chore: import upstream snapshot with attribution
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,286 @@
|
||||
import { AuditAction, AuditResourceType, recordAudit } from '@sim/audit'
|
||||
import { db } from '@sim/db'
|
||||
import { webhook, workflow } from '@sim/db/schema'
|
||||
import { createLogger } from '@sim/logger'
|
||||
import {
|
||||
assertWorkflowMutable,
|
||||
authorizeWorkflowByWorkspacePermission,
|
||||
WorkflowLockedError,
|
||||
} from '@sim/platform-authz/workflow'
|
||||
import { and, eq, isNull } from 'drizzle-orm'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import {
|
||||
deleteWebhookContract,
|
||||
getWebhookContract,
|
||||
updateWebhookContract,
|
||||
} from '@/lib/api/contracts/webhooks'
|
||||
import { parseRequest } from '@/lib/api/server'
|
||||
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
|
||||
import { PlatformEvents } from '@/lib/core/telemetry'
|
||||
import { generateRequestId } from '@/lib/core/utils/request'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import { captureServerEvent } from '@/lib/posthog/server'
|
||||
import { cleanupExternalWebhook } from '@/lib/webhooks/provider-subscriptions'
|
||||
|
||||
const logger = createLogger('WebhookAPI')
|
||||
|
||||
export const dynamic = 'force-dynamic'
|
||||
|
||||
// Get a specific webhook
|
||||
export const GET = withRouteHandler(
|
||||
async (request: NextRequest, context: { params: Promise<{ id: string }> }) => {
|
||||
const requestId = generateRequestId()
|
||||
|
||||
try {
|
||||
const parsed = await parseRequest(getWebhookContract, request, context)
|
||||
if (!parsed.success) return parsed.response
|
||||
const { id } = parsed.data.params
|
||||
|
||||
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
|
||||
if (!auth.success || !auth.userId) {
|
||||
logger.warn(`[${requestId}] Unauthorized webhook access attempt`)
|
||||
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
const userId = auth.userId
|
||||
|
||||
const webhooks = await db
|
||||
.select({
|
||||
webhook: webhook,
|
||||
workflow: {
|
||||
id: workflow.id,
|
||||
name: workflow.name,
|
||||
userId: workflow.userId,
|
||||
workspaceId: workflow.workspaceId,
|
||||
},
|
||||
})
|
||||
.from(webhook)
|
||||
.innerJoin(workflow, eq(webhook.workflowId, workflow.id))
|
||||
.where(and(eq(webhook.id, id), isNull(webhook.archivedAt)))
|
||||
.limit(1)
|
||||
|
||||
if (webhooks.length === 0) {
|
||||
logger.warn(`[${requestId}] Webhook not found: ${id}`)
|
||||
return NextResponse.json({ error: 'Webhook not found' }, { status: 404 })
|
||||
}
|
||||
|
||||
const webhookData = webhooks[0]
|
||||
|
||||
const authorization = await authorizeWorkflowByWorkspacePermission({
|
||||
workflowId: webhookData.workflow.id,
|
||||
userId,
|
||||
action: 'read',
|
||||
})
|
||||
const hasAccess = authorization.allowed
|
||||
|
||||
if (!hasAccess) {
|
||||
logger.warn(`[${requestId}] User ${userId} denied access to webhook: ${id}`)
|
||||
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
|
||||
}
|
||||
|
||||
logger.info(`[${requestId}] Successfully retrieved webhook: ${id}`)
|
||||
return NextResponse.json({ webhook: webhooks[0] }, { status: 200 })
|
||||
} catch (error) {
|
||||
logger.error(`[${requestId}] Error fetching webhook`, error)
|
||||
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
|
||||
}
|
||||
}
|
||||
)
|
||||
|
||||
export const PATCH = withRouteHandler(
|
||||
async (request: NextRequest, context: { params: Promise<{ id: string }> }) => {
|
||||
const requestId = generateRequestId()
|
||||
|
||||
try {
|
||||
const parsed = await parseRequest(updateWebhookContract, request, context)
|
||||
if (!parsed.success) return parsed.response
|
||||
const { id } = parsed.data.params
|
||||
|
||||
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
|
||||
if (!auth.success || !auth.userId) {
|
||||
logger.warn(`[${requestId}] Unauthorized webhook update attempt`)
|
||||
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
const userId = auth.userId
|
||||
|
||||
const { isActive, failedCount } = parsed.data.body
|
||||
|
||||
const webhooks = await db
|
||||
.select({
|
||||
webhook: webhook,
|
||||
workflow: {
|
||||
id: workflow.id,
|
||||
userId: workflow.userId,
|
||||
workspaceId: workflow.workspaceId,
|
||||
},
|
||||
})
|
||||
.from(webhook)
|
||||
.innerJoin(workflow, eq(webhook.workflowId, workflow.id))
|
||||
.where(and(eq(webhook.id, id), isNull(webhook.archivedAt)))
|
||||
.limit(1)
|
||||
|
||||
if (webhooks.length === 0) {
|
||||
logger.warn(`[${requestId}] Webhook not found: ${id}`)
|
||||
return NextResponse.json({ error: 'Webhook not found' }, { status: 404 })
|
||||
}
|
||||
|
||||
const webhookData = webhooks[0]
|
||||
const authorization = await authorizeWorkflowByWorkspacePermission({
|
||||
workflowId: webhookData.workflow.id,
|
||||
userId,
|
||||
action: 'write',
|
||||
})
|
||||
const canModify = authorization.allowed
|
||||
|
||||
if (!canModify) {
|
||||
logger.warn(`[${requestId}] User ${userId} denied permission to modify webhook: ${id}`)
|
||||
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
|
||||
}
|
||||
await assertWorkflowMutable(webhookData.workflow.id)
|
||||
|
||||
const setClause: Partial<typeof webhook.$inferInsert> = {}
|
||||
if (isActive !== undefined && isActive !== webhooks[0].webhook.isActive) {
|
||||
setClause.isActive = isActive
|
||||
}
|
||||
if (failedCount !== undefined && failedCount !== webhooks[0].webhook.failedCount) {
|
||||
setClause.failedCount = failedCount
|
||||
}
|
||||
|
||||
if (Object.keys(setClause).length === 0) {
|
||||
logger.info(`[${requestId}] No-op webhook PATCH (no field changes): ${id}`)
|
||||
return NextResponse.json({ webhook: webhooks[0].webhook }, { status: 200 })
|
||||
}
|
||||
|
||||
setClause.updatedAt = new Date()
|
||||
const updatedWebhook = await db
|
||||
.update(webhook)
|
||||
.set(setClause)
|
||||
.where(eq(webhook.id, id))
|
||||
.returning()
|
||||
|
||||
logger.info(`[${requestId}] Successfully updated webhook: ${id}`)
|
||||
return NextResponse.json({ webhook: updatedWebhook[0] }, { status: 200 })
|
||||
} catch (error) {
|
||||
if (error instanceof WorkflowLockedError) {
|
||||
return NextResponse.json({ error: error.message }, { status: error.status })
|
||||
}
|
||||
|
||||
logger.error(`[${requestId}] Error updating webhook`, error)
|
||||
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
|
||||
}
|
||||
}
|
||||
)
|
||||
|
||||
// Delete a webhook
|
||||
export const DELETE = withRouteHandler(
|
||||
async (request: NextRequest, context: { params: Promise<{ id: string }> }) => {
|
||||
const requestId = generateRequestId()
|
||||
|
||||
try {
|
||||
const parsed = await parseRequest(deleteWebhookContract, request, context)
|
||||
if (!parsed.success) return parsed.response
|
||||
const { id } = parsed.data.params
|
||||
|
||||
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
|
||||
if (!auth.success || !auth.userId) {
|
||||
logger.warn(`[${requestId}] Unauthorized webhook deletion attempt`)
|
||||
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
const userId = auth.userId
|
||||
|
||||
// Find the webhook and check permissions
|
||||
const webhooks = await db
|
||||
.select({
|
||||
webhook: webhook,
|
||||
workflow: {
|
||||
id: workflow.id,
|
||||
userId: workflow.userId,
|
||||
workspaceId: workflow.workspaceId,
|
||||
},
|
||||
})
|
||||
.from(webhook)
|
||||
.innerJoin(workflow, eq(webhook.workflowId, workflow.id))
|
||||
.where(eq(webhook.id, id))
|
||||
.limit(1)
|
||||
|
||||
if (webhooks.length === 0) {
|
||||
logger.warn(`[${requestId}] Webhook not found: ${id}`)
|
||||
return NextResponse.json({ error: 'Webhook not found' }, { status: 404 })
|
||||
}
|
||||
|
||||
const webhookData = webhooks[0]
|
||||
|
||||
const authorization = await authorizeWorkflowByWorkspacePermission({
|
||||
workflowId: webhookData.workflow.id,
|
||||
userId,
|
||||
action: 'write',
|
||||
})
|
||||
const canDelete = authorization.allowed
|
||||
|
||||
if (!canDelete) {
|
||||
logger.warn(`[${requestId}] User ${userId} denied permission to delete webhook: ${id}`)
|
||||
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
|
||||
}
|
||||
await assertWorkflowMutable(webhookData.workflow.id)
|
||||
|
||||
const foundWebhook = webhookData.webhook
|
||||
|
||||
await cleanupExternalWebhook(foundWebhook, webhookData.workflow, requestId)
|
||||
await db.delete(webhook).where(eq(webhook.id, id))
|
||||
|
||||
try {
|
||||
PlatformEvents.webhookDeleted({
|
||||
webhookId: id,
|
||||
workflowId: webhookData.workflow.id,
|
||||
})
|
||||
} catch {
|
||||
// Telemetry should not fail the operation
|
||||
}
|
||||
|
||||
logger.info(`[${requestId}] Successfully deleted webhook: ${id}`)
|
||||
|
||||
recordAudit({
|
||||
workspaceId: webhookData.workflow.workspaceId || null,
|
||||
actorId: userId,
|
||||
actorName: auth.userName,
|
||||
actorEmail: auth.userEmail,
|
||||
action: AuditAction.WEBHOOK_DELETED,
|
||||
resourceType: AuditResourceType.WEBHOOK,
|
||||
resourceId: id,
|
||||
resourceName: foundWebhook.provider || 'generic',
|
||||
description: `Deleted ${foundWebhook.provider || 'generic'} webhook`,
|
||||
metadata: {
|
||||
provider: foundWebhook.provider || 'generic',
|
||||
workflowId: webhookData.workflow.id,
|
||||
webhookPath: foundWebhook.path || undefined,
|
||||
blockId: foundWebhook.blockId || undefined,
|
||||
},
|
||||
request,
|
||||
})
|
||||
|
||||
const wsId = webhookData.workflow.workspaceId || undefined
|
||||
captureServerEvent(
|
||||
userId,
|
||||
'webhook_trigger_deleted',
|
||||
{
|
||||
webhook_id: id,
|
||||
workflow_id: webhookData.workflow.id,
|
||||
provider: foundWebhook.provider || 'generic',
|
||||
workspace_id: wsId ?? '',
|
||||
},
|
||||
wsId ? { groups: { workspace: wsId } } : undefined
|
||||
)
|
||||
|
||||
return NextResponse.json({ success: true }, { status: 200 })
|
||||
} catch (error: any) {
|
||||
if (error instanceof WorkflowLockedError) {
|
||||
return NextResponse.json({ error: error.message }, { status: error.status })
|
||||
}
|
||||
|
||||
logger.error(`[${requestId}] Error deleting webhook`, {
|
||||
error: error.message,
|
||||
stack: error.stack,
|
||||
})
|
||||
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
|
||||
}
|
||||
}
|
||||
)
|
||||
@@ -0,0 +1,374 @@
|
||||
import {
|
||||
db,
|
||||
mothershipInboxAllowedSender,
|
||||
mothershipInboxTask,
|
||||
mothershipInboxWebhook,
|
||||
permissions,
|
||||
user,
|
||||
workspace,
|
||||
} from '@sim/db'
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { getErrorMessage } from '@sim/utils/errors'
|
||||
import { generateId } from '@sim/utils/id'
|
||||
import { tasks } from '@trigger.dev/sdk'
|
||||
import { and, eq, gt, isNotNull, ne, sql } from 'drizzle-orm'
|
||||
import { NextResponse } from 'next/server'
|
||||
import { Webhook } from 'svix'
|
||||
import {
|
||||
agentMailEnvelopeSchema,
|
||||
agentMailMessageSchema,
|
||||
webhookSvixHeadersSchema,
|
||||
} from '@/lib/api/contracts/webhooks'
|
||||
import { hasWorkspaceInboxAccess } from '@/lib/billing/core/subscription'
|
||||
import { resolveTriggerRegion } from '@/lib/core/async-jobs/region'
|
||||
import { isTriggerDevEnabled } from '@/lib/core/config/env-flags'
|
||||
import {
|
||||
assertContentLengthWithinLimit,
|
||||
isPayloadSizeLimitError,
|
||||
readStreamToBufferWithLimit,
|
||||
} from '@/lib/core/utils/stream-limits'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import { executeInboxTask } from '@/lib/mothership/inbox/executor'
|
||||
import type { AgentMailWebhookPayload, RejectionReason } from '@/lib/mothership/inbox/types'
|
||||
import { WEBHOOK_MAX_BODY_BYTES } from '@/lib/webhooks/constants'
|
||||
|
||||
const logger = createLogger('AgentMailWebhook')
|
||||
|
||||
const AUTOMATED_SENDERS = ['mailer-daemon@', 'noreply@', 'no-reply@', 'postmaster@']
|
||||
const MAX_EMAILS_PER_HOUR = 20
|
||||
|
||||
const AGENTMAIL_BODY_LABEL = 'AgentMail webhook body'
|
||||
|
||||
/**
|
||||
* Bound the unauthenticated AgentMail webhook body before buffering it for Svix
|
||||
* signature verification, so an oversized payload cannot exhaust pod memory.
