a, b] = octets
|
||||
if (a === 10) return true
|
||||
if (a === 172 && b >= 16 && b <= 31) return true
|
||||
if (a === 192 && b === 168) return true
|
||||
if (a === 127) return true
|
||||
if (a === 169 && b === 254) return true
|
||||
if (a === 0) return true
|
||||
return false
|
||||
}
|
||||
|
||||
function isPrivateOrLoopbackIPv6(host: string): boolean {
|
||||
const stripped = host.startsWith('[') && host.endsWith(']') ? host.slice(1, -1) : host
|
||||
const lower = stripped.toLowerCase()
|
||||
if (lower === '::' || lower === '::1') return true
|
||||
if (/^fc[0-9a-f]{2}:/.test(lower) || /^fd[0-9a-f]{2}:/.test(lower)) return true
|
||||
if (lower.startsWith('fe80:')) return true
|
||||
return false
|
||||
}
|
||||
|
||||
/** Validate a URL is https and not pointing to a private/loopback host. */
|
||||
export function assertSafeExternalUrl(rawUrl: string, label: string): URL {
|
||||
let parsed: URL
|
||||
try {
|
||||
parsed = new URL(rawUrl)
|
||||
} catch {
|
||||
throw new Error(`${label} must be a valid URL`)
|
||||
}
|
||||
if (parsed.protocol !== 'https:') {
|
||||
throw new Error(`${label} must use https://`)
|
||||
}
|
||||
const host = parsed.hostname.toLowerCase()
|
||||
if (FORBIDDEN_HOSTS.has(host) || FORBIDDEN_HOSTS.has(`[${host}]`)) {
|
||||
throw new Error(`${label} host is not allowed`)
|
||||
}
|
||||
if (isPrivateIPv4(host)) {
|
||||
throw new Error(`${label} host is not allowed (private/loopback range)`)
|
||||
}
|
||||
if (isPrivateOrLoopbackIPv6(host)) {
|
||||
throw new Error(`${label} host is not allowed (IPv6 private/loopback)`)
|
||||
}
|
||||
return parsed
|
||||
}
|
||||
|
||||
interface CachedToken {
|
||||
accessToken: string
|
||||
geolocation: string
|
||||
expiresAt: number
|
||||
}
|
||||
|
||||
const TOKEN_CACHE = new Map<string, CachedToken>()
|
||||
const TOKEN_CACHE_MAX_ENTRIES = 500
|
||||
const TOKEN_SAFETY_WINDOW_MS = 60_000
|
||||
export const SAP_CONCUR_OUTBOUND_FETCH_TIMEOUT_MS = 30_000
|
||||
|
||||
function tokenCacheKey(req: SapConcurAuth): string {
|
||||
const secretHash = createHash('sha256').update(req.clientSecret).digest('hex').slice(0, 16)
|
||||
const userHash = req.username
|
||||
? createHash('sha256').update(req.username).digest('hex').slice(0, 12)
|
||||
: ''
|
||||
return `${req.datacenter}::${req.grantType}::${req.clientId}::${secretHash}::${userHash}`
|
||||
}
|
||||
|
||||
function rememberToken(key: string, token: CachedToken): void {
|
||||
if (TOKEN_CACHE.has(key)) TOKEN_CACHE.delete(key)
|
||||
TOKEN_CACHE.set(key, token)
|
||||
while (TOKEN_CACHE.size > TOKEN_CACHE_MAX_ENTRIES) {
|
||||
const oldestKey = TOKEN_CACHE.keys().next().value
|
||||
if (oldestKey === undefined) break
|
||||
TOKEN_CACHE.delete(oldestKey)
|
||||
}
|
||||
}
|
||||
|
||||
function normalizeGeolocation(raw: string | undefined, fallback: string): string {
|
||||
if (!raw) return `https://${fallback}`
|
||||
const trimmed = raw.replace(/\/+$/, '')
|
||||
if (trimmed.startsWith('http://') || trimmed.startsWith('https://')) return trimmed
|
||||
return `https://${trimmed}`
|
||||
}
|
||||
|
||||
/**
|
||||
* Acquire a Concur access token, sharing a cache with the proxy route.
|
||||
* Validates that the geolocation returned by Concur is a safe external URL.
