chore: import upstream snapshot with attribution
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled

This commit is contained in:
wehub-resource-sync
2026-07-13 13:20:55 +08:00
commit d25d482dc2
13754 changed files with 4996608 additions and 0 deletions
+286
View File
@@ -0,0 +1,286 @@
import { AuditAction, AuditResourceType, recordAudit } from '@sim/audit'
import { db } from '@sim/db'
import { webhook, workflow } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import {
assertWorkflowMutable,
authorizeWorkflowByWorkspacePermission,
WorkflowLockedError,
} from '@sim/platform-authz/workflow'
import { and, eq, isNull } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import {
deleteWebhookContract,
getWebhookContract,
updateWebhookContract,
} from '@/lib/api/contracts/webhooks'
import { parseRequest } from '@/lib/api/server'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { PlatformEvents } from '@/lib/core/telemetry'
import { generateRequestId } from '@/lib/core/utils/request'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import { captureServerEvent } from '@/lib/posthog/server'
import { cleanupExternalWebhook } from '@/lib/webhooks/provider-subscriptions'
const logger = createLogger('WebhookAPI')
export const dynamic = 'force-dynamic'
// Get a specific webhook
export const GET = withRouteHandler(
async (request: NextRequest, context: { params: Promise<{ id: string }> }) => {
const requestId = generateRequestId()
try {
const parsed = await parseRequest(getWebhookContract, request, context)
if (!parsed.success) return parsed.response
const { id } = parsed.data.params
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized webhook access attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
const webhooks = await db
.select({
webhook: webhook,
workflow: {
id: workflow.id,
name: workflow.name,
userId: workflow.userId,
workspaceId: workflow.workspaceId,
},
})
.from(webhook)
.innerJoin(workflow, eq(webhook.workflowId, workflow.id))
.where(and(eq(webhook.id, id), isNull(webhook.archivedAt)))
.limit(1)
if (webhooks.length === 0) {
logger.warn(`[${requestId}] Webhook not found: ${id}`)
return NextResponse.json({ error: 'Webhook not found' }, { status: 404 })
}
const webhookData = webhooks[0]
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId: webhookData.workflow.id,
userId,
action: 'read',
})
const hasAccess = authorization.allowed
if (!hasAccess) {
logger.warn(`[${requestId}] User ${userId} denied access to webhook: ${id}`)
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
}
logger.info(`[${requestId}] Successfully retrieved webhook: ${id}`)
return NextResponse.json({ webhook: webhooks[0] }, { status: 200 })
} catch (error) {
logger.error(`[${requestId}] Error fetching webhook`, error)
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
}
}
)
export const PATCH = withRouteHandler(
async (request: NextRequest, context: { params: Promise<{ id: string }> }) => {
const requestId = generateRequestId()
try {
const parsed = await parseRequest(updateWebhookContract, request, context)
if (!parsed.success) return parsed.response
const { id } = parsed.data.params
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized webhook update attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
const { isActive, failedCount } = parsed.data.body
const webhooks = await db
.select({
webhook: webhook,
workflow: {
id: workflow.id,
userId: workflow.userId,
workspaceId: workflow.workspaceId,
},
})
.from(webhook)
.innerJoin(workflow, eq(webhook.workflowId, workflow.id))
.where(and(eq(webhook.id, id), isNull(webhook.archivedAt)))
.limit(1)
if (webhooks.length === 0) {
logger.warn(`[${requestId}] Webhook not found: ${id}`)
return NextResponse.json({ error: 'Webhook not found' }, { status: 404 })
}
const webhookData = webhooks[0]
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId: webhookData.workflow.id,
userId,
action: 'write',
})
const canModify = authorization.allowed
if (!canModify) {
logger.warn(`[${requestId}] User ${userId} denied permission to modify webhook: ${id}`)
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
}
await assertWorkflowMutable(webhookData.workflow.id)
const setClause: Partial<typeof webhook.$inferInsert> = {}
if (isActive !== undefined && isActive !== webhooks[0].webhook.isActive) {
setClause.isActive = isActive
}
if (failedCount !== undefined && failedCount !== webhooks[0].webhook.failedCount) {
setClause.failedCount = failedCount
}
if (Object.keys(setClause).length === 0) {
logger.info(`[${requestId}] No-op webhook PATCH (no field changes): ${id}`)
return NextResponse.json({ webhook: webhooks[0].webhook }, { status: 200 })
}
setClause.updatedAt = new Date()
const updatedWebhook = await db
.update(webhook)
.set(setClause)
.where(eq(webhook.id, id))
.returning()
logger.info(`[${requestId}] Successfully updated webhook: ${id}`)