|
||||
*/
|
||||
async function readAgentMailBody(req: Request): Promise<string> {
|
||||
assertContentLengthWithinLimit(req.headers, WEBHOOK_MAX_BODY_BYTES, AGENTMAIL_BODY_LABEL)
|
||||
const buffer = await readStreamToBufferWithLimit(req.body, {
|
||||
maxBytes: WEBHOOK_MAX_BODY_BYTES,
|
||||
label: AGENTMAIL_BODY_LABEL,
|
||||
})
|
||||
return new TextDecoder().decode(buffer)
|
||||
}
|
||||
|
||||
export const POST = withRouteHandler(async (req: Request) => {
|
||||
try {
|
||||
let rawBody: string
|
||||
try {
|
||||
rawBody = await readAgentMailBody(req)
|
||||
} catch (bodyError) {
|
||||
if (isPayloadSizeLimitError(bodyError)) {
|
||||
logger.warn('Rejected oversized AgentMail webhook body', {
|
||||
maxBytes: WEBHOOK_MAX_BODY_BYTES,
|
||||
observedBytes: bodyError.observedBytes,
|
||||
})
|
||||
return NextResponse.json({ error: 'Request body too large' }, { status: 413 })
|
||||
}
|
||||
throw bodyError
|
||||
}
|
||||
const headersResult = webhookSvixHeadersSchema.safeParse({
|
||||
'svix-id': req.headers.get('svix-id'),
|
||||
'svix-timestamp': req.headers.get('svix-timestamp'),
|
||||
'svix-signature': req.headers.get('svix-signature'),
|
||||
})
|
||||
|
||||
if (!headersResult.success) {
|
||||
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
|
||||
const webhookCandidates = await db
|
||||
.select({
|
||||
id: workspace.id,
|
||||
inboxEnabled: workspace.inboxEnabled,
|
||||
inboxAddress: workspace.inboxAddress,
|
||||
inboxProviderId: workspace.inboxProviderId,
|
||||
webhookSecret: mothershipInboxWebhook.secret,
|
||||
})
|
||||
.from(workspace)
|
||||
.leftJoin(mothershipInboxWebhook, eq(mothershipInboxWebhook.workspaceId, workspace.id))
|
||||
.where(isNotNull(mothershipInboxWebhook.secret))
|
||||
|
||||
let result: (typeof webhookCandidates)[number] | undefined
|
||||
for (const candidate of webhookCandidates) {
|
||||
if (!candidate.webhookSecret) continue
|
||||
|
||||
try {
|
||||
const wh = new Webhook(candidate.webhookSecret)
|
||||
wh.verify(rawBody, headersResult.data)
|
||||
result = candidate
|
||||
break
|
||||
} catch {}
|
||||
}
|
||||
|
||||
if (!result) {
|
||||
logger.warn('Webhook signature verification failed', {
|
||||
candidateCount: webhookCandidates.length,
|
||||
})
|
||||
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
|
||||
const envelopeResult = agentMailEnvelopeSchema.safeParse(JSON.parse(rawBody))
|
||||
if (!envelopeResult.success) {
|
||||
logger.warn('Invalid AgentMail webhook payload', {
|
||||
workspaceId: result.id,
|
||||
issues: envelopeResult.error.issues,
|
||||
})
|
||||
return NextResponse.json(
|
||||
{ error: 'Invalid envelope payload', details: envelopeResult.error.issues },
|
||||
{ status: 400 }
|
||||
)
|
||||
}
|
||||
|
||||
if (envelopeResult.data.event_type !== 'message.received') {
|
||||
return NextResponse.json({ ok: true })
|
||||
}
|
||||
|
||||
const messageResult = agentMailMessageSchema.safeParse(envelopeResult.data.message)
|
||||
if (!messageResult.success) {
|
||||
logger.warn('Invalid AgentMail message payload', {
|
||||
workspaceId: result.id,
|
||||
issues: messageResult.error.issues,
|
||||
})
|
||||
return NextResponse.json(
|
||||
{ error: 'Invalid message payload', details: messageResult.error.issues },
|
||||
{ status: 400 }
|
||||
)
|
||||
}
|
||||
|
||||
const message: AgentMailWebhookPayload['message'] = messageResult.data
|
||||
const inboxId = message.inbox_id
|
||||
if (result.inboxProviderId !== inboxId) {
|
||||
logger.warn('Verified AgentMail payload inbox mismatch', {
|
||||
workspaceId: result.id,
|
||||
verifiedInboxId: result.inboxProviderId,
|
||||
payloadInboxId: inboxId,
|
||||
})
|
||||
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
|
||||
if (!result.inboxEnabled) {
|
||||
logger.info('Inbox disabled, rejecting', { workspaceId: result.id })
|
||||
return NextResponse.json({ ok: true })
|
||||
}
|
||||
|
||||
const fromEmail = extractSenderEmail(message.from) || ''
|
||||
logger.info('Webhook received', { fromEmail, from_raw: message.from, workspaceId: result.id })
|
||||
|
||||
if (result.inboxAddress && fromEmail === result.inboxAddress.toLowerCase()) {
|
||||
logger.info('Skipping email from inbox itself', { workspaceId: result.id })
|
||||
return NextResponse.json({ ok: true })
|
||||
}
|
||||
|
||||
if (AUTOMATED_SENDERS.some((prefix) => fromEmail.startsWith(prefix))) {
|
||||
await createRejectedTask(result.id, message, 'automated_sender')
|
||||
return NextResponse.json({ ok: true })
|
||||
}
|
||||
|
||||
const emailMessageId = message.message_id
|
||||
const inReplyTo = message.in_reply_to || null
|
||||
|
||||
const [existingResult, isAllowed, recentCount, parentTaskResult, isEntitled] =
|
||||
await Promise.all([
|
||||
emailMessageId
|
||||
? db
|
||||
.select({ id: mothershipInboxTask.id })
|
||||
.from(mothershipInboxTask)
|
||||
.where(eq(mothershipInboxTask.emailMessageId, emailMessageId))
|
||||
.limit(1)
|
||||
: Promise.resolve([]),
|
||||
isSenderAllowed(fromEmail, result.id),
|
||||
getRecentTaskCount(result.id),
|
||||
inReplyTo
|
||||
? db
|
||||
.select({ chatId: mothershipInboxTask.chatId })
|
||||
.from(mothershipInboxTask)
|
||||
.where(eq(mothershipInboxTask.responseMessageId, inReplyTo))
|
||||
.limit(1)
|
||||
: Promise.resolve([]),
|
||||
hasWorkspaceInboxAccess(result.id),
|
||||
])
|
||||
|
||||
if (existingResult[0]) {
|
||||
logger.info('Duplicate webhook, skipping', { emailMessageId })
|
||||
return NextResponse.json({ ok: true })
|
||||
}
|
||||
|
||||
if (!isEntitled) {
|
||||
logger.info('Inbox no longer entitled, rejecting', { workspaceId: result.id })
|
||||
await createRejectedTask(result.id, message, 'not_entitled')
|
||||
return NextResponse.json({ ok: true })
|
||||
}
|
||||
|
||||
if (!isAllowed) {
|
||||
await createRejectedTask(result.id, message, 'sender_not_allowed')
|
||||
return NextResponse.json({ ok: true })
|
||||
}
|
||||
|
||||
if (recentCount >= MAX_EMAILS_PER_HOUR) {
|
||||
await createRejectedTask(result.id, message, 'rate_limit_exceeded')
|
||||
return NextResponse.json({ ok: true })
|
||||
}
|
||||
|
||||
const chatId = parentTaskResult[0]?.chatId ?? null
|
||||
|
||||
const fromName = extractDisplayName(message.from)
|
||||
|
||||
const taskId = generateId()
|
||||
const bodyText = message.text?.substring(0, 50_000) || null
|
||||
const bodyHtml = message.html?.substring(0, 50_000) || null
|
||||
const bodyPreview = (bodyText || '')?.substring(0, 200) || null
|
||||
|
||||
await db.insert(mothershipInboxTask).values({
|
||||
id: taskId,
|
||||
workspaceId: result.id,
|
||||
fromEmail,
|
||||
fromName,
|
||||
subject: message.subject || '(no subject)',
|
||||
bodyPreview,
|
||||
bodyText,
|
||||
bodyHtml,
|
||||
emailMessageId,
|
||||
inReplyTo,
|
||||
agentmailMessageId: message.message_id,
|
||||
status: 'received',
|
||||
chatId,
|
||||
hasAttachments: (message.attachments?.length ?? 0) > 0,
|
||||
ccRecipients: message.cc?.length ? JSON.stringify(message.cc) : null,
|
||||
})
|
||||
|
||||
if (isTriggerDevEnabled) {
|
||||
try {
|
||||
const handle = await tasks.trigger(
|
||||
'mothership-inbox-execution',
|
||||
{ taskId },
|
||||
{
|
||||
tags: [`workspaceId:${result.id}`, `taskId:${taskId}`],
|
||||
region: await resolveTriggerRegion(),
|
||||
}
|
||||
)
|
||||
await db
|
||||
.update(mothershipInboxTask)
|
||||
.set({ triggerJobId: handle.id })
|
||||
.where(eq(mothershipInboxTask.id, taskId))
|
||||
} catch (triggerError) {
|
||||
logger.warn('Trigger.dev dispatch failed, falling back to local execution', {
|
||||
taskId,
|
||||
triggerError,
|
||||
})
|
||||
executeInboxTask(taskId).catch((err) => {
|
||||
logger.error('Local inbox task execution failed', {
|
||||
taskId,
|
||||
error: getErrorMessage(err, 'Unknown error'),
|
||||
})
|
||||
})
|
||||
}
|
||||
} else {
|
||||
logger.info('Trigger.dev not available, executing inbox task locally', { taskId })
|
||||
executeInboxTask(taskId).catch((err) => {
|
||||
logger.error('Local inbox task execution failed', {
|
||||
taskId,
|
||||
error: getErrorMessage(err, 'Unknown error'),
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
return NextResponse.json({ ok: true })
|
||||
} catch (error) {
|
||||
logger.error('AgentMail webhook error', {
|
||||
error: getErrorMessage(error, 'Unknown error'),
|
||||
})
|
||||
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
|
||||
}
|
||||
})
|
||||
|
||||
async function isSenderAllowed(email: string, workspaceId: string): Promise<boolean> {
|
||||
const [allowedSenderResult, memberResult] = await Promise.all([
|
||||
db
|
||||
.select({ id: mothershipInboxAllowedSender.id })
|
||||
.from(mothershipInboxAllowedSender)
|
||||
.where(
|
||||
and(
|
||||
eq(mothershipInboxAllowedSender.workspaceId, workspaceId),
|
||||
eq(mothershipInboxAllowedSender.email, email)
|
||||
)
|
||||
)
|
||||
.limit(1),
|
||||
db
|
||||
.select({ userId: permissions.userId })
|
||||
.from(permissions)
|
||||
.innerJoin(user, eq(permissions.userId, user.id))
|
||||
.where(
|
||||
and(
|
||||
eq(permissions.entityType, 'workspace'),
|
||||
eq(permissions.entityId, workspaceId),
|
||||
sql`lower(${user.email}) = ${email}`
|
||||
)
|
||||
)
|
||||
.limit(1),
|
||||
])
|
||||
|
||||
return !!(allowedSenderResult[0] || memberResult[0])
|
||||
}
|
||||
|
||||
async function getRecentTaskCount(workspaceId: string): Promise<number> {
|
||||
const oneHourAgo = new Date(Date.now() - 60 * 60 * 1000)
|
||||
const [result] = await db
|
||||
.select({ count: sql<number>`count(*)::int` })
|
||||
.from(mothershipInboxTask)
|
||||
.where(
|
||||
and(
|
||||
eq(mothershipInboxTask.workspaceId, workspaceId),
|
||||
gt(mothershipInboxTask.createdAt, oneHourAgo),
|
||||
ne(mothershipInboxTask.status, 'rejected')
|
||||
)
|
||||
)
|
||||
return result?.count ?? 0
|
||||
}
|
||||
|
||||
async function createRejectedTask(
|
||||
workspaceId: string,
|
||||
message: AgentMailWebhookPayload['message'],
|
||||
reason: RejectionReason
|
||||
): Promise<void> {
|
||||
await db.insert(mothershipInboxTask).values({
|
||||
id: generateId(),
|
||||
workspaceId,
|
||||
fromEmail: extractSenderEmail(message.from) || 'unknown',
|
||||
fromName: extractDisplayName(message.from),
|
||||
subject: message.subject || '(no subject)',
|
||||
bodyPreview: (message.text || '').substring(0, 200) || null,
|
||||
emailMessageId: message.message_id,
|
||||
agentmailMessageId: message.message_id,
|
||||
status: 'rejected',
|
||||
rejectionReason: reason,
|
||||
hasAttachments: (message.attachments?.length ?? 0) > 0,
|
||||
})
|
||||
}
|
||||
|
||||
/**
|
||||
* Extract the raw email address from AgentMail's from field.
|
||||
* Format: "username@domain.com" or "Display Name <username@domain.com>"
|
||||
*/
|
||||
function extractSenderEmail(from: string): string {
|
||||
const openBracket = from.indexOf('<')
|
||||
const closeBracket = from.indexOf('>', openBracket + 1)
|
||||
if (openBracket !== -1 && closeBracket !== -1) {
|
||||
return from
|
||||
.substring(openBracket + 1, closeBracket)
|
||||
.toLowerCase()
|
||||
.trim()
|
||||
}
|
||||
return from.toLowerCase().trim()
|
||||
}
|
||||
|
||||
function extractDisplayName(from: string): string | null {
|
||||
const openBracket = from.indexOf('<')
|
||||
if (openBracket <= 0) return null
|
||||
const name = from.substring(0, openBracket).trim()
|
||||
if (!name) return null
|
||||
if (name.startsWith('"') && name.endsWith('"')) {
|
||||
return name.slice(1, -1) || null
|
||||
}
|
||||
return name
|
||||
}
|
||||
@@ -0,0 +1,66 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { getErrorMessage } from '@sim/utils/errors'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { verifyCronAuth } from '@/lib/auth/internal'
|
||||
import { cleanupExpiredIdempotencyKeys, getIdempotencyKeyStats } from '@/lib/core/idempotency'
|
||||
import { generateRequestId } from '@/lib/core/utils/request'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
|
||||
const logger = createLogger('IdempotencyCleanupAPI')
|
||||
|
||||
export const dynamic = 'force-dynamic'
|
||||
export const maxDuration = 300 // Allow up to 5 minutes for cleanup
|
||||
|
||||
export const GET = withRouteHandler(async (request: NextRequest) => {
|
||||
const requestId = generateRequestId()
|
||||
logger.info(`Idempotency cleanup triggered (${requestId})`)
|
||||
|
||||
try {
|
||||
const authError = verifyCronAuth(request, 'Idempotency key cleanup')
|
||||
if (authError) {
|
||||
return authError
|
||||
}
|
||||
|
||||
const statsBefore = await getIdempotencyKeyStats()
|
||||
logger.info(
|
||||
`Pre-cleanup stats: ${statsBefore.totalKeys} keys across ${Object.keys(statsBefore.keysByNamespace).length} namespaces`
|
||||
)
|
||||
|
||||
const result = await cleanupExpiredIdempotencyKeys({
|
||||
maxAgeSeconds: 7 * 24 * 60 * 60, // 7 days
|
||||
batchSize: 1000,
|
||||
})
|
||||
|
||||
const statsAfter = await getIdempotencyKeyStats()
|
||||
logger.info(`Post-cleanup stats: ${statsAfter.totalKeys} keys remaining`)
|
||||
|
||||
return NextResponse.json({
|
||||
success: true,
|
||||
message: 'Idempotency key cleanup completed',
|
||||
requestId,
|
||||
result: {
|
||||
deleted: result.deleted,
|
||||
errors: result.errors,
|
||||
statsBefore: {
|
||||
totalKeys: statsBefore.totalKeys,
|
||||
keysByNamespace: statsBefore.keysByNamespace,
|
||||
},
|
||||
statsAfter: {
|
||||
totalKeys: statsAfter.totalKeys,
|
||||
keysByNamespace: statsAfter.keysByNamespace,
|
||||
},
|
||||
},
|
||||
})
|
||||
} catch (error) {
|
||||
logger.error(`Error during idempotency cleanup (${requestId}):`, error)
|
||||
return NextResponse.json(
|
||||
{
|
||||
success: false,
|
||||
message: 'Idempotency cleanup failed',
|
||||
error: getErrorMessage(error, 'Unknown error'),
|
||||
requestId,
|
||||
},
|
||||
{ status: 500 }
|
||||
)
|
||||
}
|
||||
})
|
||||
@@ -0,0 +1,63 @@
|
||||
import { db } from '@sim/db'
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { toError } from '@sim/utils/errors'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { verifyCronAuth } from '@/lib/auth/internal'
|
||||
import { billingOutboxHandlers } from '@/lib/billing/webhooks/outbox-handlers'
|
||||
import { processOutboxEvents } from '@/lib/core/outbox/service'
|
||||
import { generateRequestId } from '@/lib/core/utils/request'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import { workflowDeploymentOutboxHandlers } from '@/lib/workflows/deployment-outbox'
|
||||
import { reapStaleBackgroundWork } from '@/ee/workspace-forking/lib/background-work/store'
|
||||
|
||||
const logger = createLogger('OutboxProcessorAPI')
|
||||
|
||||
export const dynamic = 'force-dynamic'
|
||||
export const maxDuration = 120
|
||||
|
||||
const handlers = {
|
||||
...billingOutboxHandlers,
|
||||
...workflowDeploymentOutboxHandlers,
|
||||
} as const
|
||||
|
||||
export const GET = withRouteHandler(async (request: NextRequest) => {
|
||||
const requestId = generateRequestId()
|
||||
|
||||
try {
|
||||
const authError = verifyCronAuth(request, 'Outbox processor')
|
||||
if (authError) {
|
||||
return authError
|
||||
}
|
||||
|
||||
const result = await processOutboxEvents(handlers, {
|
||||
batchSize: 20,
|
||||
maxRuntimeMs: 110_000,
|
||||
minRemainingMs: 95_000,
|
||||
})
|
||||
|
||||
// Reap fork background-work rows stuck `processing` past their TTL (worker crash /
|
||||
// restart has no in-task hook). Independent of the outbox; a failure here must not
|
||||
// fail the outbox run, so it's guarded separately.
|
||||
let reapedBackgroundWork = 0
|
||||
try {
|
||||
reapedBackgroundWork = await reapStaleBackgroundWork(db)
|
||||
} catch (error) {
|
||||
logger.error('Background-work reap failed', { requestId, error: toError(error).message })
|
||||
}
|
||||
|
||||
logger.info('Outbox processing completed', { requestId, ...result, reapedBackgroundWork })
|
||||
|
||||
return NextResponse.json({
|
||||
success: true,
|
||||
requestId,
|
||||
result,
|
||||
reapedBackgroundWork,
|
||||
})
|
||||
} catch (error) {
|
||||
logger.error('Outbox processing failed', { requestId, error: toError(error).message })
|
||||
return NextResponse.json(
|
||||
{ success: false, requestId, error: toError(error).message },
|
||||
{ status: 500 }
|
||||
)
|
||||
}
|
||||
})
|
||||
@@ -0,0 +1,108 @@
|
||||
/**
|
||||
* Tests for the webhook polling cron route.