|
||||
*/
|
||||
export async function fetchSapConcurAccessToken(
|
||||
auth: SapConcurAuth,
|
||||
requestId: string
|
||||
): Promise<{ accessToken: string; geolocation: string }> {
|
||||
if (auth.grantType === 'password') {
|
||||
if (!auth.username) throw new Error('username is required for password grant')
|
||||
if (!auth.password) throw new Error('password is required for password grant')
|
||||
}
|
||||
|
||||
const cacheKey = tokenCacheKey(auth)
|
||||
const cached = TOKEN_CACHE.get(cacheKey)
|
||||
if (cached && cached.expiresAt - TOKEN_SAFETY_WINDOW_MS > Date.now()) {
|
||||
return { accessToken: cached.accessToken, geolocation: cached.geolocation }
|
||||
}
|
||||
|
||||
const tokenUrl = assertSafeExternalUrl(
|
||||
`https://${auth.datacenter}/oauth2/v0/token`,
|
||||
'tokenUrl'
|
||||
).toString()
|
||||
|
||||
const params = new URLSearchParams()
|
||||
params.set('client_id', auth.clientId)
|
||||
params.set('client_secret', auth.clientSecret)
|
||||
params.set('grant_type', auth.grantType)
|
||||
if (auth.grantType === 'password') {
|
||||
params.set('username', auth.username ?? '')
|
||||
params.set('password', auth.password ?? '')
|
||||
if (auth.companyUuid) params.set('credtype', 'authtoken')
|
||||
}
|
||||
|
||||
const response = await secureFetchWithValidation(
|
||||
tokenUrl,
|
||||
{
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/x-www-form-urlencoded',
|
||||
Accept: 'application/json',
|
||||
},
|
||||
body: params.toString(),
|
||||
timeout: SAP_CONCUR_OUTBOUND_FETCH_TIMEOUT_MS,
|
||||
},
|
||||
'tokenUrl'
|
||||
)
|
||||
|
||||
if (!response.ok) {
|
||||
const text = await response.text().catch(() => '')
|
||||
logger.warn(`[${requestId}] Concur token fetch failed (${response.status}): ${text}`)
|
||||
throw new Error(`Concur token request failed: HTTP ${response.status}`)
|
||||
}
|
||||
|
||||
const data = (await response.json()) as {
|
||||
access_token?: string
|
||||
expires_in?: number
|
||||
geolocation?: string
|
||||
}
|
||||
|
||||
if (!data.access_token) {
|
||||
throw new Error('Concur token response missing access_token')
|
||||
}
|
||||
|
||||
const geolocation = normalizeGeolocation(data.geolocation, auth.datacenter)
|
||||
const geolocationUrl = assertSafeExternalUrl(geolocation, 'geolocation')
|
||||
if (!SAP_CONCUR_ALLOWED_DATACENTERS.has(geolocationUrl.hostname.toLowerCase())) {
|
||||
throw new Error(
|
||||
`Concur geolocation host is not in the allowed datacenter list: ${geolocationUrl.hostname}`
|
||||
)
|
||||
}
|
||||
|
||||
const expiresInMs = (data.expires_in ?? 3600) * 1000
|
||||
rememberToken(cacheKey, {
|
||||
accessToken: data.access_token,
|
||||
geolocation,
|
||||
expiresAt: Date.now() + expiresInMs,
|
||||
})
|
||||
return { accessToken: data.access_token, geolocation }
|
||||
}
|
||||
|
||||
/** Extract a meaningful error message from a Concur error response body. */
|
||||
export function extractSapConcurError(body: unknown, status: number): string {
|
||||
if (body && typeof body === 'object') {
|
||||
const obj = body as Record<string, unknown>
|
||||
if (typeof obj.error === 'string' && obj.error.length > 0) {
|
||||
const desc = typeof obj.error_description === 'string' ? `: ${obj.error_description}` : ''
|
||||
return `${obj.error}${desc}`
|
||||
}
|
||||
if (typeof obj.message === 'string' && obj.message.length > 0) {
|
||||
return obj.message
|
||||
}
|
||||
const errors = obj.errors
|
||||
if (Array.isArray(errors) && errors.length > 0) {
|
||||
return errors
|
||||
.map((e) => {
|
||||
if (e && typeof e === 'object') {
|
||||
const eo = e as Record<string, unknown>
|
||||
const code = typeof eo.errorCode === 'string' ? `[${eo.errorCode}] ` : ''
|
||||