return NextResponse.json({ webhook: updatedWebhook[0] }, { status: 200 })
} catch (error) {
if (error instanceof WorkflowLockedError) {
return NextResponse.json({ error: error.message }, { status: error.status })
}
logger.error(`[${requestId}] Error updating webhook`, error)
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
}
}
)
// Delete a webhook
export const DELETE = withRouteHandler(
async (request: NextRequest, context: { params: Promise<{ id: string }> }) => {
const requestId = generateRequestId()
try {
const parsed = await parseRequest(deleteWebhookContract, request, context)
if (!parsed.success) return parsed.response
const { id } = parsed.data.params
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized webhook deletion attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
// Find the webhook and check permissions
const webhooks = await db
.select({
webhook: webhook,
workflow: {
id: workflow.id,
userId: workflow.userId,
workspaceId: workflow.workspaceId,
},
})
.from(webhook)
.innerJoin(workflow, eq(webhook.workflowId, workflow.id))
.where(eq(webhook.id, id))
.limit(1)
if (webhooks.length === 0) {
logger.warn(`[${requestId}] Webhook not found: ${id}`)
return NextResponse.json({ error: 'Webhook not found' }, { status: 404 })
}
const webhookData = webhooks[0]
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId: webhookData.workflow.id,
userId,
action: 'write',
})
const canDelete = authorization.allowed
if (!canDelete) {
logger.warn(`[${requestId}] User ${userId} denied permission to delete webhook: ${id}`)
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
}
await assertWorkflowMutable(webhookData.workflow.id)
const foundWebhook = webhookData.webhook
await cleanupExternalWebhook(foundWebhook, webhookData.workflow, requestId)
await db.delete(webhook).where(eq(webhook.id, id))
try {
PlatformEvents.webhookDeleted({
webhookId: id,
workflowId: webhookData.workflow.id,
})
} catch {
// Telemetry should not fail the operation
}
logger.info(`[${requestId}] Successfully deleted webhook: ${id}`)
recordAudit({
workspaceId: webhookData.workflow.workspaceId || null,
actorId: userId,
actorName: auth.userName,
actorEmail: auth.userEmail,
action: AuditAction.WEBHOOK_DELETED,
resourceType: AuditResourceType.WEBHOOK,
resourceId: id,
resourceName: foundWebhook.provider || 'generic',
description: `Deleted ${foundWebhook.provider || 'generic'} webhook`,
metadata: {
provider: foundWebhook.provider || 'generic',
workflowId: webhookData.workflow.id,
webhookPath: foundWebhook.path || undefined,
blockId: foundWebhook.blockId || undefined,
},
request,
})
const wsId = webhookData.workflow.workspaceId || undefined
captureServerEvent(
userId,
'webhook_trigger_deleted',
{
webhook_id: id,
workflow_id: webhookData.workflow.id,
provider: foundWebhook.provider || 'generic',
workspace_id: wsId ?? '',
},
wsId ? { groups: { workspace: wsId } } : undefined
)
return NextResponse.json({ success: true }, { status: 200 })
} catch (error: any) {
if (error instanceof WorkflowLockedError) {
return NextResponse.json({ error: error.message }, { status: error.status })
}
logger.error(`[${requestId}] Error deleting webhook`, {
error: error.message,
stack: error.stack,
})
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
}
}
)
@@ -0,0 +1,374 @@
import {
db,
mothershipInboxAllowedSender,
mothershipInboxTask,
mothershipInboxWebhook,
permissions,
user,
workspace,
} from '@sim/db'
import { createLogger } from '@sim/logger'
import { getErrorMessage } from '@sim/utils/errors'
import { generateId } from '@sim/utils/id'
import { tasks } from '@trigger.dev/sdk'
import { and, eq, gt, isNotNull, ne, sql } from 'drizzle-orm'
import { NextResponse } from 'next/server'
import { Webhook } from 'svix'
import {
agentMailEnvelopeSchema,
agentMailMessageSchema,
webhookSvixHeadersSchema,
} from '@/lib/api/contracts/webhooks'
import { hasWorkspaceInboxAccess } from '@/lib/billing/core/subscription'
import { resolveTriggerRegion } from '@/lib/core/async-jobs/region'
import { isTriggerDevEnabled } from '@/lib/core/config/env-flags'
import {
assertContentLengthWithinLimit,
isPayloadSizeLimitError,
readStreamToBufferWithLimit,
} from '@/lib/core/utils/stream-limits'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import { executeInboxTask } from '@/lib/mothership/inbox/executor'
import type { AgentMailWebhookPayload, RejectionReason } from '@/lib/mothership/inbox/types'
import { WEBHOOK_MAX_BODY_BYTES } from '@/lib/webhooks/constants'
const logger = createLogger('AgentMailWebhook')
const AUTOMATED_SENDERS = ['mailer-daemon@', 'noreply@', 'no-reply@', 'postmaster@']
const MAX_EMAILS_PER_HOUR = 20
const AGENTMAIL_BODY_LABEL = 'AgentMail webhook body'
/**
* Bound the unauthenticated AgentMail webhook body before buffering it for Svix
* signature verification, so an oversized payload cannot exhaust pod memory.