|
||||
*
|
||||
* @vitest-environment node
|
||||
*/
|
||||
import { createMockRequest, redisConfigMock, redisConfigMockFns } from '@sim/testing'
|
||||
import { sleep } from '@sim/utils/helpers'
|
||||
import { beforeEach, describe, expect, it, vi } from 'vitest'
|
||||
|
||||
const { mockVerifyCronAuth, mockPollProvider } = vi.hoisted(() => ({
|
||||
mockVerifyCronAuth: vi.fn().mockReturnValue(null),
|
||||
mockPollProvider: vi.fn().mockResolvedValue({ processed: 0 }),
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/auth/internal', () => ({
|
||||
verifyCronAuth: mockVerifyCronAuth,
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/core/config/redis', () => redisConfigMock)
|
||||
|
||||
vi.mock('@/lib/webhooks/polling', () => ({
|
||||
pollProvider: mockPollProvider,
|
||||
VALID_POLLING_PROVIDERS: new Set(['gmail', 'outlook', 'rss']),
|
||||
}))
|
||||
|
||||
import { GET } from './route'
|
||||
|
||||
function createRequest() {
|
||||
return createMockRequest('GET', undefined, {}, 'http://localhost:3000/api/webhooks/poll/gmail')
|
||||
}
|
||||
|
||||
function createContext(provider: string) {
|
||||
return { params: Promise.resolve({ provider }) }
|
||||
}
|
||||
|
||||
const flushMicrotasks = () => sleep(0)
|
||||
|
||||
describe('webhook polling route (fire-and-forget)', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks()
|
||||
redisConfigMockFns.mockAcquireLock.mockResolvedValue(true)
|
||||
redisConfigMockFns.mockReleaseLock.mockResolvedValue(true)
|
||||
mockVerifyCronAuth.mockReturnValue(null)
|
||||
mockPollProvider.mockResolvedValue({ processed: 0 })
|
||||
})
|
||||
|
||||
it('returns the auth error when cron auth fails', async () => {
|
||||
mockVerifyCronAuth.mockReturnValueOnce(
|
||||
new Response(null, { status: 401 }) as unknown as Response
|
||||
)
|
||||
|
||||
const response = await GET(createRequest(), createContext('gmail'))
|
||||
|
||||
expect(response.status).toBe(401)
|
||||
expect(mockPollProvider).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('returns 404 for an unknown provider', async () => {
|
||||
const response = await GET(createRequest(), createContext('unknown'))
|
||||
|
||||
expect(response.status).toBe(404)
|
||||
expect(redisConfigMockFns.mockAcquireLock).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('acknowledges with 202 and polls in the background after acquiring the lock', async () => {
|
||||
const response = await GET(createRequest(), createContext('gmail'))
|
||||
|
||||
expect(response.status).toBe(202)
|
||||
const data = await response.json()
|
||||
expect(data).toMatchObject({ status: 'started' })
|
||||
expect(redisConfigMockFns.mockAcquireLock).toHaveBeenCalledWith(
|
||||
'gmail-polling-lock',
|
||||
expect.any(String),
|
||||
expect.any(Number)
|
||||
)
|
||||
|
||||
await flushMicrotasks()
|
||||
expect(mockPollProvider).toHaveBeenCalledWith('gmail')
|
||||
expect(redisConfigMockFns.mockReleaseLock).toHaveBeenCalledWith(
|
||||
'gmail-polling-lock',
|
||||
expect.any(String)
|
||||
)
|
||||
})
|
||||
|
||||
it('skips with 202 when the lock is already held', async () => {
|
||||
redisConfigMockFns.mockAcquireLock.mockResolvedValueOnce(false)
|
||||
|
||||
const response = await GET(createRequest(), createContext('gmail'))
|
||||
|
||||
expect(response.status).toBe(202)
|
||||
const data = await response.json()
|
||||
expect(data).toMatchObject({ status: 'skip' })
|
||||
expect(mockPollProvider).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('releases the lock even when polling throws', async () => {
|
||||
mockPollProvider.mockRejectedValueOnce(new Error('poll failed'))
|
||||
|
||||
const response = await GET(createRequest(), createContext('gmail'))
|
||||
|
||||
expect(response.status).toBe(202)
|
||||
await flushMicrotasks()
|
||||
expect(redisConfigMockFns.mockReleaseLock).toHaveBeenCalledWith(
|
||||
'gmail-polling-lock',
|
||||
expect.any(String)
|
||||
)
|
||||
})
|
||||
})
|
||||
@@ -0,0 +1,88 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { getErrorMessage } from '@sim/utils/errors'
|
||||
import { generateShortId } from '@sim/utils/id'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { webhookPollingContract } from '@/lib/api/contracts/webhooks'
|
||||
import { parseRequest } from '@/lib/api/server'
|
||||
import { verifyCronAuth } from '@/lib/auth/internal'
|
||||
import { acquireLock, releaseLock } from '@/lib/core/config/redis'
|
||||
import { runDetached } from '@/lib/core/utils/background'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import { pollProvider, VALID_POLLING_PROVIDERS } from '@/lib/webhooks/polling'
|
||||
|
||||
const logger = createLogger('PollingAPI')
|
||||
|
||||
/** Lock TTL in seconds — must match maxDuration so the lock auto-expires if the function times out. */
|
||||
const LOCK_TTL_SECONDS = 180
|
||||
|
||||
export const dynamic = 'force-dynamic'
|
||||
export const maxDuration = 180
|
||||
|
||||
export const GET = withRouteHandler(
|
||||
async (request: NextRequest, context: { params: Promise<{ provider: string }> }) => {
|
||||
const requestId = generateShortId()
|
||||
let provider: string | undefined
|
||||
|
||||
try {
|
||||
const authError = verifyCronAuth(request, 'webhook polling')
|
||||
if (authError) return authError
|
||||
|
||||
const parsed = await parseRequest(webhookPollingContract, request, context)
|
||||
if (!parsed.success) return parsed.response
|
||||
provider = parsed.data.params.provider
|
||||
|
||||
if (!VALID_POLLING_PROVIDERS.has(provider)) {
|
||||
return NextResponse.json(
|
||||
{ error: `Unknown polling provider: ${provider}` },
|
||||
{ status: 404 }
|
||||
)
|
||||
}
|
||||
|
||||
const LOCK_KEY = `${provider}-polling-lock`
|
||||
const lockValue = requestId
|
||||
const locked = await acquireLock(LOCK_KEY, lockValue, LOCK_TTL_SECONDS)
|
||||
if (!locked) {
|
||||
return NextResponse.json(
|
||||
{
|
||||
success: true,
|
||||
message: 'Polling already in progress – skipped',
|
||||
requestId,
|
||||
status: 'skip',
|
||||
},
|
||||
{ status: 202 }
|
||||
)
|
||||
}
|
||||
|
||||
const pollingProvider = provider
|
||||
runDetached(`${pollingProvider}-polling`, async () => {
|
||||
try {
|
||||
await pollProvider(pollingProvider)
|
||||
} finally {
|
||||
await releaseLock(LOCK_KEY, lockValue).catch(() => {})
|
||||
}
|
||||
})
|
||||
|
||||
return NextResponse.json(
|
||||
{
|
||||
success: true,
|
||||
message: `${provider} polling started`,
|
||||
requestId,
|
||||
status: 'started',
|
||||
},
|
||||
{ status: 202 }
|
||||
)
|
||||
} catch (error) {
|
||||
const providerLabel = provider ?? 'webhook'
|
||||
logger.error(`Error during ${providerLabel} polling (${requestId}):`, error)
|
||||
return NextResponse.json(
|
||||
{
|
||||
success: false,
|
||||
message: `${providerLabel} polling failed`,
|
||||
error: getErrorMessage(error, 'Unknown error'),
|
||||
requestId,
|
||||
},
|
||||
{ status: 500 }
|
||||
)
|
||||
}
|
||||
}
|
||||
)
|
||||
@@ -0,0 +1,601 @@
|
||||
import { AuditAction, AuditResourceType, recordAudit } from '@sim/audit'
|
||||
import { db } from '@sim/db'
|
||||
import { webhook, workflow, workflowDeploymentVersion } from '@sim/db/schema'
|
||||
import { createLogger } from '@sim/logger'
|
||||
import {
|
||||
assertWorkflowMutable,
|
||||
authorizeWorkflowByWorkspacePermission,
|
||||
WorkflowLockedError,
|
||||
} from '@sim/platform-authz/workflow'
|
||||
import { getErrorMessage } from '@sim/utils/errors'
|
||||
import { generateId, generateShortId } from '@sim/utils/id'
|
||||
import { and, desc, eq, inArray, isNull, or } from 'drizzle-orm'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { listWebhooksContract, upsertWebhookContract } from '@/lib/api/contracts/webhooks'
|
||||
import { parseRequest } from '@/lib/api/server'
|
||||
import { getSession } from '@/lib/auth'
|
||||
import { PlatformEvents } from '@/lib/core/telemetry'
|
||||
import { generateRequestId } from '@/lib/core/utils/request'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import { captureServerEvent } from '@/lib/posthog/server'
|
||||
import { resolveEnvVarsInObject } from '@/lib/webhooks/env-resolver'
|
||||
import {
|
||||
cleanupExternalWebhook,
|
||||
createExternalWebhookSubscription,
|
||||
shouldRecreateExternalWebhookSubscription,
|
||||
} from '@/lib/webhooks/provider-subscriptions'
|
||||
import { getProviderHandler } from '@/lib/webhooks/providers'
|
||||
import { mergeNonUserFields } from '@/lib/webhooks/utils'
|
||||
import { findConflictingWebhookPathOwner } from '@/lib/webhooks/utils.server'
|
||||
import { listAccessibleWorkspaceRowsForUser } from '@/lib/workspaces/utils'
|
||||
|
||||
const logger = createLogger('WebhooksAPI')
|
||||
|
||||
export const dynamic = 'force-dynamic'
|
||||
|
||||
async function revertSavedWebhook(
|
||||
savedWebhook: any,
|
||||
existingWebhook: any,
|
||||
requestId: string
|
||||
): Promise<void> {
|
||||
if (existingWebhook) {
|
||||
await db
|
||||
.update(webhook)
|
||||
.set({
|
||||
workflowId: existingWebhook.workflowId,
|
||||
blockId: existingWebhook.blockId,
|
||||
path: existingWebhook.path,
|
||||
provider: existingWebhook.provider,
|
||||
providerConfig: existingWebhook.providerConfig,
|
||||
isActive: existingWebhook.isActive,
|
||||
archivedAt: existingWebhook.archivedAt,
|
||||
updatedAt: existingWebhook.updatedAt,
|
||||
})
|
||||
.where(eq(webhook.id, savedWebhook.id))
|
||||
logger.info(`[${requestId}] Restored previous webhook configuration after failed re-save`, {
|
||||
webhookId: savedWebhook.id,
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
await db.delete(webhook).where(eq(webhook.id, savedWebhook.id))
|
||||
}
|
||||
|
||||
// Get all webhooks for the current user
|
||||
export const GET = withRouteHandler(async (request: NextRequest) => {
|
||||
const requestId = generateRequestId()
|
||||
|
||||
try {
|
||||
const session = await getSession()
|
||||
if (!session?.user?.id) {
|
||||
logger.warn(`[${requestId}] Unauthorized webhooks access attempt`)
|
||||
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
|
||||
const parsed = await parseRequest(listWebhooksContract, request, {})
|
||||
if (!parsed.success) return parsed.response
|
||||
const { workflowId, blockId } = parsed.data.query
|
||||
|
||||
if (workflowId && blockId) {
|
||||
// Collaborative-aware path: allow collaborators with read access to view webhooks
|
||||
// Fetch workflow to verify access
|
||||
const wf = await db
|
||||
.select({ id: workflow.id, userId: workflow.userId, workspaceId: workflow.workspaceId })
|
||||
.from(workflow)
|
||||
.where(eq(workflow.id, workflowId))
|
||||
.limit(1)
|
||||
|
||||
if (!wf.length) {
|
||||
logger.warn(`[${requestId}] Workflow not found: ${workflowId}`)
|
||||
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
|
||||
}
|
||||
|
||||
const wfRecord = wf[0]
|
||||
const authorization = await authorizeWorkflowByWorkspacePermission({
|
||||
workflowId: wfRecord.id,
|
||||
userId: session.user.id,
|
||||
action: 'read',
|
||||
})
|
||||
const canRead = authorization.allowed
|
||||
|
||||
if (!canRead) {
|
||||
logger.warn(
|
||||
`[${requestId}] User ${session.user.id} denied permission to read webhooks for workflow ${workflowId}`
|
||||
)
|
||||
return NextResponse.json({ webhooks: [] }, { status: 200 })
|
||||
}
|
||||
|
||||
const webhooks = await db
|
||||
.select({
|
||||
webhook: webhook,
|
||||
workflow: {
|
||||
id: workflow.id,
|
||||
name: workflow.name,
|
||||
},
|
||||
})
|
||||
.from(webhook)
|
||||
.innerJoin(workflow, eq(webhook.workflowId, workflow.id))
|
||||
.leftJoin(
|
||||
workflowDeploymentVersion,
|
||||
and(
|
||||
eq(workflowDeploymentVersion.workflowId, workflow.id),
|
||||
eq(workflowDeploymentVersion.isActive, true)
|
||||
)
|
||||
)
|
||||
.where(
|
||||
and(
|
||||
eq(webhook.workflowId, workflowId),
|
||||
eq(webhook.blockId, blockId),
|
||||
isNull(webhook.archivedAt),
|
||||
or(
|
||||
eq(webhook.deploymentVersionId, workflowDeploymentVersion.id),
|
||||
and(isNull(workflowDeploymentVersion.id), isNull(webhook.deploymentVersionId))
|
||||
)
|
||||
)
|
||||
)
|
||||
.orderBy(desc(webhook.updatedAt))
|
||||
|
||||
logger.info(
|
||||
`[${requestId}] Retrieved ${webhooks.length} webhooks for workflow ${workflowId} block ${blockId}`
|
||||
)
|
||||
return NextResponse.json({ webhooks }, { status: 200 })
|
||||
}
|
||||
|
||||
if (workflowId && !blockId) {
|
||||
// For now, allow the call but return empty results to avoid breaking the UI
|
||||
return NextResponse.json({ webhooks: [] }, { status: 200 })
|
||||
}
|
||||
|
||||
const accessibleRows = await listAccessibleWorkspaceRowsForUser(session.user.id, 'all')
|
||||
const workspaceIds = accessibleRows.map((row) => row.workspace.id)
|
||||
if (workspaceIds.length === 0) {
|
||||
return NextResponse.json({ webhooks: [] }, { status: 200 })
|
||||
}
|
||||
|
||||
const webhooks = await db
|
||||
.select({
|
||||
webhook: webhook,
|
||||
workflow: {
|
||||
id: workflow.id,
|
||||
name: workflow.name,
|
||||
},
|
||||
})
|
||||
.from(webhook)
|
||||
.innerJoin(workflow, eq(webhook.workflowId, workflow.id))
|
||||
.where(and(inArray(workflow.workspaceId, workspaceIds), isNull(webhook.archivedAt)))
|
||||
|
||||
logger.info(`[${requestId}] Retrieved ${webhooks.length} workspace-accessible webhooks`)
|
||||
return NextResponse.json({ webhooks }, { status: 200 })
|
||||
} catch (error) {
|
||||
logger.error(`[${requestId}] Error fetching webhooks`, error)
|
||||
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
|
||||
}
|
||||
})
|
||||
|
||||
// Create or Update a webhook
|
||||
export const POST = withRouteHandler(async (request: NextRequest) => {
|
||||
const requestId = generateRequestId()
|
||||
const session = await getSession()
|
||||
const userId = session?.user?.id
|
||||
|
||||
if (!userId) {
|
||||
logger.warn(`[${requestId}] Unauthorized webhook creation attempt`)
|
||||
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
|
||||
try {
|
||||
const parsed = await parseRequest(upsertWebhookContract, request, {})
|
||||
if (!parsed.success) return parsed.response
|
||||
|
||||
const body = parsed.data.body
|
||||
const { workflowId, path, providerConfig, blockId } = body
|
||||
const provider = body.provider || ''
|
||||
|
||||
// Validate input
|
||||
if (!workflowId) {
|
||||
logger.warn(`[${requestId}] Missing required fields for webhook creation`, {
|
||||
hasWorkflowId: !!workflowId,
|
||||
hasPath: !!path,
|
||||
})
|
||||
return NextResponse.json({ error: 'Missing required fields' }, { status: 400 })
|
||||
}
|
||||
|
||||
// Determine final path with special handling for credential-based providers
|
||||
// to avoid generating a new path on every save.