const msg = typeof eo.errorMessage === 'string' ? eo.errorMessage : ''
|
||||
return `${code}${msg}`.trim()
|
||||
}
|
||||
return String(e)
|
||||
})
|
||||
.filter(Boolean)
|
||||
.join('; ')
|
||||
}
|
||||
}
|
||||
if (typeof body === 'string' && body.length > 0) return body
|
||||
return `Concur request failed with HTTP ${status}`
|
||||
}
|
||||
@@ -0,0 +1,298 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { getErrorMessage, toError } from '@sim/utils/errors'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { getValidationErrorMessage, isZodError } from '@/lib/api/server'
|
||||
import { checkInternalAuth } from '@/lib/auth/hybrid'
|
||||
import { secureFetchWithValidation } from '@/lib/core/security/input-validation.server'
|
||||
import { generateRequestId } from '@/lib/core/utils/request'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import { processFilesToUserFiles, type RawFileInput } from '@/lib/uploads/utils/file-utils'
|
||||
import { downloadServableFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
|
||||
import { docNotReadyResponse } from '@/lib/uploads/utils/servable-file-response'
|
||||
import { assertToolFileAccess } from '@/app/api/files/authorization'
|
||||
import {
|
||||
assertSafeExternalUrl,
|
||||
extractSapConcurError,
|
||||
fetchSapConcurAccessToken,
|
||||
SAP_CONCUR_OUTBOUND_FETCH_TIMEOUT_MS,
|
||||
type SapConcurUploadRequest,
|
||||
SapConcurUploadRequestSchema,
|
||||
} from '@/app/api/tools/sap_concur/shared'
|
||||
|
||||
export const dynamic = 'force-dynamic'
|
||||
|
||||
const logger = createLogger('SapConcurUploadAPI')
|
||||
|
||||
type UploadRequest = SapConcurUploadRequest
|
||||
|
||||
const RECEIPT_ALLOWED_MIME_TYPES = new Set([
|
||||
'application/pdf',
|
||||
'image/png',
|
||||
'image/jpeg',
|
||||
'image/jpg',
|
||||
'image/gif',
|
||||
'image/tiff',
|
||||
])
|
||||
|
||||
const QUICK_EXPENSE_ALLOWED_MIME_TYPES = new Set([
|
||||
'application/pdf',
|
||||
'image/png',
|
||||
'image/jpeg',
|
||||
'image/jpg',
|
||||
'image/tiff',
|
||||
])
|
||||
|
||||
const ALLOWED_MIME_TYPES = RECEIPT_ALLOWED_MIME_TYPES
|
||||
|
||||
function inferMimeType(name: string, declared?: string): string {
|
||||
if (declared && ALLOWED_MIME_TYPES.has(declared.toLowerCase())) {
|
||||
return declared.toLowerCase() === 'image/jpg' ? 'image/jpeg' : declared.toLowerCase()
|
||||
}
|
||||
const lower = name.toLowerCase()
|
||||
if (lower.endsWith('.pdf')) return 'application/pdf'
|
||||
if (lower.endsWith('.png')) return 'image/png'
|
||||
if (lower.endsWith('.jpg') || lower.endsWith('.jpeg')) return 'image/jpeg'
|
||||
if (lower.endsWith('.gif')) return 'image/gif'
|
||||
if (lower.endsWith('.tif') || lower.endsWith('.tiff')) return 'image/tiff'
|
||||
return 'application/octet-stream'
|
||||
}
|
||||
|
||||
function stringifyMaybeJson(value: unknown): string {
|
||||
if (typeof value === 'string') return value
|
||||
return JSON.stringify(value ?? {})
|
||||
}
|
||||
|
||||
interface UploadInvocation {
|
||||
status: number
|
||||
body: unknown
|
||||
}
|
||||
|
||||
async function postMultipart(
|
||||
url: string,
|
||||
accessToken: string,
|
||||
formData: FormData,
|
||||
companyUuid: string | undefined,
|
||||
extraHeaders?: Record<string, string>
|
||||
): Promise<UploadInvocation> {
|
||||
const headers: Record<string, string> = {
|
||||
Authorization: `Bearer ${accessToken}`,
|
||||
Accept: 'application/json',
|
||||
...(extraHeaders ?? {}),
|
||||
}
|
||||
if (companyUuid) headers['concur-correlationid'] = companyUuid
|
||||
|
||||
// Serialize FormData (with auto-generated multipart boundary) to a Buffer so we can
|
||||
// route through secureFetchWithValidation (which doesn't support FormData bodies directly).