*/
async function readAgentMailBody(req: Request): Promise<string> {
assertContentLengthWithinLimit(req.headers, WEBHOOK_MAX_BODY_BYTES, AGENTMAIL_BODY_LABEL)
const buffer = await readStreamToBufferWithLimit(req.body, {
maxBytes: WEBHOOK_MAX_BODY_BYTES,
label: AGENTMAIL_BODY_LABEL,
})
return new TextDecoder().decode(buffer)
}
export const POST = withRouteHandler(async (req: Request) => {
try {
let rawBody: string
try {
rawBody = await readAgentMailBody(req)
} catch (bodyError) {
if (isPayloadSizeLimitError(bodyError)) {
logger.warn('Rejected oversized AgentMail webhook body', {
maxBytes: WEBHOOK_MAX_BODY_BYTES,
observedBytes: bodyError.observedBytes,
})
return NextResponse.json({ error: 'Request body too large' }, { status: 413 })
}
throw bodyError
}
const headersResult = webhookSvixHeadersSchema.safeParse({
'svix-id': req.headers.get('svix-id'),
'svix-timestamp': req.headers.get('svix-timestamp'),
'svix-signature': req.headers.get('svix-signature'),
})
if (!headersResult.success) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const webhookCandidates = await db
.select({
id: workspace.id,
inboxEnabled: workspace.inboxEnabled,
inboxAddress: workspace.inboxAddress,
inboxProviderId: workspace.inboxProviderId,
webhookSecret: mothershipInboxWebhook.secret,
})
.from(workspace)
.leftJoin(mothershipInboxWebhook, eq(mothershipInboxWebhook.workspaceId, workspace.id))
.where(isNotNull(mothershipInboxWebhook.secret))
let result: (typeof webhookCandidates)[number] | undefined
for (const candidate of webhookCandidates) {
if (!candidate.webhookSecret) continue
try {
const wh = new Webhook(candidate.webhookSecret)
wh.verify(rawBody, headersResult.data)
result = candidate
break
} catch {}
}
if (!result) {
logger.warn('Webhook signature verification failed', {
candidateCount: webhookCandidates.length,
})
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const envelopeResult = agentMailEnvelopeSchema.safeParse(JSON.parse(rawBody))
if (!envelopeResult.success) {
logger.warn('Invalid AgentMail webhook payload', {
workspaceId: result.id,
issues: envelopeResult.error.issues,
})
return NextResponse.json(
{ error: 'Invalid envelope payload', details: envelopeResult.error.issues },
{ status: 400 }
)
}
if (envelopeResult.data.event_type !== 'message.received') {
return NextResponse.json({ ok: true })
}
const messageResult = agentMailMessageSchema.safeParse(envelopeResult.data.message)
if (!messageResult.success) {
logger.warn('Invalid AgentMail message payload', {
workspaceId: result.id,
issues: messageResult.error.issues,
})
return NextResponse.json(
{ error: 'Invalid message payload', details: messageResult.error.issues },
{ status: 400 }
)
}
const message: AgentMailWebhookPayload['message'] = messageResult.data
const inboxId = message.inbox_id
if (result.inboxProviderId !== inboxId) {
logger.warn('Verified AgentMail payload inbox mismatch', {
workspaceId: result.id,
verifiedInboxId: result.inboxProviderId,
payloadInboxId: inboxId,
})
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
if (!result.inboxEnabled) {
logger.info('Inbox disabled, rejecting', { workspaceId: result.id })
return NextResponse.json({ ok: true })
}
const fromEmail = extractSenderEmail(message.from) || ''
logger.info('Webhook received', { fromEmail, from_raw: message.from, workspaceId: result.id })
if (result.inboxAddress && fromEmail === result.inboxAddress.toLowerCase()) {
logger.info('Skipping email from inbox itself', { workspaceId: result.id })
return NextResponse.json({ ok: true })
}
if (AUTOMATED_SENDERS.some((prefix) => fromEmail.startsWith(prefix))) {
await createRejectedTask(result.id, message, 'automated_sender')
return NextResponse.json({ ok: true })
}
const emailMessageId = message.message_id
const inReplyTo = message.in_reply_to || null
const [existingResult, isAllowed, recentCount, parentTaskResult, isEntitled] =
await Promise.all([
emailMessageId
? db
.select({ id: mothershipInboxTask.id })
.from(mothershipInboxTask)
.where(eq(mothershipInboxTask.emailMessageId, emailMessageId))
.limit(1)
: Promise.resolve([]),
isSenderAllowed(fromEmail, result.id),
getRecentTaskCount(result.id),
inReplyTo
? db
.select({ chatId: mothershipInboxTask.chatId })
.from(mothershipInboxTask)
.where(eq(mothershipInboxTask.responseMessageId, inReplyTo))