|
||||
let finalPath = path
|
||||
const credentialBasedProviders = ['gmail', 'outlook']
|
||||
const isCredentialBased = credentialBasedProviders.includes(provider)
|
||||
// Treat Microsoft Teams chat subscription as credential-based for path generation purposes
|
||||
const isMicrosoftTeamsChatSubscription =
|
||||
provider === 'microsoft-teams' &&
|
||||
typeof providerConfig === 'object' &&
|
||||
providerConfig?.triggerId === 'microsoftteams_chat_subscription'
|
||||
|
||||
// If path is missing
|
||||
if (!finalPath || finalPath.trim() === '') {
|
||||
if (isCredentialBased || isMicrosoftTeamsChatSubscription) {
|
||||
// Try to reuse existing path for this workflow+block if one exists
|
||||
if (blockId) {
|
||||
const existingForBlock = await db
|
||||
.select({ id: webhook.id, path: webhook.path })
|
||||
.from(webhook)
|
||||
.leftJoin(
|
||||
workflowDeploymentVersion,
|
||||
and(
|
||||
eq(workflowDeploymentVersion.workflowId, workflowId),
|
||||
eq(workflowDeploymentVersion.isActive, true)
|
||||
)
|
||||
)
|
||||
.where(
|
||||
and(
|
||||
eq(webhook.workflowId, workflowId),
|
||||
eq(webhook.blockId, blockId),
|
||||
isNull(webhook.archivedAt),
|
||||
or(
|
||||
eq(webhook.deploymentVersionId, workflowDeploymentVersion.id),
|
||||
and(isNull(workflowDeploymentVersion.id), isNull(webhook.deploymentVersionId))
|
||||
)
|
||||
)
|
||||
)
|
||||
.limit(1)
|
||||
|
||||
if (existingForBlock.length > 0) {
|
||||
finalPath = existingForBlock[0].path ?? ''
|
||||
logger.info(
|
||||
`[${requestId}] Reusing existing generated path for ${provider} trigger: ${finalPath}`
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
// If still no path, generate a new dummy path (first-time save)
|
||||
if (!finalPath || finalPath.trim() === '') {
|
||||
finalPath = `${provider}-${generateId()}`
|
||||
logger.info(`[${requestId}] Generated webhook path for ${provider} trigger: ${finalPath}`)
|
||||
}
|
||||
} else {
|
||||
logger.warn(`[${requestId}] Missing path for webhook creation`, {
|
||||
hasWorkflowId: !!workflowId,
|
||||
hasPath: !!path,
|
||||
})
|
||||
return NextResponse.json({ error: 'Missing required path' }, { status: 400 })
|
||||
}
|
||||
}
|
||||
|
||||
// Check if the workflow exists and user has permission to modify it
|
||||
const workflowData = await db
|
||||
.select({
|
||||
id: workflow.id,
|
||||
userId: workflow.userId,
|
||||
workspaceId: workflow.workspaceId,
|
||||
})
|
||||
.from(workflow)
|
||||
.where(eq(workflow.id, workflowId))
|
||||
.limit(1)
|
||||
|
||||
if (workflowData.length === 0) {
|
||||
logger.warn(`[${requestId}] Workflow not found: ${workflowId}`)
|
||||
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
|
||||
}
|
||||
|
||||
const workflowRecord = workflowData[0]
|
||||
|
||||
const authorization = await authorizeWorkflowByWorkspacePermission({
|
||||
workflowId,
|
||||
userId,
|
||||
action: 'write',
|
||||
})
|
||||
const canModify = authorization.allowed
|
||||
|
||||
if (!canModify) {
|
||||
logger.warn(
|
||||
`[${requestId}] User ${userId} denied permission to modify webhook for workflow ${workflowId}`
|
||||
)
|
||||
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
|
||||
}
|
||||
await assertWorkflowMutable(workflowId)
|
||||
|
||||
// Determine existing webhook to update (prefer by workflow+block for credential-based providers)
|
||||
let targetWebhookId: string | null = null
|
||||
if (isCredentialBased && blockId) {
|
||||
const existingForBlock = await db
|
||||
.select({ id: webhook.id })
|
||||
.from(webhook)
|
||||
.leftJoin(
|
||||
workflowDeploymentVersion,
|
||||
and(
|
||||
eq(workflowDeploymentVersion.workflowId, workflowId),
|
||||
eq(workflowDeploymentVersion.isActive, true)
|
||||
)
|
||||
)
|
||||
.where(
|
||||
and(
|
||||
eq(webhook.workflowId, workflowId),
|
||||
eq(webhook.blockId, blockId),
|
||||
isNull(webhook.archivedAt),
|
||||
or(
|
||||
eq(webhook.deploymentVersionId, workflowDeploymentVersion.id),
|
||||
and(isNull(workflowDeploymentVersion.id), isNull(webhook.deploymentVersionId))
|
||||
)
|
||||
)
|
||||
)
|
||||
.limit(1)
|
||||
if (existingForBlock.length > 0) {
|
||||
targetWebhookId = existingForBlock[0].id
|
||||
}
|
||||
}
|
||||
if (!targetWebhookId) {
|
||||
const conflictingOwner = await findConflictingWebhookPathOwner({
|
||||
path: finalPath,
|
||||
workflowId,
|
||||
})
|
||||
if (conflictingOwner) {
|
||||
logger.warn(`[${requestId}] Webhook path conflict: ${finalPath}`)
|
||||
return NextResponse.json(
|
||||
{ error: 'Webhook path already exists.', code: 'PATH_EXISTS' },
|
||||
{ status: 409 }
|
||||
)
|
||||
}
|
||||
|
||||
const ownExisting = await db
|
||||
.select({ id: webhook.id })
|
||||
.from(webhook)
|
||||
.where(
|
||||
and(
|
||||
eq(webhook.path, finalPath),
|
||||
eq(webhook.workflowId, workflowId),
|
||||
isNull(webhook.archivedAt)
|
||||
)
|
||||
)
|
||||
.limit(1)
|
||||
if (ownExisting.length > 0) {
|
||||
targetWebhookId = ownExisting[0].id
|
||||
}
|
||||
}
|
||||
|
||||
let savedWebhook: any = null
|
||||
let existingWebhook: any = null
|
||||
const originalProviderConfig = providerConfig || {}
|
||||
let resolvedProviderConfig = await resolveEnvVarsInObject(
|
||||
originalProviderConfig,
|
||||
userId,
|
||||
workflowRecord.workspaceId || undefined
|
||||
)
|
||||
|
||||
let externalSubscriptionCreated = false
|
||||
const createTempWebhookData = (providerConfigOverride = resolvedProviderConfig) => ({
|
||||
id: targetWebhookId || generateShortId(),
|
||||
path: finalPath,
|
||||
provider,
|
||||
providerConfig: providerConfigOverride,
|
||||
})
|
||||
|
||||
const userProvided = originalProviderConfig as Record<string, unknown>
|
||||
const configToSave: Record<string, unknown> = { ...userProvided }
|
||||
|
||||
if (targetWebhookId) {
|
||||
const existingRows = await db
|
||||
.select()
|
||||
.from(webhook)
|
||||
.where(eq(webhook.id, targetWebhookId))
|
||||
.limit(1)
|
||||
existingWebhook = existingRows[0] || null
|
||||
}
|
||||
|
||||
const shouldRecreateSubscription =
|
||||
existingWebhook &&
|
||||
shouldRecreateExternalWebhookSubscription({
|
||||
previousProvider: existingWebhook.provider as string,
|
||||
nextProvider: provider,
|
||||
previousConfig: ((existingWebhook.providerConfig as Record<string, unknown>) ||
|
||||
{}) as Record<string, unknown>,
|
||||
nextConfig: resolvedProviderConfig,
|
||||
})
|
||||
|
||||
if (!existingWebhook || shouldRecreateSubscription) {
|
||||
try {
|
||||
const result = await createExternalWebhookSubscription(
|
||||
request,
|
||||
createTempWebhookData(),
|
||||
workflowRecord,
|
||||
userId,
|
||||
requestId
|
||||
)
|
||||
const updatedConfig = result.updatedProviderConfig as Record<string, unknown>
|
||||
mergeNonUserFields(configToSave, updatedConfig, userProvided)
|
||||
resolvedProviderConfig = updatedConfig
|
||||
externalSubscriptionCreated = result.externalSubscriptionCreated
|
||||
} catch (err) {
|
||||
logger.error(`[${requestId}] Error creating external webhook subscription`, err)
|
||||
return NextResponse.json(
|
||||
{
|
||||
error: 'Failed to create external webhook subscription',
|
||||
details: getErrorMessage(err, 'Unknown error'),
|
||||
},
|
||||
{ status: 500 }
|
||||
)
|
||||
}
|
||||
} else {
|
||||
mergeNonUserFields(
|
||||
configToSave,
|
||||
(existingWebhook.providerConfig as Record<string, unknown>) || {},
|
||||
userProvided
|
||||
)
|
||||
}
|
||||
|
||||
try {
|
||||
if (targetWebhookId) {
|
||||
logger.info(`[${requestId}] Updating existing webhook for path: ${finalPath}`, {
|
||||
webhookId: targetWebhookId,
|
||||
provider,
|
||||
hasCredentialId: !!(configToSave as any)?.credentialId,
|
||||
credentialId: (configToSave as any)?.credentialId,
|
||||
})
|
||||
const updatedResult = await db
|
||||
.update(webhook)
|
||||
.set({
|
||||
blockId,
|
||||
provider,
|
||||
providerConfig: configToSave,
|
||||
isActive: true,
|
||||
updatedAt: new Date(),
|
||||
})
|
||||
.where(eq(webhook.id, targetWebhookId))
|
||||
.returning()
|
||||
savedWebhook = updatedResult[0]
|
||||
logger.info(`[${requestId}] Webhook updated successfully`, {
|
||||
webhookId: savedWebhook.id,
|
||||
savedProviderConfig: savedWebhook.providerConfig,
|
||||
})
|
||||
} else {
|
||||
// Create a new webhook
|
||||
const webhookId = generateShortId()
|
||||
logger.info(`[${requestId}] Creating new webhook with ID: ${webhookId}`)
|
||||
const newResult = await db
|
||||
.insert(webhook)
|
||||
.values({
|
||||
id: webhookId,
|
||||
workflowId,
|
||||
blockId,
|
||||
path: finalPath,
|
||||
provider,
|
||||
providerConfig: configToSave,
|
||||
isActive: true,
|
||||
createdAt: new Date(),
|
||||
updatedAt: new Date(),
|
||||
})
|
||||
.returning()
|
||||
savedWebhook = newResult[0]
|
||||
}
|
||||
} catch (dbError) {
|
||||
if (externalSubscriptionCreated) {
|
||||
logger.error(`[${requestId}] DB save failed, cleaning up external subscription`, dbError)
|
||||
try {
|
||||
await cleanupExternalWebhook(
|
||||
createTempWebhookData(configToSave),
|
||||
workflowRecord,
|
||||
requestId
|
||||
)
|
||||
} catch (cleanupError) {
|
||||
logger.error(
|
||||
`[${requestId}] Failed to cleanup external subscription after DB save failure`,
|
||||
cleanupError
|
||||
)
|
||||
}
|
||||
}
|
||||
throw dbError
|
||||
}
|
||||
|
||||
if (existingWebhook && shouldRecreateSubscription) {
|
||||
try {
|
||||
await cleanupExternalWebhook(existingWebhook, workflowRecord, requestId)
|
||||
} catch (cleanupError) {
|
||||
logger.warn(
|
||||
`[${requestId}] Failed to cleanup previous external webhook subscription ${existingWebhook.id}`,
|
||||
cleanupError
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
if (savedWebhook) {
|
||||
const pollingHandler = getProviderHandler(provider)
|
||||
if (pollingHandler.configurePolling) {
|
||||
logger.info(
|
||||
`[${requestId}] ${provider} provider detected. Setting up polling configuration.`
|
||||
)
|
||||
try {
|
||||
const success = await pollingHandler.configurePolling({
|
||||
webhook: savedWebhook,
|
||||
requestId,
|
||||
})
|
||||
|
||||
if (!success) {
|
||||
logger.error(
|
||||
`[${requestId}] Failed to configure ${provider} polling, rolling back webhook`
|
||||
)
|
||||
await revertSavedWebhook(savedWebhook, existingWebhook, requestId)
|
||||
return NextResponse.json(
|
||||
{
|
||||
error: `Failed to configure ${provider} polling`,
|
||||
details: 'Please check your account permissions and try again',
|
||||
},
|
||||
{ status: 500 }
|
||||
)
|
||||
}
|
||||
|
||||
logger.info(`[${requestId}] Successfully configured ${provider} polling`)
|
||||
} catch (err) {
|
||||
logger.error(
|
||||
`[${requestId}] Error setting up ${provider} webhook configuration, rolling back webhook`,
|
||||
err
|
||||
)
|
||||
await revertSavedWebhook(savedWebhook, existingWebhook, requestId)
|
||||
return NextResponse.json(
|
||||
{
|
||||
error: `Failed to configure ${provider} webhook`,
|
||||
details: getErrorMessage(err, 'Unknown error'),
|
||||
},
|
||||
{ status: 500 }
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (!targetWebhookId && savedWebhook) {
|
||||
try {
|
||||
PlatformEvents.webhookCreated({
|
||||
webhookId: savedWebhook.id,
|
||||
workflowId: workflowId,
|
||||
provider: provider || 'generic',
|
||||
workspaceId: workflowRecord.workspaceId || undefined,
|
||||
})
|
||||
} catch {
|
||||
// Telemetry should not fail the operation
|
||||
}
|
||||
|
||||
recordAudit({
|
||||
workspaceId: workflowRecord.workspaceId || null,
|
||||
actorId: userId,
|
||||
actorName: session?.user?.name ?? undefined,
|
||||
actorEmail: session?.user?.email ?? undefined,
|
||||
action: AuditAction.WEBHOOK_CREATED,
|
||||
resourceType: AuditResourceType.WEBHOOK,
|
||||
resourceId: savedWebhook.id,
|
||||
resourceName: provider || 'generic',
|
||||
description: `Created ${provider || 'generic'} webhook`,
|
||||
metadata: {
|
||||
provider: provider || 'generic',
|
||||
workflowId,
|
||||
webhookPath: finalPath,
|
||||
blockId: blockId || undefined,
|
||||
},
|
||||
request,
|
||||
})
|
||||
|
||||
const wsId = workflowRecord.workspaceId || undefined
|
||||
captureServerEvent(
|
||||
userId,
|
||||
'webhook_trigger_created',
|
||||
{
|
||||
webhook_id: savedWebhook.id,
|
||||
workflow_id: workflowId,
|
||||
provider: provider || 'generic',
|
||||
workspace_id: wsId ?? '',
|
||||
},
|
||||
wsId ? { groups: { workspace: wsId } } : undefined
|
||||
)
|
||||
}
|
||||
|
||||
const status = targetWebhookId ? 200 : 201
|
||||
return NextResponse.json({ webhook: savedWebhook }, { status })
|
||||
} catch (error: any) {
|
||||
if (error instanceof WorkflowLockedError) {
|
||||
return NextResponse.json({ error: error.message }, { status: error.status })
|
||||
}
|
||||
|
||||
logger.error(`[${requestId}] Error creating/updating webhook`, {
|
||||
message: error.message,
|
||||
stack: error.stack,
|
||||
})
|
||||
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
|
||||
}
|
||||
})
|
||||
@@ -0,0 +1,136 @@
|
||||
/**
|
||||
* @vitest-environment node
|
||||
*/
|
||||
import { beforeEach, describe, expect, it, vi } from 'vitest'
|
||||
|
||||
const {
|
||||
mockParseWebhookBody,
|
||||
mockFindWebhooksByRoutingKey,
|
||||
mockDispatchResolvedWebhookTarget,
|
||||
mockGetSlackBotCredential,
|
||||
mockHandleChallenge,
|
||||
mockVerifySignature,
|
||||
} = vi.hoisted(() => ({
|
||||
mockParseWebhookBody: vi.fn(),
|
||||
mockFindWebhooksByRoutingKey: vi.fn(),
|
||||
mockDispatchResolvedWebhookTarget: vi.fn(),
|
||||
mockGetSlackBotCredential: vi.fn(),
|
||||
mockHandleChallenge: vi.fn(),
|
||||
mockVerifySignature: vi.fn(),
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/core/admission/gate', () => ({
|
||||
tryAdmit: () => ({ release: vi.fn() }),
|
||||
admissionRejectedResponse: () => new Response(null, { status: 503 }),
|
||||
}))
|
||||
|
||||
vi.mock('@/app/api/auth/oauth/utils', () => ({
|
||||
getSlackBotCredential: mockGetSlackBotCredential,
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/webhooks/processor', () => ({
|
||||
parseWebhookBody: mockParseWebhookBody,
|
||||
findWebhooksByRoutingKey: mockFindWebhooksByRoutingKey,
|
||||
dispatchResolvedWebhookTarget: mockDispatchResolvedWebhookTarget,
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/webhooks/providers/slack', () => ({
|
||||
handleSlackChallenge: mockHandleChallenge,
|
||||
verifySlackRequestSignature: mockVerifySignature,
|
||||
resolveSlackEventKey: () => null,
|
||||
}))
|
||||
|
||||
import { POST } from '@/app/api/webhooks/slack/custom/[credentialId]/route'
|
||||
|
||||
const CREDENTIAL_ID = 'cred-123'
|
||||
|
||||
function makeRequest() {
|
||||
return new Request('https://sim.test/api/webhooks/slack/custom/cred-123', {
|
||||
method: 'POST',
|
||||
headers: { 'x-slack-request-timestamp': '1700000000' },
|
||||
}) as unknown as import('next/server').NextRequest
|
||||
}
|
||||
|
||||
const context = { params: Promise.resolve({ credentialId: CREDENTIAL_ID }) }
|
||||
|
||||
const messageBody = {
|
||||
team_id: 'T1',
|
||||
api_app_id: 'A1',
|
||||
event: { type: 'message', channel_type: 'channel', channel: 'C1', ts: '1.1' },
|
||||
}
|
||||
|
||||
function webhook(id: string) {
|
||||
return { webhook: { id, blockId: `blk-${id}`, providerConfig: {} }, workflow: { id: `wf-${id}` } }
|
||||
}
|
||||
|
||||
describe('Slack custom-bot webhook route', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks()
|
||||
mockHandleChallenge.mockReturnValue(null)
|
||||
mockVerifySignature.mockReturnValue(null)
|
||||
mockParseWebhookBody.mockResolvedValue({
|
||||
body: messageBody,
|
||||
rawBody: JSON.stringify(messageBody),
|
||||
})
|
||||
mockGetSlackBotCredential.mockResolvedValue({
|
||||
signingSecret: 'sec',
|
||||
botToken: 'xoxb-x',
|
||||
teamId: 'T1',
|
||||
})
|
||||
mockFindWebhooksByRoutingKey.mockResolvedValue([webhook('wh1')])
|
||||
mockDispatchResolvedWebhookTarget.mockResolvedValue({
|
||||
outcome: 'queued',
|
||||
response: new Response(null, { status: 200 }),
|
||||
reason: 'queued',
|
||||
})
|
||||
})
|
||||
|
||||
it('echoes the url_verification challenge without loading the credential', async () => {
|
||||
mockHandleChallenge.mockReturnValue(new Response('ok', { status: 200 }))
|
||||
await POST(makeRequest(), context)
|
||||
expect(mockGetSlackBotCredential).not.toHaveBeenCalled()
|
||||
expect(mockVerifySignature).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('404s an unknown credential', async () => {
|
||||
mockGetSlackBotCredential.mockResolvedValue(null)
|
||||
const res = await POST(makeRequest(), context)
|
||||
expect(res.status).toBe(404)
|
||||
expect(mockDispatchResolvedWebhookTarget).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('verifies with the credential signing secret and rejects a bad signature', async () => {
|
||||
mockVerifySignature.mockReturnValue(new Response(null, { status: 401 }))
|
||||
const res = await POST(makeRequest(), context)
|
||||
expect(mockVerifySignature).toHaveBeenCalledWith(
|
||||
'sec',
|
||||
expect.anything(),
|
||||
expect.any(String),
|
||||
expect.any(String)
|
||||
)
|
||||
expect(res.status).toBe(401)
|
||||
expect(mockDispatchResolvedWebhookTarget).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('fans out by credential id (provider slack) and dispatches each webhook', async () => {
|
||||
const res = await POST(makeRequest(), context)
|
||||
expect(mockFindWebhooksByRoutingKey).toHaveBeenCalledWith(
|
||||
CREDENTIAL_ID,
|
||||
expect.any(String),
|
||||
'slack'
|
||||
)
|
||||
expect(mockDispatchResolvedWebhookTarget).toHaveBeenCalledTimes(1)
|
||||
expect(res.status).toBe(200)
|
||||
})
|
||||
|
||||
it('still returns 200 when the dispatcher filters the event', async () => {
|
||||
mockDispatchResolvedWebhookTarget.mockResolvedValue({
|
||||
outcome: 'ignored',
|
||||
response: new Response(null, { status: 200 }),
|
||||
reason: 'filtered',
|
||||
})
|
||||
const res = await POST(makeRequest(), context)
|
||||
expect(mockDispatchResolvedWebhookTarget).toHaveBeenCalledTimes(1)
|
||||
expect(res.status).toBe(200)
|
||||
})
|
||||
})
|
||||
@@ -0,0 +1,88 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { admissionRejectedResponse, tryAdmit } from '@/lib/core/admission/gate'
|
||||
import { generateRequestId } from '@/lib/core/utils/request'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import { findWebhooksByRoutingKey, parseWebhookBody } from '@/lib/webhooks/processor'
|
||||
import { handleSlackChallenge, verifySlackRequestSignature } from '@/lib/webhooks/providers/slack'
|
||||
import { dispatchSlackWebhooks } from '@/lib/webhooks/slack-dispatch'
|
||||
import { getSlackBotCredential } from '@/app/api/auth/oauth/utils'
|
||||
|
||||
const logger = createLogger('SlackCustomBotWebhookAPI')
|
||||
|
||||
export const dynamic = 'force-dynamic'
|
||||
export const runtime = 'nodejs'
|
||||
export const maxDuration = 60
|
||||
|
||||
/**
|
||||
* Ingest endpoint for a reusable custom Slack bot. The bot's single Event
|
||||
* Subscriptions Request URL embeds its credential id, so every trigger that
|
||||
* references the same bot credential shares one URL — routed here by
|
||||
* `routingKey = credentialId` (mirrors the native `/api/webhooks/slack`
|
||||
* `team_id` fan-out). Requests are HMAC-verified with the credential's OWN
|
||||
* signing secret (not the shared env secret).