|
||||
const serialized = new Request('http://localhost/internal-multipart-serializer', {
|
||||
method: 'POST',
|
||||
body: formData,
|
||||
})
|
||||
const contentType = serialized.headers.get('content-type')
|
||||
if (contentType) headers['Content-Type'] = contentType
|
||||
const bodyBuffer = Buffer.from(await serialized.arrayBuffer())
|
||||
|
||||
const response = await secureFetchWithValidation(
|
||||
url,
|
||||
{
|
||||
method: 'POST',
|
||||
headers,
|
||||
body: bodyBuffer,
|
||||
timeout: SAP_CONCUR_OUTBOUND_FETCH_TIMEOUT_MS,
|
||||
},
|
||||
'apiUrl'
|
||||
)
|
||||
|
||||
const raw = await response.text()
|
||||
let parsed: unknown = null
|
||||
if (raw.length > 0) {
|
||||
try {
|
||||
parsed = JSON.parse(raw)
|
||||
} catch {
|
||||
parsed = raw
|
||||
}
|
||||
}
|
||||
// Surface Location/Link headers for receipt endpoints that return 202 with no body.
|
||||
if (
|
||||
parsed === null ||
|
||||
(typeof parsed === 'object' && parsed !== null && Object.keys(parsed).length === 0)
|
||||
) {
|
||||
const location = response.headers.get('Location')
|
||||
const link = response.headers.get('Link')
|
||||
if (location || link) {
|
||||
parsed = { location, link }
|
||||
}
|
||||
}
|
||||
return { status: response.status, body: parsed }
|
||||
}
|
||||
|
||||
async function handleUploadReceiptImage(
|
||||
req: UploadRequest,
|
||||
fileBuffer: Buffer,
|
||||
fileName: string,
|
||||
mimeType: string,
|
||||
accessToken: string,
|
||||
geolocation: string
|
||||
): Promise<UploadInvocation> {
|
||||
const url = assertSafeExternalUrl(
|
||||
`${geolocation.replace(/\/+$/, '')}/receipts/v4/users/${encodeURIComponent(req.userId)}/image-only-receipts`,
|
||||
'apiUrl'
|
||||
).toString()
|
||||
|
||||
const formData = new FormData()
|
||||
formData.append('image', new Blob([new Uint8Array(fileBuffer)], { type: mimeType }), fileName)
|
||||
|
||||
const extraHeaders: Record<string, string> | undefined = req.forwardId
|
||||
? { 'concur-forwardid': req.forwardId }
|
||||
: undefined
|
||||
|
||||
return postMultipart(url, accessToken, formData, req.companyUuid, extraHeaders)
|
||||
}
|
||||
|
||||
async function handleCreateQuickExpenseWithImage(
|
||||
req: UploadRequest,
|
||||
fileBuffer: Buffer,
|
||||
fileName: string,
|
||||
mimeType: string,
|
||||
accessToken: string,
|
||||
geolocation: string
|
||||
): Promise<UploadInvocation> {
|
||||
const contextType = req.contextType?.trim() || 'TRAVELER'
|
||||
const url = assertSafeExternalUrl(
|
||||
`${geolocation.replace(/\/+$/, '')}/quickexpense/v4/users/${encodeURIComponent(
|
||||
req.userId
|
||||
)}/context/${encodeURIComponent(contextType)}/quickexpenses/image`,
|
||||
'apiUrl'
|
||||
).toString()
|
||||
|
||||
const quickExpenseRequest = stringifyMaybeJson(req.body ?? {})
|
||||
|
||||
const formData = new FormData()
|
||||
formData.append('quickExpenseRequest', quickExpenseRequest)
|
||||
formData.append(
|
||||
'fileContent',
|
||||
new Blob([new Uint8Array(fileBuffer)], { type: mimeType }),
|
||||
fileName
|
||||
)
|
||||
|
||||
return postMultipart(url, accessToken, formData, req.companyUuid)
|
||||
}
|
||||
|
||||
export const POST = withRouteHandler(async (request: NextRequest) => {
|
||||
const requestId = generateRequestId()
|
||||
|
||||
try {
|
||||
const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
|
||||
if (!authResult.success || !authResult.userId) {
|
||||
logger.warn(`[${requestId}] Unauthorized Concur upload request: ${authResult.error}`)
|
||||
return NextResponse.json(
|
||||
{ success: false, error: authResult.error || 'Authentication required' },
|
||||
{ status: 401 }
|
||||
)
|
||||
}
|
||||
const userId = authResult.userId
|
||||
|
||||
// boundary-raw-json: internal upload envelope validated by SapConcurUploadRequestSchema below; not a public boundary