.limit(1)
: Promise.resolve([]),
hasWorkspaceInboxAccess(result.id),
])
if (existingResult[0]) {
logger.info('Duplicate webhook, skipping', { emailMessageId })
return NextResponse.json({ ok: true })
}
if (!isEntitled) {
logger.info('Inbox no longer entitled, rejecting', { workspaceId: result.id })
await createRejectedTask(result.id, message, 'not_entitled')
return NextResponse.json({ ok: true })
}
if (!isAllowed) {
await createRejectedTask(result.id, message, 'sender_not_allowed')
return NextResponse.json({ ok: true })
}
if (recentCount >= MAX_EMAILS_PER_HOUR) {
await createRejectedTask(result.id, message, 'rate_limit_exceeded')
return NextResponse.json({ ok: true })
}
const chatId = parentTaskResult[0]?.chatId ?? null
const fromName = extractDisplayName(message.from)
const taskId = generateId()
const bodyText = message.text?.substring(0, 50_000) || null
const bodyHtml = message.html?.substring(0, 50_000) || null
const bodyPreview = (bodyText || '')?.substring(0, 200) || null
await db.insert(mothershipInboxTask).values({
id: taskId,
workspaceId: result.id,
fromEmail,
fromName,
subject: message.subject || '(no subject)',
bodyPreview,
bodyText,
bodyHtml,
emailMessageId,
inReplyTo,
agentmailMessageId: message.message_id,
status: 'received',
chatId,
hasAttachments: (message.attachments?.length ?? 0) > 0,
ccRecipients: message.cc?.length ? JSON.stringify(message.cc) : null,
})
if (isTriggerDevEnabled) {
try {
const handle = await tasks.trigger(
'mothership-inbox-execution',
{ taskId },
{
tags: [`workspaceId:${result.id}`, `taskId:${taskId}`],
region: await resolveTriggerRegion(),
}
)
await db
.update(mothershipInboxTask)
.set({ triggerJobId: handle.id })
.where(eq(mothershipInboxTask.id, taskId))
} catch (triggerError) {
logger.warn('Trigger.dev dispatch failed, falling back to local execution', {
taskId,
triggerError,
})
executeInboxTask(taskId).catch((err) => {
logger.error('Local inbox task execution failed', {
taskId,
error: getErrorMessage(err, 'Unknown error'),
})
})
}
} else {
logger.info('Trigger.dev not available, executing inbox task locally', { taskId })
executeInboxTask(taskId).catch((err) => {
logger.error('Local inbox task execution failed', {
taskId,
error: getErrorMessage(err, 'Unknown error'),
})
})
}
return NextResponse.json({ ok: true })
} catch (error) {
logger.error('AgentMail webhook error', {
error: getErrorMessage(error, 'Unknown error'),
})
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
}
})
async function isSenderAllowed(email: string, workspaceId: string): Promise<boolean> {
const [allowedSenderResult, memberResult] = await Promise.all([
db
.select({ id: mothershipInboxAllowedSender.id })
.from(mothershipInboxAllowedSender)
.where(
and(
eq(mothershipInboxAllowedSender.workspaceId, workspaceId),
eq(mothershipInboxAllowedSender.email, email)
)
)
.limit(1),
db
.select({ userId: permissions.userId })
.from(permissions)
.innerJoin(user, eq(permissions.userId, user.id))
.where(
and(
eq(permissions.entityType, 'workspace'),
eq(permissions.entityId, workspaceId),
sql`lower(${user.email}) = ${email}`
)
)
.limit(1),
])
return !!(allowedSenderResult[0] || memberResult[0])
}
async function getRecentTaskCount(workspaceId: string): Promise<number> {
const oneHourAgo = new Date(Date.now() - 60 * 60 * 1000)
const [result] = await db
.select({ count: sql<number>`count(*)::int` })
.from(mothershipInboxTask)
.where(
and(
eq(mothershipInboxTask.workspaceId, workspaceId),
gt(mothershipInboxTask.createdAt, oneHourAgo),
ne(mothershipInboxTask.status, 'rejected')
)
)
return result?.count ?? 0
}
async function createRejectedTask(
workspaceId: string,
message: AgentMailWebhookPayload['message'],
reason: RejectionReason
): Promise<void> {
await db.insert(mothershipInboxTask).values({
id: generateId(),
workspaceId,
fromEmail: extractSenderEmail(message.from) || 'unknown',
fromName: extractDisplayName(message.from),
subject: message.subject || '(no subject)',
bodyPreview: (message.text || '').substring(0, 200) || null,
emailMessageId: message.message_id,
agentmailMessageId: message.message_id,
status: 'rejected',
rejectionReason: reason,
hasAttachments: (message.attachments?.length ?? 0) > 0,
})
}
/**
* Extract the raw email address from AgentMail's from field.