|
||||
*/
|
||||
export const POST = withRouteHandler(
|
||||
async (request: NextRequest, context: { params: Promise<{ credentialId: string }> }) => {
|
||||
const ticket = tryAdmit()
|
||||
if (!ticket) {
|
||||
return admissionRejectedResponse()
|
||||
}
|
||||
try {
|
||||
return await handleSlackCustomBotWebhook(request, context)
|
||||
} finally {
|
||||
ticket.release()
|
||||
}
|
||||
}
|
||||
)
|
||||
|
||||
async function handleSlackCustomBotWebhook(
|
||||
request: NextRequest,
|
||||
context: { params: Promise<{ credentialId: string }> }
|
||||
): Promise<NextResponse> {
|
||||
const receivedAt = Date.now()
|
||||
const requestId = generateRequestId()
|
||||
const { credentialId } = await context.params
|
||||
|
||||
const parseResult = await parseWebhookBody(request, requestId)
|
||||
if (parseResult instanceof NextResponse) {
|
||||
return parseResult
|
||||
}
|
||||
const { body, rawBody } = parseResult
|
||||
|
||||
// Echo Slack's url_verification challenge unconditionally — this is how Slack
|
||||
// verifies the Request URL when the app is created from the manifest, before
|
||||
// the bot is installed / the credential is finalized.
|
||||
const challenge = handleSlackChallenge(body)
|
||||
if (challenge) {
|
||||
return challenge
|
||||
}
|
||||
|
||||
const botCredential = await getSlackBotCredential(credentialId)
|
||||
if (!botCredential) {
|
||||
logger.warn(`[${requestId}] Unknown Slack bot credential ${credentialId}`)
|
||||
return new NextResponse(null, { status: 404 })
|
||||
}
|
||||
|
||||
const authError = verifySlackRequestSignature(
|
||||
botCredential.signingSecret,
|
||||
request,
|
||||
rawBody,
|
||||
requestId
|
||||
)
|
||||
if (authError) {
|
||||
return authError
|
||||
}
|
||||
|
||||
const webhooks = await findWebhooksByRoutingKey(credentialId, requestId, 'slack')
|
||||
if (webhooks.length === 0) {
|
||||
logger.info(
|
||||
`[${requestId}] No active trigger for bot credential ${credentialId}; nothing to run`
|
||||
)
|
||||
return new NextResponse(null, { status: 200 })
|
||||
}
|
||||
|
||||
await dispatchSlackWebhooks(webhooks, { body, request, requestId, receivedAt })
|
||||
|
||||
return new NextResponse(null, { status: 200 })
|
||||
}
|
||||
@@ -0,0 +1,126 @@
|
||||
/**
|
||||
* @vitest-environment node
|
||||
*/
|
||||
import { beforeEach, describe, expect, it, vi } from 'vitest'
|
||||
|
||||
const { mockParseWebhookBody, mockFindWebhooksByRoutingKey, mockDispatchResolvedWebhookTarget } =
|
||||
vi.hoisted(() => ({
|
||||
mockParseWebhookBody: vi.fn(),
|
||||
mockFindWebhooksByRoutingKey: vi.fn(),
|
||||
mockDispatchResolvedWebhookTarget: vi.fn(),
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/core/admission/gate', () => ({
|
||||
tryAdmit: () => ({ release: vi.fn() }),
|
||||
admissionRejectedResponse: () => new Response(null, { status: 503 }),
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/core/config/env', () => ({
|
||||
env: { SLACK_SIGNING_SECRET: 'test-secret' },
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/webhooks/processor', () => ({
|
||||
parseWebhookBody: mockParseWebhookBody,
|
||||
findWebhooksByRoutingKey: mockFindWebhooksByRoutingKey,
|
||||
dispatchResolvedWebhookTarget: mockDispatchResolvedWebhookTarget,
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/webhooks/providers/slack', () => ({
|
||||
handleSlackChallenge: () => null,
|
||||
verifySlackRequestSignature: () => null,
|
||||
resolveSlackEventKey: () => null,
|
||||
}))
|
||||
|
||||
import { POST } from '@/app/api/webhooks/slack/route'
|
||||
|
||||
function makeRequest() {
|
||||
return new Request('https://sim.test/api/webhooks/slack', {
|
||||
method: 'POST',
|
||||
headers: { 'x-slack-request-timestamp': '1700000000' },
|
||||
}) as unknown as import('next/server').NextRequest
|
||||
}
|
||||
|
||||
function webhook(id: string) {
|
||||
return { webhook: { id, blockId: `blk-${id}`, providerConfig: {} }, workflow: { id: `wf-${id}` } }
|
||||
}
|
||||
|
||||
async function run(body: Record<string, unknown>) {
|
||||
mockParseWebhookBody.mockResolvedValue({ body, rawBody: JSON.stringify(body) })
|
||||
await POST(makeRequest())
|
||||
}
|
||||
|
||||
const messageBody = {
|
||||
team_id: 'T1',
|
||||
api_app_id: 'A1',
|
||||
event: { type: 'message', channel_type: 'channel', channel: 'C1', ts: '1.1' },
|
||||
}
|
||||
|
||||
describe('Slack app webhook route', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks()
|
||||
mockFindWebhooksByRoutingKey.mockResolvedValue([webhook('wh1')])
|
||||
mockDispatchResolvedWebhookTarget.mockResolvedValue({
|
||||
outcome: 'queued',
|
||||
response: new Response(null, { status: 200 }),
|
||||
reason: 'queued',
|
||||
})
|
||||
})
|
||||
|
||||
it('dispatches each webhook resolved for the event team', async () => {
|
||||
await run(messageBody)
|
||||
expect(mockDispatchResolvedWebhookTarget).toHaveBeenCalledTimes(1)
|
||||
})
|
||||
|
||||
it('continues cleanly when the dispatcher filters the event', async () => {
|
||||
mockDispatchResolvedWebhookTarget.mockResolvedValue({
|
||||
outcome: 'ignored',
|
||||
response: new Response(null, { status: 200 }),
|
||||
reason: 'filtered',
|
||||
})
|
||||
await run(messageBody)
|
||||
expect(mockDispatchResolvedWebhookTarget).toHaveBeenCalledTimes(1)
|
||||
})
|
||||
|
||||
it('routes via Slack Connect authorizations and dedups overlapping webhooks', async () => {
|
||||
// Two candidate teams (outer + authorization) that resolve to overlapping webhooks.
|
||||
mockFindWebhooksByRoutingKey.mockImplementation(async (teamId: string) =>
|
||||
teamId === 'T1' ? [webhook('wh1')] : [webhook('wh1'), webhook('wh2')]
|
||||
)
|
||||
await run({
|
||||
...messageBody,
|
||||
authorizations: [{ team_id: 'T2' }],
|
||||
})
|
||||
expect(mockFindWebhooksByRoutingKey).toHaveBeenCalledTimes(2)
|
||||
// wh1 (in both) is dispatched once, wh2 once — dedup by webhook id.
|
||||
expect(mockDispatchResolvedWebhookTarget).toHaveBeenCalledTimes(2)
|
||||
})
|
||||
|
||||
it('returns 200 with no team_id', async () => {
|
||||
await run({ event: { type: 'message' } })
|
||||
expect(mockFindWebhooksByRoutingKey).not.toHaveBeenCalled()
|
||||
expect(mockDispatchResolvedWebhookTarget).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('routes an interaction payload by payload.team.id', async () => {
|
||||
await run({
|
||||
type: 'block_actions',
|
||||
api_app_id: 'A1',
|
||||
team: { id: 'T1' },
|
||||
user: { id: 'U1' },
|
||||
actions: [{ action_id: 'approve_btn' }],
|
||||
})
|
||||
expect(mockFindWebhooksByRoutingKey).toHaveBeenCalledWith('T1', expect.anything())
|
||||
expect(mockDispatchResolvedWebhookTarget).toHaveBeenCalledTimes(1)
|
||||
})
|
||||
|
||||
it('fails closed on an interaction missing payload.team.id (never routes on user.team_id)', async () => {
|
||||
await run({
|
||||
type: 'block_actions',
|
||||
api_app_id: 'A1',
|
||||
user: { id: 'U1', team_id: 'T_OTHER' },
|
||||
actions: [{ action_id: 'approve_btn' }],
|
||||
})
|
||||
expect(mockFindWebhooksByRoutingKey).not.toHaveBeenCalled()
|
||||
expect(mockDispatchResolvedWebhookTarget).not.toHaveBeenCalled()
|
||||
})
|
||||
})
|
||||
@@ -0,0 +1,112 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { admissionRejectedResponse, tryAdmit } from '@/lib/core/admission/gate'
|
||||
import { env } from '@/lib/core/config/env'
|
||||
import { generateRequestId } from '@/lib/core/utils/request'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import { findWebhooksByRoutingKey, parseWebhookBody } from '@/lib/webhooks/processor'
|
||||
import { handleSlackChallenge, verifySlackRequestSignature } from '@/lib/webhooks/providers/slack'
|
||||
import { dispatchSlackWebhooks } from '@/lib/webhooks/slack-dispatch'
|
||||
|
||||
const logger = createLogger('SlackAppWebhookAPI')
|
||||
|
||||
export const dynamic = 'force-dynamic'
|
||||
export const runtime = 'nodejs'
|
||||
export const maxDuration = 60
|
||||
|
||||
/**
|
||||
* Single ingest endpoint for the official Sim Slack app. Every workspace's
|
||||
* events arrive here and are routed to listening workflows by Slack `team_id`
|
||||
* (and Slack Connect `authorizations[].team_id`) after HMAC verification with
|
||||
* the shared app signing secret. This is the request URL configured in the
|
||||
* app's Event Subscriptions.
|
||||
*/
|
||||
export const POST = withRouteHandler(async (request: NextRequest) => {
|
||||
const ticket = tryAdmit()
|
||||
if (!ticket) {
|
||||
return admissionRejectedResponse()
|
||||
}
|
||||
|
||||
try {
|
||||
return await handleSlackAppWebhook(request)
|
||||
} finally {
|
||||
ticket.release()
|
||||
}
|
||||
})
|
||||
|
||||
async function handleSlackAppWebhook(request: NextRequest): Promise<NextResponse> {
|
||||
const receivedAt = Date.now()
|
||||
const requestId = generateRequestId()
|
||||
|
||||
const parseResult = await parseWebhookBody(request, requestId)
|
||||
if (parseResult instanceof NextResponse) {
|
||||
return parseResult
|
||||
}
|
||||
const { body, rawBody } = parseResult
|
||||
|
||||
// Slack's endpoint verification handshake — echo the challenge back.
|
||||
const challenge = handleSlackChallenge(body)
|
||||
if (challenge) {
|
||||
return challenge
|
||||
}
|
||||
|
||||
const signingSecret = env.SLACK_SIGNING_SECRET
|
||||
if (!signingSecret) {
|
||||
logger.error(`[${requestId}] SLACK_SIGNING_SECRET is not configured`)
|
||||
return new NextResponse('Slack app not configured', { status: 500 })
|
||||
}
|
||||
|
||||
const authError = verifySlackRequestSignature(signingSecret, request, rawBody, requestId)
|
||||
if (authError) {
|
||||
return authError
|
||||
}
|
||||
|
||||
const payload = body as Record<string, unknown>
|
||||
|
||||
// Route by the installed workspace(s). For Slack Connect the outer `team_id`
|
||||
// may be the sender's workspace, so every authorized installation is a
|
||||
// routing candidate. Team ids are Slack-attested (post-signature), never user
|
||||
// input.
|
||||
const teamIds = new Set<string>()
|
||||
if (typeof payload.team_id === 'string' && payload.team_id.length > 0) {
|
||||
teamIds.add(payload.team_id)
|
||||
}
|
||||
const authorizations = Array.isArray(payload.authorizations) ? payload.authorizations : []
|
||||
for (const authorization of authorizations) {
|
||||
const teamId = (authorization as Record<string, unknown>)?.team_id
|
||||
if (typeof teamId === 'string' && teamId.length > 0) {
|
||||
teamIds.add(teamId)
|
||||
}
|
||||
}
|
||||
// Interactivity payloads (block_actions / view_submission) carry no top-level
|
||||
// `team_id` / `authorizations`; the install/context workspace is at
|
||||
// `payload.team.id`. Route on that ONLY — never `payload.user.team_id`, which
|
||||
// in Slack Connect can be a different (external) tenant. Slack-attested,
|
||||
// post-signature, so not user-forgeable.