|
||||
const json = await request.json()
|
||||
const uploadReq = SapConcurUploadRequestSchema.parse(json)
|
||||
|
||||
const userFiles = processFilesToUserFiles(
|
||||
[uploadReq.receipt as RawFileInput],
|
||||
requestId,
|
||||
logger
|
||||
)
|
||||
if (userFiles.length === 0) {
|
||||
return NextResponse.json(
|
||||
{ success: false, error: 'Invalid receipt file input' },
|
||||
{ status: 400 }
|
||||
)
|
||||
}
|
||||
const userFile = userFiles[0]
|
||||
const denied = await assertToolFileAccess(userFile.key, userId, requestId, logger)
|
||||
if (denied) return denied
|
||||
let fileBuffer: Buffer
|
||||
let resolvedContentType: string
|
||||
try {
|
||||
const resolved = await downloadServableFileFromStorage(userFile, requestId, logger)
|
||||
fileBuffer = resolved.buffer
|
||||
resolvedContentType = resolved.contentType
|
||||
} catch (error) {
|
||||
const notReady = docNotReadyResponse(error)
|
||||
if (notReady) return notReady
|
||||
logger.error(`[${requestId}] Failed to download Concur receipt file:`, error)
|
||||
return NextResponse.json(
|
||||
{ success: false, error: getErrorMessage(error, 'Unknown error') },
|
||||
{ status: 500 }
|
||||
)
|
||||
}
|
||||
const fileName = userFile.name
|
||||
const mimeType = inferMimeType(fileName, resolvedContentType || userFile.type)
|
||||
|
||||
const allowedForOperation =
|
||||
uploadReq.operation === 'create_quick_expense_with_image'
|
||||
? QUICK_EXPENSE_ALLOWED_MIME_TYPES
|
||||
: RECEIPT_ALLOWED_MIME_TYPES
|
||||
if (!allowedForOperation.has(mimeType)) {
|
||||
const allowedLabel =
|
||||
uploadReq.operation === 'create_quick_expense_with_image'
|
||||
? 'pdf, png, jpeg, tiff'
|
||||
: 'pdf, png, jpeg, gif, tiff'
|
||||
return NextResponse.json(
|
||||
{
|
||||
success: false,
|
||||
error: `Unsupported receipt mime type: ${mimeType}. Allowed: ${allowedLabel}`,
|
||||
},
|
||||
{ status: 400 }
|
||||
)
|
||||
}
|
||||
|
||||
const { accessToken, geolocation } = await fetchSapConcurAccessToken(uploadReq, requestId)
|
||||
|
||||
let invocation: UploadInvocation
|
||||
if (uploadReq.operation === 'upload_receipt_image') {
|
||||
invocation = await handleUploadReceiptImage(
|
||||
uploadReq,
|
||||
fileBuffer,
|
||||
fileName,
|
||||
mimeType,
|
||||
accessToken,
|
||||
geolocation
|
||||
)
|
||||
} else {
|
||||
invocation = await handleCreateQuickExpenseWithImage(
|
||||
uploadReq,
|
||||
fileBuffer,
|
||||
fileName,
|
||||
mimeType,
|
||||
accessToken,
|
||||
geolocation
|
||||
)
|
||||
}
|
||||
|
||||
if (invocation.status >= 200 && invocation.status < 300) {
|
||||
const data = invocation.status === 204 ? null : invocation.body
|
||||
logger.info(
|
||||
`[${requestId}] Concur ${uploadReq.operation} succeeded: HTTP ${invocation.status}`
|
||||
)
|
||||
return NextResponse.json({ success: true, output: { status: invocation.status, data } })
|
||||
}
|
||||
|
||||
const message = extractSapConcurError(invocation.body, invocation.status)
|
||||
logger.warn(
|
||||
`[${requestId}] Concur upload error (${invocation.status}) ${uploadReq.operation}: ${message}`
|
||||
)
|
||||
return NextResponse.json(
|
||||
{ success: false, error: message, status: invocation.status },
|
||||
{ status: invocation.status }
|
||||
)
|
||||
} catch (error) {
|
||||
if (isZodError(error)) {
|
||||
logger.warn(`[${requestId}] Validation error:`, error.issues)
|
||||
return NextResponse.json(
|
||||
{ success: false, error: getValidationErrorMessage(error, 'Validation failed') },
|
||||
{ status: 400 }
|
||||
)
|
||||
}
|
||||
logger.error(`[${requestId}] Unexpected Concur upload error:`, error)
|
||||
return NextResponse.json({ success: false, error: toError(error).message }, { status: 500 })
|
||||
}
|
||||
})
|
||||
Reference in New Issue
Block a user