|
||||
if (teamIds.size === 0) {
|
||||
const interactionTeamId = (payload.team as Record<string, unknown> | undefined)?.id
|
||||
if (typeof interactionTeamId === 'string' && interactionTeamId.length > 0) {
|
||||
teamIds.add(interactionTeamId)
|
||||
}
|
||||
}
|
||||
if (teamIds.size === 0) {
|
||||
logger.warn(`[${requestId}] Slack event missing team_id`)
|
||||
return new NextResponse(null, { status: 200 })
|
||||
}
|
||||
|
||||
const webhooksById = new Map<string, { webhook: any; workflow: any }>()
|
||||
for (const teamId of teamIds) {
|
||||
const found = await findWebhooksByRoutingKey(teamId, requestId)
|
||||
for (const entry of found) {
|
||||
webhooksById.set(entry.webhook.id, entry)
|
||||
}
|
||||
}
|
||||
const webhooks = [...webhooksById.values()]
|
||||
if (webhooks.length === 0) {
|
||||
return new NextResponse(null, { status: 200 })
|
||||
}
|
||||
|
||||
await dispatchSlackWebhooks(webhooks, { body, request, requestId, receivedAt })
|
||||
|
||||
return new NextResponse(null, { status: 200 })
|
||||
}
|
||||
@@ -0,0 +1,116 @@
|
||||
/**
|
||||
* @vitest-environment node
|
||||
*/
|
||||
|
||||
import crypto from 'node:crypto'
|
||||
import { NextRequest } from 'next/server'
|
||||
import { beforeEach, describe, expect, it, vi } from 'vitest'
|
||||
|
||||
const { mockEnqueue, mockExecuteTikTokWebhookIngress, mockRelease } = vi.hoisted(() => ({
|
||||
mockEnqueue: vi.fn(),
|
||||
mockExecuteTikTokWebhookIngress: vi.fn(),
|
||||
mockRelease: vi.fn(),
|
||||
}))
|
||||
|
||||
vi.mock('@/background/tiktok-webhook-ingress', () => ({
|
||||
executeTikTokWebhookIngress: mockExecuteTikTokWebhookIngress,
|
||||
TIKTOK_WEBHOOK_INGRESS_CONCURRENCY_LIMIT: 50,
|
||||
TIKTOK_WEBHOOK_INGRESS_MAX_ATTEMPTS: 3,
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/core/admission/gate', () => ({
|
||||
admissionRejectedResponse: vi.fn(() => new Response(null, { status: 503 })),
|
||||
tryAdmit: vi.fn(() => ({ release: mockRelease })),
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/core/async-jobs', () => ({
|
||||
getJobQueue: vi.fn(async () => ({ enqueue: mockEnqueue })),
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/core/config/env', () => ({
|
||||
env: {
|
||||
TIKTOK_CLIENT_ID: 'client-key',
|
||||
TIKTOK_CLIENT_SECRET: 'client-secret',
|
||||
},
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/core/utils/request', () => ({
|
||||
generateRequestId: vi.fn(() => 'request-1'),
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/core/utils/with-route-handler', () => ({
|
||||
withRouteHandler:
|
||||
(handler: (request: NextRequest) => Promise<Response>) => (request: NextRequest) =>
|
||||
handler(request),
|
||||
}))
|
||||
|
||||
import { POST } from '@/app/api/webhooks/tiktok/route'
|
||||
|
||||
function signedRequest(overrides?: { clientKey?: string }): NextRequest {
|
||||
const body = JSON.stringify({
|
||||
client_key: overrides?.clientKey ?? 'client-key',
|
||||
event: 'post.publish.complete',
|
||||
create_time: 1_725_000_000,
|
||||
user_openid: 'act.user',
|
||||
content: '{"publish_id":"publish-1"}',
|
||||
})
|
||||
const timestamp = String(Math.floor(Date.now() / 1000))
|
||||
const signature = crypto
|
||||
.createHmac('sha256', 'client-secret')
|
||||
.update(`${timestamp}.${body}`, 'utf8')
|
||||
.digest('hex')
|
||||
|
||||
return new NextRequest('http://localhost/api/webhooks/tiktok', {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'content-type': 'application/json',
|
||||
'TikTok-Signature': `t=${timestamp},s=${signature}`,
|
||||
},
|
||||
body,
|
||||
})
|
||||
}
|
||||
|
||||
describe('TikTok webhook ingress route', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks()
|
||||
mockEnqueue.mockResolvedValue('ingress-job-1')
|
||||
})
|
||||
|
||||
it('returns 200 only after the verified delivery is accepted by the job queue', async () => {
|
||||
const response = await POST(signedRequest())
|
||||
|
||||
expect(response.status).toBe(200)
|
||||
await expect(response.json()).resolves.toEqual({ ok: true })
|
||||
expect(mockEnqueue).toHaveBeenCalledWith(
|
||||
'tiktok-webhook-ingress',
|
||||
expect.objectContaining({
|
||||
envelope: expect.objectContaining({
|
||||
client_key: 'client-key',
|
||||
user_openid: 'act.user',
|
||||
}),
|
||||
requestId: 'request-1',
|
||||
}),
|
||||
expect.objectContaining({
|
||||
maxAttempts: 3,
|
||||
runner: expect.any(Function),
|
||||
})
|
||||
)
|
||||
expect(mockRelease).toHaveBeenCalledOnce()
|
||||
})
|
||||
|
||||
it('returns 503 when durable acceptance fails so TikTok retries', async () => {
|
||||
mockEnqueue.mockRejectedValue(new Error('queue unavailable'))
|
||||
|
||||
const response = await POST(signedRequest())
|
||||
|
||||
expect(response.status).toBe(503)
|
||||
expect(mockRelease).toHaveBeenCalledOnce()
|
||||
})
|
||||
|
||||
it('rejects a signed delivery for a different TikTok app', async () => {
|
||||
const response = await POST(signedRequest({ clientKey: 'other-client-key' }))
|
||||
|
||||
expect(response.status).toBe(401)
|
||||
expect(mockEnqueue).not.toHaveBeenCalled()
|
||||
})
|
||||
})
|
||||
@@ -0,0 +1,135 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { getErrorMessage } from '@sim/utils/errors'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { tiktokWebhookEnvelopeSchema } from '@/lib/api/contracts/webhooks'
|
||||
import { admissionRejectedResponse, tryAdmit } from '@/lib/core/admission/gate'
|
||||
import { getJobQueue } from '@/lib/core/async-jobs'
|
||||
import { env } from '@/lib/core/config/env'
|
||||
import { generateRequestId } from '@/lib/core/utils/request'
|
||||
import {
|
||||
assertContentLengthWithinLimit,
|
||||
isPayloadSizeLimitError,
|
||||
readStreamToBufferWithLimit,
|
||||
} from '@/lib/core/utils/stream-limits'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import { WEBHOOK_MAX_BODY_BYTES } from '@/lib/webhooks/constants'
|
||||
import { verifyTikTokSignature } from '@/lib/webhooks/providers/tiktok'
|
||||
import {
|
||||
executeTikTokWebhookIngress,
|
||||
TIKTOK_WEBHOOK_INGRESS_CONCURRENCY_LIMIT,
|
||||
TIKTOK_WEBHOOK_INGRESS_MAX_ATTEMPTS,
|
||||
type TikTokWebhookIngressPayload,
|
||||
} from '@/background/tiktok-webhook-ingress'
|
||||
|
||||
const logger = createLogger('TikTokWebhookIngress')
|
||||
|
||||
const TIKTOK_BODY_LABEL = 'TikTok webhook body'
|
||||
|
||||
export const dynamic = 'force-dynamic'
|
||||
export const runtime = 'nodejs'
|
||||
export const maxDuration = 60
|
||||
|
||||
async function readTikTokBody(req: Request): Promise<string> {
|
||||
assertContentLengthWithinLimit(req.headers, WEBHOOK_MAX_BODY_BYTES, TIKTOK_BODY_LABEL)
|
||||
const buffer = await readStreamToBufferWithLimit(req.body, {
|
||||
maxBytes: WEBHOOK_MAX_BODY_BYTES,
|
||||
label: TIKTOK_BODY_LABEL,
|
||||
})
|
||||
return new TextDecoder().decode(buffer)
|
||||
}
|
||||
|
||||
/**
|
||||
* App-level TikTok webhook Callback URL.
|
||||
* Portal: `{APP_URL}/api/webhooks/tiktok` (e.g. https://www.sim.ai/api/webhooks/tiktok).
|
||||
* Verifies TikTok-Signature and durably accepts the delivery before background target fanout.
|
||||
*/
|
||||
export const POST = withRouteHandler(async (request: NextRequest) => {
|
||||
const ticket = tryAdmit()
|
||||
if (!ticket) {
|
||||
return admissionRejectedResponse()
|
||||
}
|
||||
|
||||
const requestId = generateRequestId()
|
||||
const receivedAt = Date.now()
|
||||
|
||||
try {
|
||||
let rawBody: string
|
||||
try {
|
||||
rawBody = await readTikTokBody(request)
|
||||
} catch (bodyError) {
|
||||
if (isPayloadSizeLimitError(bodyError)) {
|
||||
logger.warn(`[${requestId}] Rejected oversized TikTok webhook body`, {
|
||||
maxBytes: WEBHOOK_MAX_BODY_BYTES,
|
||||
observedBytes: bodyError.observedBytes,
|
||||
})
|
||||
return NextResponse.json({ error: 'Request body too large' }, { status: 413 })
|
||||
}
|
||||
throw bodyError
|
||||
}
|
||||
|
||||
const authError = verifyTikTokSignature(
|
||||
rawBody,
|
||||
request.headers.get('TikTok-Signature'),
|
||||
requestId
|
||||
)
|
||||
if (authError) {
|
||||
return authError
|
||||
}
|
||||
|
||||
let parsedJson: unknown
|
||||
try {
|
||||
parsedJson = rawBody ? JSON.parse(rawBody) : {}
|
||||
} catch {
|
||||
logger.warn(`[${requestId}] TikTok webhook body is not valid JSON`)
|
||||
// Ack to avoid retry storms on malformed payloads after a valid signature.
|
||||
return NextResponse.json({ ok: true })
|
||||
}
|
||||
|
||||
const envelopeResult = tiktokWebhookEnvelopeSchema.safeParse(parsedJson)
|
||||
if (!envelopeResult.success) {
|
||||
logger.warn(`[${requestId}] Invalid TikTok webhook envelope`, {
|
||||
issues: envelopeResult.error.issues,
|
||||
})
|
||||
return NextResponse.json({ ok: true })
|
||||
}
|
||||
|
||||
const envelope = envelopeResult.data
|
||||
if (!env.TIKTOK_CLIENT_ID || envelope.client_key !== env.TIKTOK_CLIENT_ID) {
|
||||
logger.warn(`[${requestId}] TikTok webhook client_key does not match configured app`)
|
||||
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
|
||||
const payload: TikTokWebhookIngressPayload = {
|
||||
envelope,
|
||||
headers: {
|
||||
'content-type': request.headers.get('content-type') ?? 'application/json',
|
||||
},
|
||||
requestId,
|
||||
receivedAt,
|
||||
}
|
||||
const jobQueue = await getJobQueue()
|
||||
const jobId = await jobQueue.enqueue('tiktok-webhook-ingress', payload, {
|
||||
maxAttempts: TIKTOK_WEBHOOK_INGRESS_MAX_ATTEMPTS,
|
||||
concurrencyKey: 'tiktok-webhook-ingress',
|
||||
concurrencyLimit: TIKTOK_WEBHOOK_INGRESS_CONCURRENCY_LIMIT,
|
||||
runner: async () => {
|
||||
await executeTikTokWebhookIngress(payload)
|
||||
},
|
||||
})
|
||||
|
||||
logger.info(`[${requestId}] Accepted TikTok webhook delivery`, {
|
||||
event: envelope.event,
|
||||
jobId,
|
||||
userOpenIdPrefix: envelope.user_openid.slice(0, 12),
|
||||
})
|
||||
|
||||
return NextResponse.json({ ok: true })
|
||||
} catch (error) {
|
||||
logger.error(`[${requestId}] TikTok webhook ingress error`, {
|
||||
error: getErrorMessage(error, 'Unknown error'),
|
||||
})
|
||||
return NextResponse.json({ error: 'Temporarily unable to accept webhook' }, { status: 503 })
|
||||
} finally {
|
||||
ticket.release()
|
||||
}
|
||||
})
|
||||
@@ -0,0 +1,953 @@
|
||||
/**
|
||||
* Integration tests for webhook trigger API route
|
||||
*
|
||||
* @vitest-environment node
|
||||
*/
|
||||
import {
|
||||
createMockRequest,
|
||||
encryptionMock,
|
||||
executionPreprocessingMock,
|
||||
executionPreprocessingMockFns,
|
||||
loggingSessionMock,
|
||||
workflowsPersistenceUtilsMock,
|
||||
workflowsPersistenceUtilsMockFns,
|
||||
workflowsUtilsMock,
|
||||
} from '@sim/testing'
|
||||
import { beforeEach, describe, expect, it, vi } from 'vitest'
|
||||
|
||||
vi.mock('@/lib/core/security/encryption', () => encryptionMock)
|
||||
|
||||
vi.mock('@/lib/logs/execution/trace-spans/trace-spans', () => ({
|
||||
buildTraceSpans: vi.fn().mockReturnValue({ traceSpans: [], totalDuration: 100 }),
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/workflows/utils', () => workflowsUtilsMock)
|
||||
|
||||
vi.mock('@/serializer', () => ({
|
||||
Serializer: vi.fn().mockImplementation(() => ({
|
||||
serializeWorkflow: vi.fn().mockReturnValue({
|
||||
version: '1.0',
|
||||
blocks: [
|
||||
{
|
||||
id: 'starter-id',
|
||||
metadata: { id: 'starter', name: 'Start' },
|
||||
config: {},
|
||||
inputs: {},
|
||||
outputs: {},
|
||||
position: { x: 100, y: 100 },
|
||||
enabled: true,
|
||||
},
|
||||
{
|
||||
id: 'agent-id',
|
||||
metadata: { id: 'agent', name: 'Agent 1' },
|
||||
config: {},
|
||||
inputs: {},
|
||||
outputs: {},
|
||||
position: { x: 634, y: -167 },
|
||||
enabled: true,
|
||||
},
|
||||
],
|
||||
edges: [
|
||||
{
|
||||
id: 'edge-1',
|
||||
source: 'starter-id',
|
||||
target: 'agent-id',
|
||||
sourceHandle: 'source',
|
||||
targetHandle: 'target',
|
||||
},
|
||||
],
|
||||
loops: {},
|
||||
parallels: {},
|
||||
}),
|
||||
})),
|
||||
}))
|
||||
|
||||
/**
|
||||
* Test data store - isolated per test via beforeEach reset
|
||||
* This replaces the global mutable state pattern with local test data
|
||||
*/
|
||||
const testData = {
|
||||
webhooks: [] as Array<{
|
||||
id: string
|
||||
provider: string
|
||||
path: string
|
||||
isActive: boolean
|
||||
providerConfig?: Record<string, unknown>
|
||||
workflowId: string
|
||||
rateLimitCount?: number
|
||||
rateLimitPeriod?: number
|
||||
}>,
|
||||
workflows: [] as Array<{
|
||||
id: string
|
||||
userId: string
|
||||
workspaceId?: string
|
||||
}>,
|
||||
}
|
||||
|
||||
const {
|
||||
generateRequestHashMock,
|
||||
validateSlackSignatureMock,
|
||||
handleWhatsAppVerificationMock,
|
||||
handleSlackChallengeMock,
|
||||
processWhatsAppDeduplicationMock,
|
||||
processGenericDeduplicationMock,
|
||||
processWebhookMock,
|
||||
executeMock,
|
||||
getWorkspaceBilledAccountUserIdMock,
|
||||
queueWebhookExecutionMock,
|
||||
dispatchResolvedWebhookTargetMock,
|
||||
isWorkspaceApiExecutionEntitledMock,
|
||||
} = vi.hoisted(() => ({
|
||||
generateRequestHashMock: vi.fn().mockResolvedValue('test-hash-123'),
|
||||
validateSlackSignatureMock: vi.fn().mockResolvedValue(true),
|
||||
handleWhatsAppVerificationMock: vi.fn().mockResolvedValue(null),
|
||||
handleSlackChallengeMock: vi.fn().mockReturnValue(null),
|
||||
processWhatsAppDeduplicationMock: vi.fn().mockResolvedValue(null),
|
||||
processGenericDeduplicationMock: vi.fn().mockResolvedValue(null),
|
||||
processWebhookMock: vi.fn().mockResolvedValue(new Response('Webhook processed', { status: 200 })),
|
||||
executeMock: vi.fn().mockResolvedValue({
|
||||
success: true,
|
||||
output: { response: 'Webhook execution success' },
|
||||
logs: [],
|
||||
metadata: {
|
||||
duration: 100,
|
||||
startTime: new Date().toISOString(),
|
||||
endTime: new Date().toISOString(),
|
||||
},
|
||||
}),
|
||||
getWorkspaceBilledAccountUserIdMock: vi
|
||||
.fn()
|
||||
.mockImplementation(async (workspaceId: string | null | undefined) =>
|
||||
workspaceId ? 'test-user-id' : null
|
||||
),
|
||||
queueWebhookExecutionMock: vi.fn().mockImplementation(async () => {
|
||||
const { NextResponse } = await import('next/server')
|
||||
return NextResponse.json({ message: 'Webhook processed' })
|
||||
}),
|
||||
dispatchResolvedWebhookTargetMock: vi.fn(),
|
||||
isWorkspaceApiExecutionEntitledMock: vi.fn().mockResolvedValue(true),
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/billing/core/api-access', () => ({
|
||||
API_EXECUTION_REQUIRES_PAID_PLAN_MESSAGE: 'paid plan required',
|
||||
isWorkspaceApiExecutionEntitled: isWorkspaceApiExecutionEntitledMock,
|
||||
}))
|
||||
|
||||
vi.mock('@trigger.dev/sdk', () => ({
|
||||
tasks: {
|
||||
trigger: vi.fn().mockResolvedValue({ id: 'mock-task-id' }),
|
||||
},
|
||||
task: vi.fn().mockReturnValue({}),
|
||||
}))
|
||||
|
||||
vi.mock('@/background/webhook-execution', () => ({
|
||||
executeWebhookJob: vi.fn().mockResolvedValue({
|
||||
success: true,
|
||||
workflowId: 'test-workflow-id',
|
||||
executionId: 'test-exec-id',
|
||||
output: {},
|
||||
executedAt: new Date().toISOString(),
|
||||
}),
|
||||
}))
|
||||
|
||||
vi.mock('@/background/logs-webhook-delivery', () => ({
|
||||
logsWebhookDelivery: {},
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/webhooks/utils', () => ({
|
||||
handleWhatsAppVerification: handleWhatsAppVerificationMock,
|
||||
handleSlackChallenge: handleSlackChallengeMock,
|
||||
processWhatsAppDeduplication: processWhatsAppDeduplicationMock,
|
||||
processGenericDeduplication: processGenericDeduplicationMock,
|
||||
processWebhook: processWebhookMock,
|
||||
}))
|
||||
|
||||
vi.mock('@/app/api/webhooks/utils', () => ({
|
||||
generateRequestHash: generateRequestHashMock,
|
||||
validateSlackSignature: validateSlackSignatureMock,
|
||||
}))
|
||||
|
||||
vi.mock('@/executor', () => ({
|
||||
Executor: vi.fn().mockImplementation(() => ({
|
||||
execute: executeMock,
|
||||
})),
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/execution/preprocessing', () => executionPreprocessingMock)
|
||||
|
||||
vi.mock('@/lib/logs/execution/logging-session', () => loggingSessionMock)
|
||||
|
||||
vi.mock('@/lib/workspaces/utils', () => ({
|
||||
getWorkspaceBillingSettings: vi.fn().mockResolvedValue(null),
|
||||
getWorkspaceBilledAccountUserId: getWorkspaceBilledAccountUserIdMock,
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/core/rate-limiter', () => ({
|
||||
RateLimiter: vi.fn().mockImplementation(() => ({
|
||||
checkRateLimit: vi.fn().mockResolvedValue({
|
||||
allowed: true,
|
||||
remaining: 10,
|
||||
resetAt: new Date(),
|
||||
}),
|
||||
})),
|
||||
RateLimitError: class RateLimitError extends Error {
|
||||
constructor(
|
||||
message: string,
|
||||
public statusCode = 429
|
||||
) {
|
||||
super(message)
|
||||
this.name = 'RateLimitError'
|
||||
}
|
||||
},
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/workflows/persistence/utils', () => workflowsPersistenceUtilsMock)
|
||||
|
||||
vi.mock('@/lib/webhooks/processor', () => ({
|
||||
findAllWebhooksForPath: vi.fn().mockImplementation(async (options: { path: string }) => {
|
||||
// Filter webhooks by path from testData
|
||||
const matchingWebhooks = testData.webhooks.filter(
|
||||
(wh) => wh.path === options.path && wh.isActive
|
||||
)
|
||||
|
||||
if (matchingWebhooks.length === 0) {
|
||||
return []
|
||||
}
|
||||
|
||||
// Return array of {webhook, workflow} objects
|
||||
return matchingWebhooks.map((wh) => {
|
||||
const matchingWorkflow = testData.workflows.find((w) => w.id === wh.workflowId) || {
|
||||
id: wh.workflowId || 'test-workflow-id',
|
||||
userId: 'test-user-id',
|
||||
workspaceId: 'test-workspace-id',
|
||||
}
|
||||
return {
|
||||
webhook: wh,
|
||||
workflow: matchingWorkflow,
|
||||
}
|
||||
})
|
||||
}),
|
||||
parseWebhookBody: vi.fn().mockImplementation(async (request: any) => {
|
||||
try {
|
||||
const cloned = request.clone()
|
||||
const rawBody = await cloned.text()
|
||||
const body = rawBody ? JSON.parse(rawBody) : {}
|
||||
return { body, rawBody }
|
||||
} catch {
|
||||
return { body: {}, rawBody: '' }
|
||||
}
|
||||
}),
|
||||
handleProviderChallenges: vi.fn().mockResolvedValue(null),
|
||||
handlePreLookupWebhookVerification: vi
|
||||
.fn()
|
||||
.mockImplementation(
|
||||
async (
|
||||
method: string,
|
||||
body: Record<string, unknown> | undefined,
|
||||
_requestId: string,
|
||||
path: string
|
||||
) => {
|
||||
if (path !== 'pending-verification-path') {
|
||||
return null
|
||||
}
|
||||
|
||||
const isVerificationProbe =
|
||||
method === 'GET' ||
|
||||
method === 'HEAD' ||
|
||||
(method === 'POST' && (!body || Object.keys(body).length === 0 || !body.type))
|
||||
|
||||
if (!isVerificationProbe) {
|
||||
return null
|
||||
}
|
||||
|
||||
const { NextResponse } = require('next/server')
|
||||
return NextResponse.json({ status: 'ok', message: 'Webhook endpoint verified' })
|
||||
}
|
||||
),
|
||||
handleProviderReachabilityTest: vi.fn().mockReturnValue(null),
|
||||
dispatchResolvedWebhookTarget: dispatchResolvedWebhookTargetMock.mockImplementation(
|
||||
async (
|
||||
foundWebhook: unknown,
|
||||
foundWorkflow: unknown,
|
||||
body: unknown,
|
||||
request: unknown,
|
||||
options: unknown
|
||||
) => ({
|
||||
outcome: 'queued',
|
||||
reason: 'queued',
|
||||
response: await queueWebhookExecutionMock(
|
||||
foundWebhook,
|
||||
foundWorkflow,
|
||||
body,
|
||||
request,
|
||||
options
|
||||
),
|
||||
})
|
||||
),
|
||||
verifyProviderAuth: vi
|
||||
.fn()
|
||||
.mockImplementation(
|
||||
async (
|
||||
foundWebhook: any,
|
||||
_foundWorkflow: any,
|
||||
request: any,
|
||||
_rawBody: string,
|
||||
_requestId: string
|
||||
) => {
|
||||
// Implement generic webhook auth verification for tests
|
||||
if (foundWebhook.provider === 'generic') {
|
||||
const providerConfig = foundWebhook.providerConfig || {}
|
||||
if (providerConfig.requireAuth) {
|
||||
const configToken = providerConfig.token
|
||||
const secretHeaderName = providerConfig.secretHeaderName
|
||||
|
||||
if (configToken) {
|
||||
let isTokenValid = false
|
||||
|
||||
if (secretHeaderName) {
|
||||
// Custom header auth
|
||||
const headerValue = request.headers.get(secretHeaderName.toLowerCase())
|
||||
if (headerValue === configToken) {
|
||||
isTokenValid = true
|
||||
}
|
||||
} else {
|
||||
// Bearer token auth
|
||||
const authHeader = request.headers.get('authorization')
|
||||
if (authHeader?.toLowerCase().startsWith('bearer ')) {
|
||||
const token = authHeader.substring(7)
|
||||
if (token === configToken) {
|
||||
isTokenValid = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (!isTokenValid) {
|
||||
const { NextResponse } = await import('next/server')
|
||||
return new NextResponse('Unauthorized - Invalid authentication token', {
|
||||
status: 401,
|
||||
})
|
||||
}
|
||||
} else {
|
||||
// Auth required but no token configured
|
||||
const { NextResponse } = await import('next/server')
|
||||
return new NextResponse('Unauthorized - Authentication required but not configured', {
|
||||
status: 401,
|
||||
})
|
||||
}
|
||||
}
|
||||
}
|
||||
return null
|
||||
}
|
||||
),
|
||||
checkWebhookPreprocessing: vi.fn().mockResolvedValue({
|
||||
error: null,
|
||||
actorUserId: 'test-user-id',
|
||||
executionId: 'preprocess-execution-id',
|
||||
correlation: {
|
||||
executionId: 'preprocess-execution-id',
|
||||
requestId: 'mock-request-id',
|
||||
source: 'webhook',
|
||||
workflowId: 'test-workflow-id',
|
||||
webhookId: 'generic-webhook-id',
|
||||
path: 'test-path',
|
||||
provider: 'generic',
|
||||
triggerType: 'webhook',
|
||||
},
|
||||
}),
|
||||
formatProviderErrorResponse: vi.fn().mockImplementation((_webhook, error, status) => {
|
||||
const { NextResponse } = require('next/server')
|
||||
return NextResponse.json({ error }, { status })
|
||||
}),
|
||||
shouldSkipWebhookEvent: vi.fn().mockReturnValue(false),
|
||||
handlePreDeploymentVerification: vi.fn().mockReturnValue(null),
|
||||
}))
|
||||
|
||||
vi.mock('drizzle-orm/postgres-js', () => ({
|
||||
drizzle: vi.fn().mockReturnValue({}),
|
||||
}))
|
||||
|
||||
vi.mock('postgres', () => vi.fn().mockReturnValue({}))
|
||||
|
||||
process.env.DATABASE_URL = 'postgresql://test:test@localhost:5432/test'
|
||||
|
||||
import { GET, POST } from '@/app/api/webhooks/trigger/[path]/route'
|
||||
|
||||
describe('Webhook Trigger API Route', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks()
|
||||
|
||||
// Reset test data arrays
|
||||
testData.webhooks.length = 0
|
||||
testData.workflows.length = 0
|
||||
|
||||
executionPreprocessingMockFns.mockPreprocessExecution.mockResolvedValue({
|
||||
success: true,
|
||||
actorUserId: 'test-user-id',
|
||||
workflowRecord: {
|
||||
id: 'test-workflow-id',
|
||||
userId: 'test-user-id',
|
||||
isDeployed: true,
|
||||
workspaceId: 'test-workspace-id',
|
||||
},
|
||||
userSubscription: {
|
||||
plan: 'pro',
|
||||
status: 'active',
|
||||
},
|
||||
rateLimitInfo: {
|
||||
allowed: true,
|
||||
remaining: 100,
|
||||
resetAt: new Date(),
|
||||
},
|
||||
})
|
||||
|
||||
workflowsPersistenceUtilsMockFns.mockLoadWorkflowFromNormalizedTables.mockResolvedValue({
|
||||
blocks: {},
|
||||
edges: [],
|
||||
loops: {},
|
||||
parallels: {},
|
||||
isFromNormalizedTables: true,
|
||||
})
|
||||
workflowsPersistenceUtilsMockFns.mockBlockExistsInDeployment.mockResolvedValue(true)
|
||||
isWorkspaceApiExecutionEntitledMock.mockResolvedValue(true)
|
||||
|
||||
// Set up default workflow for tests
|
||||
testData.workflows.push({
|
||||
id: 'test-workflow-id',
|
||||
userId: 'test-user-id',
|
||||
workspaceId: 'test-workspace-id',
|
||||
})
|
||||
|
||||
handleWhatsAppVerificationMock.mockResolvedValue(null)
|
||||
processGenericDeduplicationMock.mockResolvedValue(null)
|
||||
processWebhookMock.mockResolvedValue(new Response('Webhook processed', { status: 200 }))
|
||||
})
|
||||
|
||||
it('should handle 404 for non-existent webhooks', async () => {
|
||||
const req = createMockRequest('POST', { type: 'event.test' })
|
||||
|
||||
const params = Promise.resolve({ path: 'non-existent-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(404)
|
||||
|
||||
const text = await response.text()
|
||||
expect(text).toMatch(/not found/i)
|
||||
})
|
||||
|
||||
it('should return 405 for GET requests on unknown webhook paths', async () => {
|
||||
const req = createMockRequest(
|
||||
'GET',
|
||||
undefined,
|
||||
{},
|
||||
'http://localhost:3000/api/webhooks/trigger/non-existent-path'
|
||||
)
|
||||
|
||||
const params = Promise.resolve({ path: 'non-existent-path' })
|
||||
|
||||
const response = await GET(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(405)
|
||||
})
|
||||
|
||||
it('should return 200 for GET verification probes on registered pending paths', async () => {
|
||||
const req = createMockRequest(
|
||||
'GET',
|
||||
undefined,
|
||||
{},
|
||||
'http://localhost:3000/api/webhooks/trigger/pending-verification-path'
|
||||
)
|
||||
|
||||
const params = Promise.resolve({ path: 'pending-verification-path' })
|
||||
|
||||
const response = await GET(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(200)
|
||||
await expect(response.json()).resolves.toMatchObject({
|
||||
status: 'ok',
|
||||
message: 'Webhook endpoint verified',
|
||||
})
|
||||
})
|
||||
|
||||
it('should return 200 for empty POST verification probes on registered pending paths', async () => {
|
||||
const req = createMockRequest(
|
||||
'POST',
|
||||
undefined,
|
||||
{},
|
||||
'http://localhost:3000/api/webhooks/trigger/pending-verification-path'
|
||||
)
|
||||
|
||||
const params = Promise.resolve({ path: 'pending-verification-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(200)
|
||||
await expect(response.json()).resolves.toMatchObject({
|
||||
status: 'ok',
|
||||
message: 'Webhook endpoint verified',
|
||||
})
|
||||
})
|
||||
|
||||
it('should return 404 for POST requests without type on unknown webhook paths', async () => {
|
||||
const req = createMockRequest('POST', { event: 'test' })
|
||||
|
||||
const params = Promise.resolve({ path: 'non-existent-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(404)
|
||||
|
||||
const text = await response.text()
|
||||
expect(text).toMatch(/not found/i)
|
||||
})
|
||||
|
||||
describe('Non-path trigger providers', () => {
|
||||
it.each(['sim', 'table', 'tiktok'])(
|
||||
'rejects HTTP deliveries to %s trigger paths with 404',
|
||||
async (provider) => {
|
||||
testData.webhooks.push({
|
||||
id: `${provider}-webhook-id`,
|
||||
provider,
|
||||
path: 'internal-path',
|
||||
isActive: true,
|
||||
providerConfig: { eventType: 'execution_error' },
|
||||
workflowId: 'test-workflow-id',
|
||||
})
|
||||
|
||||
const req = createMockRequest('POST', { event: 'execution_error', forged: true })
|
||||
const params = Promise.resolve({ path: 'internal-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(404)
|
||||
expect(queueWebhookExecutionMock).not.toHaveBeenCalled()
|
||||
}
|
||||
)
|
||||
|
||||
it('does not affect normal provider paths', async () => {
|
||||
testData.webhooks.push({
|
||||
id: 'generic-webhook-id',
|
||||
provider: 'generic',
|
||||
path: 'normal-path',
|
||||
isActive: true,
|
||||
providerConfig: { requireAuth: false },
|
||||
workflowId: 'test-workflow-id',
|
||||
})
|
||||
|
||||
const req = createMockRequest('POST', { event: 'test' })
|
||||
const params = Promise.resolve({ path: 'normal-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(200)
|
||||
expect(queueWebhookExecutionMock).toHaveBeenCalledOnce()
|
||||
})
|
||||
})
|
||||
|
||||
describe('Generic Webhook Authentication', () => {
|
||||
it('passes request context into shared webhook dispatch', async () => {
|
||||
testData.webhooks.push({
|
||||
id: 'generic-webhook-id',
|
||||
provider: 'generic',
|
||||
path: 'test-path',
|
||||
isActive: true,
|
||||
providerConfig: { requireAuth: false },
|
||||
workflowId: 'test-workflow-id',
|
||||
})
|
||||
|
||||
const req = createMockRequest('POST', { event: 'test', id: 'test-123' })
|
||||
const params = Promise.resolve({ path: 'test-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(200)
|
||||
expect(queueWebhookExecutionMock).toHaveBeenCalledOnce()
|
||||
const call = dispatchResolvedWebhookTargetMock.mock.calls[0]
|
||||
expect(call[0]).toEqual(expect.objectContaining({ id: 'generic-webhook-id' }))
|
||||
expect(call[1]).toEqual(expect.objectContaining({ id: 'test-workflow-id' }))
|
||||
expect(call[2]).toEqual(expect.objectContaining({ event: 'test', id: 'test-123' }))
|
||||
expect(call[4]).toEqual(
|
||||
expect.objectContaining({
|
||||
requestId: 'mock-request-id',
|
||||
path: 'test-path',
|
||||
})
|
||||
)
|
||||
})
|
||||
|
||||
it('should process generic webhook without authentication', async () => {
|
||||
testData.webhooks.push({
|
||||
id: 'generic-webhook-id',
|
||||
provider: 'generic',
|
||||
path: 'test-path',
|
||||
isActive: true,
|
||||
providerConfig: { requireAuth: false },
|
||||
workflowId: 'test-workflow-id',
|
||||
rateLimitCount: 100,
|
||||
rateLimitPeriod: 60,
|
||||
})
|
||||
testData.workflows.push({
|
||||
id: 'test-workflow-id',
|
||||
userId: 'test-user-id',
|
||||
workspaceId: 'test-workspace-id',
|
||||
})
|
||||
|
||||
const req = createMockRequest('POST', { event: 'test', id: 'test-123' })
|
||||
const params = Promise.resolve({ path: 'test-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(200)
|
||||
|
||||
const data = await response.json()
|
||||
expect(data.message).toBe('Webhook processed')
|
||||
})
|
||||
|
||||
it('blocks a generic webhook when the workspace is on the free plan', async () => {
|
||||
testData.webhooks.push({
|
||||
id: 'generic-webhook-id',
|
||||
provider: 'generic',
|
||||
path: 'test-path',
|
||||
isActive: true,
|
||||
providerConfig: { requireAuth: false },
|
||||
workflowId: 'test-workflow-id',
|
||||
rateLimitCount: 100,
|
||||
rateLimitPeriod: 60,
|
||||
})
|
||||
testData.workflows.push({
|
||||
id: 'test-workflow-id',
|
||||
userId: 'test-user-id',
|
||||
workspaceId: 'test-workspace-id',
|
||||
})
|
||||
isWorkspaceApiExecutionEntitledMock.mockResolvedValueOnce(false)
|
||||
|
||||
const req = createMockRequest('POST', { event: 'test', id: 'test-123' })
|
||||
const params = Promise.resolve({ path: 'test-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(402)
|
||||
})
|
||||
|
||||
it('returns 402 (not 500) when every webhook in a shared path is generic and free', async () => {
|
||||
testData.webhooks.push(
|
||||
{
|
||||
id: 'generic-webhook-a',
|
||||
provider: 'generic',
|
||||
path: 'test-path',
|
||||
isActive: true,
|
||||
providerConfig: { requireAuth: false },
|
||||
workflowId: 'test-workflow-id',
|
||||
rateLimitCount: 100,
|
||||
rateLimitPeriod: 60,
|
||||
},
|
||||
{
|
||||
id: 'generic-webhook-b',
|
||||
provider: 'generic',
|
||||
path: 'test-path',
|
||||
isActive: true,
|
||||
providerConfig: { requireAuth: false },
|
||||
workflowId: 'test-workflow-id',
|
||||
rateLimitCount: 100,
|
||||
rateLimitPeriod: 60,
|
||||
}
|
||||
)
|
||||
testData.workflows.push({
|
||||
id: 'test-workflow-id',
|
||||
userId: 'test-user-id',
|
||||
workspaceId: 'test-workspace-id',
|
||||
})
|
||||
isWorkspaceApiExecutionEntitledMock.mockResolvedValue(false)
|
||||
|
||||
const req = createMockRequest('POST', { event: 'test', id: 'test-123' })
|
||||
const params = Promise.resolve({ path: 'test-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(402)
|
||||
})
|
||||
|
||||
it('should authenticate with Bearer token when no custom header is configured', async () => {
|
||||
testData.webhooks.push({
|
||||
id: 'generic-webhook-id',
|
||||
provider: 'generic',
|
||||
path: 'test-path',
|
||||
isActive: true,
|
||||
providerConfig: { requireAuth: true, token: 'test-token-123' },
|
||||
workflowId: 'test-workflow-id',
|
||||
})
|
||||
testData.workflows.push({
|
||||
id: 'test-workflow-id',
|
||||
userId: 'test-user-id',
|
||||
workspaceId: 'test-workspace-id',
|
||||
})
|
||||
|
||||
const headers = {
|
||||
'Content-Type': 'application/json',
|
||||
Authorization: 'Bearer test-token-123',
|
||||
}
|
||||
const req = createMockRequest('POST', { event: 'bearer.test' }, headers)
|
||||
const params = Promise.resolve({ path: 'test-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(200)
|
||||
})
|
||||
|
||||
it('should authenticate with custom header when configured', async () => {
|
||||
testData.webhooks.push({
|
||||
id: 'generic-webhook-id',
|
||||
provider: 'generic',
|
||||
path: 'test-path',
|
||||
isActive: true,
|
||||
providerConfig: {
|
||||
requireAuth: true,
|
||||
token: 'secret-token-456',
|
||||
secretHeaderName: 'X-Custom-Auth',
|
||||
},
|
||||
workflowId: 'test-workflow-id',
|
||||
})
|
||||
testData.workflows.push({
|
||||
id: 'test-workflow-id',
|
||||
userId: 'test-user-id',
|
||||
workspaceId: 'test-workspace-id',
|
||||
})
|
||||
|
||||
const headers = {
|
||||
'Content-Type': 'application/json',
|
||||
'X-Custom-Auth': 'secret-token-456',
|
||||
}
|
||||
const req = createMockRequest('POST', { event: 'custom.header.test' }, headers)
|
||||
const params = Promise.resolve({ path: 'test-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(200)
|
||||
})
|
||||
|
||||
it('should handle case insensitive Bearer token authentication', async () => {
|
||||
testData.webhooks.push({
|
||||
id: 'generic-webhook-id',
|
||||
provider: 'generic',
|
||||
path: 'test-path',
|
||||
isActive: true,
|
||||
providerConfig: { requireAuth: true, token: 'case-test-token' },
|
||||
workflowId: 'test-workflow-id',
|
||||
})
|
||||
testData.workflows.push({
|
||||
id: 'test-workflow-id',
|
||||
userId: 'test-user-id',
|
||||
workspaceId: 'test-workspace-id',
|
||||
})
|
||||
|
||||
const testCases = [
|
||||
'Bearer case-test-token',
|
||||
'bearer case-test-token',
|
||||
'BEARER case-test-token',
|
||||
'BeArEr case-test-token',
|
||||
]
|
||||
|
||||
for (const authHeader of testCases) {
|
||||
const headers = {
|
||||
'Content-Type': 'application/json',
|
||||
Authorization: authHeader,
|
||||
}
|
||||
const req = createMockRequest('POST', { event: 'case.test' }, headers)
|
||||
const params = Promise.resolve({ path: 'test-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(200)
|
||||
}
|
||||
})
|
||||
|
||||
it('should handle case insensitive custom header authentication', async () => {
|
||||
testData.webhooks.push({
|
||||
id: 'generic-webhook-id',
|
||||
provider: 'generic',
|
||||
path: 'test-path',
|
||||
isActive: true,
|
||||
providerConfig: {
|
||||
requireAuth: true,
|
||||
token: 'custom-token-789',
|
||||
secretHeaderName: 'X-Secret-Key',
|
||||
},
|
||||
workflowId: 'test-workflow-id',
|
||||
})
|
||||
testData.workflows.push({
|
||||
id: 'test-workflow-id',
|
||||
userId: 'test-user-id',
|
||||
workspaceId: 'test-workspace-id',
|
||||
})
|
||||
|
||||
const testCases = ['X-Secret-Key', 'x-secret-key', 'X-SECRET-KEY', 'x-Secret-Key']
|
||||
|
||||
for (const headerName of testCases) {
|
||||
const headers = {
|
||||
'Content-Type': 'application/json',
|
||||
[headerName]: 'custom-token-789',
|
||||
}
|
||||
const req = createMockRequest('POST', { event: 'custom.case.test' }, headers)
|
||||
const params = Promise.resolve({ path: 'test-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(200)
|
||||
}
|
||||
})
|
||||
|
||||
it('should reject wrong Bearer token', async () => {
|
||||
testData.webhooks.push({
|
||||
id: 'generic-webhook-id',
|
||||
provider: 'generic',
|
||||
path: 'test-path',
|
||||
isActive: true,
|
||||
providerConfig: { requireAuth: true, token: 'correct-token' },
|
||||
workflowId: 'test-workflow-id',
|
||||
})
|
||||
|
||||
const headers = {
|
||||
'Content-Type': 'application/json',
|
||||
Authorization: 'Bearer wrong-token',
|
||||
}
|
||||
const req = createMockRequest('POST', { event: 'wrong.token.test' }, headers)
|
||||
const params = Promise.resolve({ path: 'test-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(401)
|
||||
expect(await response.text()).toContain('Unauthorized - Invalid authentication token')
|
||||
expect(processWebhookMock).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('should reject wrong custom header token', async () => {
|
||||
testData.webhooks.push({
|
||||
id: 'generic-webhook-id',
|
||||
provider: 'generic',
|
||||
path: 'test-path',
|
||||
isActive: true,
|
||||
providerConfig: {
|
||||
requireAuth: true,
|
||||
token: 'correct-custom-token',
|
||||
secretHeaderName: 'X-Auth-Key',
|
||||
},
|
||||
workflowId: 'test-workflow-id',
|
||||
})
|
||||
|
||||
const headers = {
|
||||
'Content-Type': 'application/json',
|
||||
'X-Auth-Key': 'wrong-custom-token',
|
||||
}
|
||||
const req = createMockRequest('POST', { event: 'wrong.custom.test' }, headers)
|
||||
const params = Promise.resolve({ path: 'test-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(401)
|
||||
expect(await response.text()).toContain('Unauthorized - Invalid authentication token')
|
||||
expect(processWebhookMock).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('should reject missing authentication when required', async () => {
|
||||
testData.webhooks.push({
|
||||
id: 'generic-webhook-id',
|
||||
provider: 'generic',
|
||||
path: 'test-path',
|
||||
isActive: true,
|
||||
providerConfig: { requireAuth: true, token: 'required-token' },
|
||||
workflowId: 'test-workflow-id',
|
||||
})
|
||||
|
||||
const req = createMockRequest('POST', { event: 'no.auth.test' })
|
||||
const params = Promise.resolve({ path: 'test-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(401)
|
||||
expect(await response.text()).toContain('Unauthorized - Invalid authentication token')
|
||||
expect(processWebhookMock).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('should reject Bearer token when custom header is configured', async () => {
|
||||
testData.webhooks.push({
|
||||
id: 'generic-webhook-id',
|
||||
provider: 'generic',
|
||||
path: 'test-path',
|
||||
isActive: true,
|
||||
providerConfig: {
|
||||
requireAuth: true,
|
||||
token: 'exclusive-token',
|
||||
secretHeaderName: 'X-Only-Header',
|
||||
},
|
||||
workflowId: 'test-workflow-id',
|
||||
})
|
||||
|
||||
const headers = {
|
||||
'Content-Type': 'application/json',
|
||||
Authorization: 'Bearer exclusive-token',
|
||||
}
|
||||
const req = createMockRequest('POST', { event: 'exclusivity.test' }, headers)
|
||||
const params = Promise.resolve({ path: 'test-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(401)
|
||||
expect(await response.text()).toContain('Unauthorized - Invalid authentication token')
|
||||
expect(processWebhookMock).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('should reject wrong custom header name', async () => {
|
||||
testData.webhooks.push({
|
||||
id: 'generic-webhook-id',
|
||||
provider: 'generic',
|
||||
path: 'test-path',
|
||||
isActive: true,
|
||||
providerConfig: {
|
||||
requireAuth: true,
|
||||
token: 'correct-token',
|
||||
secretHeaderName: 'X-Expected-Header',
|
||||
},
|
||||
workflowId: 'test-workflow-id',
|
||||
})
|
||||
|
||||
const headers = {
|
||||
'Content-Type': 'application/json',
|
||||
'X-Wrong-Header': 'correct-token',
|
||||
}
|
||||
const req = createMockRequest('POST', { event: 'wrong.header.name.test' }, headers)
|
||||
const params = Promise.resolve({ path: 'test-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(401)
|
||||
expect(await response.text()).toContain('Unauthorized - Invalid authentication token')
|
||||
expect(processWebhookMock).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('should reject when auth is required but no token is configured', async () => {
|
||||
testData.webhooks.push({
|
||||
id: 'generic-webhook-id',
|
||||
provider: 'generic',
|
||||
path: 'test-path',
|
||||
isActive: true,
|
||||
providerConfig: { requireAuth: true },
|
||||
workflowId: 'test-workflow-id',
|
||||
})
|
||||
testData.workflows.push({ id: 'test-workflow-id', userId: 'test-user-id' })
|
||||
|
||||
const headers = {
|
||||
'Content-Type': 'application/json',
|
||||
Authorization: 'Bearer any-token',
|
||||
}
|
||||
const req = createMockRequest('POST', { event: 'no.token.config.test' }, headers)
|
||||
const params = Promise.resolve({ path: 'test-path' })
|
||||
|
||||
const response = await POST(req as any, { params })
|
||||
|
||||
expect(response.status).toBe(401)
|
||||
expect(await response.text()).toContain(
|
||||
'Unauthorized - Authentication required but not configured'
|
||||
)
|
||||
expect(processWebhookMock).not.toHaveBeenCalled()
|
||||
})
|
||||
})
|
||||
})
|
||||
@@ -0,0 +1,220 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { webhookTriggerGetContract, webhookTriggerPostContract } from '@/lib/api/contracts/webhooks'
|
||||
import { parseRequest } from '@/lib/api/server'
|
||||
import {
|
||||
API_EXECUTION_REQUIRES_PAID_PLAN_MESSAGE,
|
||||
isWorkspaceApiExecutionEntitled,
|
||||
} from '@/lib/billing/core/api-access'
|
||||
import { admissionRejectedResponse, tryAdmit } from '@/lib/core/admission/gate'
|
||||
import { generateRequestId } from '@/lib/core/utils/request'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import {
|
||||
dispatchResolvedWebhookTarget,
|
||||
findAllWebhooksForPath,
|
||||
handlePreLookupWebhookVerification,
|
||||
handleProviderChallenges,
|
||||
handleProviderReachabilityTest,
|
||||
parseWebhookBody,
|
||||
verifyProviderAuth,
|
||||
} from '@/lib/webhooks/processor'
|
||||
import { acceptsPathWebhookDelivery } from '@/lib/webhooks/providers'
|
||||
import { isInternalTriggerProvider } from '@/triggers/constants'
|
||||
|
||||
const logger = createLogger('WebhookTriggerAPI')
|
||||
|
||||
export const dynamic = 'force-dynamic'
|
||||
export const runtime = 'nodejs'
|
||||
export const maxDuration = 60
|
||||
|
||||
export const GET = withRouteHandler(
|
||||
async (request: NextRequest, context: { params: Promise<{ path: string }> }) => {
|
||||
const requestId = generateRequestId()
|
||||
const parsed = await parseRequest(webhookTriggerGetContract, request, context)
|
||||
if (!parsed.success) return parsed.response
|
||||
const { path } = parsed.data.params
|
||||
|
||||
// Handle provider-specific GET verifications (Microsoft Graph, WhatsApp, etc.)
|
||||
const challengeResponse = await handleProviderChallenges({}, request, requestId, path)
|
||||
if (challengeResponse) {
|
||||
return challengeResponse
|
||||
}
|
||||
|
||||
return (
|
||||
(await handlePreLookupWebhookVerification(request.method, undefined, requestId, path)) ||
|
||||
new NextResponse('Method not allowed', { status: 405 })
|
||||
)
|
||||
}
|
||||
)
|
||||
|
||||
export const POST = withRouteHandler(
|
||||
async (request: NextRequest, context: { params: Promise<{ path: string }> }) => {
|
||||
const ticket = tryAdmit()
|
||||
if (!ticket) {
|
||||
return admissionRejectedResponse()
|
||||
}
|
||||
|
||||
try {
|
||||
return await handleWebhookPost(request, context)
|
||||
} finally {
|
||||
ticket.release()
|
||||
}
|
||||
}
|
||||
)
|
||||
|
||||
async function handleWebhookPost(
|
||||
request: NextRequest,
|
||||
context: { params: Promise<{ path: string }> }
|
||||
): Promise<NextResponse> {
|
||||
const receivedAt = Date.now()
|
||||
/**
|
||||
* Slack signs every interactive request with the originating interaction time.
|
||||
* Capturing it lets the executor surface the true trigger_id age (the window
|
||||
* that expires at 3s) instead of only the in-workflow block timings.
|
||||
*/
|
||||
const slackRequestTimestamp = request.headers.get('x-slack-request-timestamp')
|
||||
const triggerTimestampMs = slackRequestTimestamp
|
||||
? Number(slackRequestTimestamp) * 1000
|
||||
: undefined
|
||||
|
||||
const requestId = generateRequestId()
|
||||
const parsed = await parseRequest(webhookTriggerPostContract, request, context)
|
||||
if (!parsed.success) return parsed.response
|
||||
const { path } = parsed.data.params
|
||||
|
||||
const earlyChallenge = await handleProviderChallenges({}, request, requestId, path)
|
||||
if (earlyChallenge) {
|
||||
return earlyChallenge
|
||||
}
|
||||
|
||||
const parseResult = await parseWebhookBody(request, requestId)
|
||||
|
||||
// Check if parseWebhookBody returned an error response
|
||||
if (parseResult instanceof NextResponse) {
|
||||
return parseResult
|
||||
}
|
||||
|
||||
const { body, rawBody } = parseResult
|
||||
|
||||
const challengeResponse = await handleProviderChallenges(body, request, requestId, path, rawBody)
|
||||
if (challengeResponse) {
|
||||
return challengeResponse
|
||||
}
|
||||
|
||||
// Find all webhooks for this path (multiple webhooks in one workflow may share a path)
|
||||
const allWebhooksForPath = await findAllWebhooksForPath({ requestId, path })
|
||||
|
||||
/** Exclude in-process triggers and providers that own an app-level ingress route. */
|
||||
const webhooksForPath = allWebhooksForPath.filter(
|
||||
({ webhook: foundWebhook }) =>
|
||||
!isInternalTriggerProvider(foundWebhook.provider) &&
|
||||
acceptsPathWebhookDelivery(foundWebhook.provider)
|
||||
)
|
||||
|
||||
if (allWebhooksForPath.length > 0 && webhooksForPath.length === 0) {
|
||||
logger.warn(`[${requestId}] Rejected HTTP delivery to non-path trigger: ${path}`)
|
||||
return new NextResponse('Not Found', { status: 404 })
|
||||
}
|
||||
|
||||
if (webhooksForPath.length === 0) {
|
||||
const verificationResponse = await handlePreLookupWebhookVerification(
|
||||
request.method,
|
||||
body as Record<string, unknown> | undefined,
|
||||
requestId,
|
||||
path
|
||||
)
|
||||
if (verificationResponse) {
|
||||
return verificationResponse
|
||||
}
|
||||
|
||||
logger.warn(`[${requestId}] Webhook or workflow not found for path: ${path}`)
|
||||
return new NextResponse('Not Found', { status: 404 })
|
||||
}
|
||||
|
||||
// Process each webhook matched on this path
|
||||
const responses: NextResponse[] = []
|
||||
let billingBlocked = false
|
||||
|
||||
for (const { webhook: foundWebhook, workflow: foundWorkflow } of webhooksForPath) {
|
||||
// Generic ("custom") webhooks are an unauthenticated programmatic execution
|
||||
// surface, so they fall under the same paid-plan gate as the API. Provider
|
||||
// webhooks (slack, github, ...) are unaffected.
|
||||
if (
|
||||
foundWebhook.provider === 'generic' &&
|
||||
!(await isWorkspaceApiExecutionEntitled(foundWorkflow.workspaceId))
|
||||
) {
|
||||
logger.warn(`[${requestId}] Generic webhook blocked: workspace on free plan`)
|
||||
billingBlocked = true
|
||||
if (webhooksForPath.length > 1) continue
|
||||
return NextResponse.json({ error: API_EXECUTION_REQUIRES_PAID_PLAN_MESSAGE }, { status: 402 })
|
||||
}
|
||||
|
||||
const authError = await verifyProviderAuth(
|
||||
foundWebhook,
|
||||
foundWorkflow,
|
||||
request,
|
||||
rawBody,
|
||||
requestId
|
||||
)
|
||||
if (authError) {
|
||||
if (webhooksForPath.length > 1) {
|
||||
logger.warn(`[${requestId}] Auth failed for webhook ${foundWebhook.id}, continuing to next`)
|
||||
continue
|
||||
}
|
||||
return authError
|
||||
}
|
||||
|
||||
const reachabilityResponse = handleProviderReachabilityTest(foundWebhook, body, requestId)
|
||||
if (reachabilityResponse) {
|
||||
return reachabilityResponse
|
||||
}
|
||||
|
||||
const dispatchResult = await dispatchResolvedWebhookTarget(
|
||||
foundWebhook,
|
||||
foundWorkflow,
|
||||
body,
|
||||
request,
|
||||
{
|
||||
requestId,
|
||||
path,
|
||||
receivedAt,
|
||||
triggerTimestampMs: Number.isFinite(triggerTimestampMs) ? triggerTimestampMs : undefined,
|
||||
}
|
||||
)
|
||||
|
||||
if (dispatchResult.reason === 'filtered') {
|
||||
continue
|
||||
}
|
||||
|
||||
if (dispatchResult.outcome === 'failed' || dispatchResult.reason === 'block-missing') {
|
||||
if (webhooksForPath.length > 1) {
|
||||
logger.warn(
|
||||
`[${requestId}] Webhook dispatch failed for ${foundWebhook.id}, continuing to next`,
|
||||
{ reason: dispatchResult.reason, status: dispatchResult.response.status }
|
||||
)
|
||||
continue
|
||||
}
|
||||
return dispatchResult.response
|
||||
}
|
||||
|
||||
responses.push(dispatchResult.response)
|
||||
}
|
||||
|
||||
if (responses.length === 0) {
|
||||
if (billingBlocked) {
|
||||
return NextResponse.json({ error: API_EXECUTION_REQUIRES_PAID_PLAN_MESSAGE }, { status: 402 })
|
||||
}
|
||||
return new NextResponse('No webhooks processed successfully', { status: 500 })
|
||||
}
|
||||
|
||||
if (responses.length === 1) {
|
||||
return responses[0]
|
||||
}
|
||||
|
||||
// For multiple webhooks, return success if at least one succeeded
|
||||
logger.info(`[${requestId}] Processed ${responses.length} webhooks for path: ${path}`)
|
||||
return NextResponse.json({
|
||||
success: true,
|
||||
webhooksProcessed: responses.length,
|
||||
})
|
||||
}
|
||||
Reference in New Issue
Block a user