* Format: "username@domain.com" or "Display Name <username@domain.com>"
*/
function extractSenderEmail(from: string): string {
const openBracket = from.indexOf('<')
const closeBracket = from.indexOf('>', openBracket + 1)
if (openBracket !== -1 && closeBracket !== -1) {
return from
.substring(openBracket + 1, closeBracket)
.toLowerCase()
.trim()
}
return from.toLowerCase().trim()
}
function extractDisplayName(from: string): string | null {
const openBracket = from.indexOf('<')
if (openBracket <= 0) return null
const name = from.substring(0, openBracket).trim()
if (!name) return null
if (name.startsWith('"') && name.endsWith('"')) {
return name.slice(1, -1) || null
}
return name
}
@@ -0,0 +1,66 @@
import { createLogger } from '@sim/logger'
import { getErrorMessage } from '@sim/utils/errors'
import { type NextRequest, NextResponse } from 'next/server'
import { verifyCronAuth } from '@/lib/auth/internal'
import { cleanupExpiredIdempotencyKeys, getIdempotencyKeyStats } from '@/lib/core/idempotency'
import { generateRequestId } from '@/lib/core/utils/request'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
const logger = createLogger('IdempotencyCleanupAPI')
export const dynamic = 'force-dynamic'
export const maxDuration = 300 // Allow up to 5 minutes for cleanup
export const GET = withRouteHandler(async (request: NextRequest) => {
const requestId = generateRequestId()
logger.info(`Idempotency cleanup triggered (${requestId})`)
try {
const authError = verifyCronAuth(request, 'Idempotency key cleanup')
if (authError) {
return authError
}
const statsBefore = await getIdempotencyKeyStats()
logger.info(
`Pre-cleanup stats: ${statsBefore.totalKeys} keys across ${Object.keys(statsBefore.keysByNamespace).length} namespaces`
)
const result = await cleanupExpiredIdempotencyKeys({
maxAgeSeconds: 7 * 24 * 60 * 60, // 7 days
batchSize: 1000,
})
const statsAfter = await getIdempotencyKeyStats()
logger.info(`Post-cleanup stats: ${statsAfter.totalKeys} keys remaining`)
return NextResponse.json({
success: true,
message: 'Idempotency key cleanup completed',
requestId,
result: {
deleted: result.deleted,
errors: result.errors,
statsBefore: {
totalKeys: statsBefore.totalKeys,
keysByNamespace: statsBefore.keysByNamespace,
},
statsAfter: {
totalKeys: statsAfter.totalKeys,
keysByNamespace: statsAfter.keysByNamespace,
},
},
})
} catch (error) {
logger.error(`Error during idempotency cleanup (${requestId}):`, error)
return NextResponse.json(
{
success: false,
message: 'Idempotency cleanup failed',
error: getErrorMessage(error, 'Unknown error'),
requestId,
},
{ status: 500 }
)
}
})
@@ -0,0 +1,63 @@
import { db } from '@sim/db'
import { createLogger } from '@sim/logger'
import { toError } from '@sim/utils/errors'
import { type NextRequest, NextResponse } from 'next/server'
import { verifyCronAuth } from '@/lib/auth/internal'
import { billingOutboxHandlers } from '@/lib/billing/webhooks/outbox-handlers'
import { processOutboxEvents } from '@/lib/core/outbox/service'
import { generateRequestId } from '@/lib/core/utils/request'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import { workflowDeploymentOutboxHandlers } from '@/lib/workflows/deployment-outbox'
import { reapStaleBackgroundWork } from '@/ee/workspace-forking/lib/background-work/store'
const logger = createLogger('OutboxProcessorAPI')
export const dynamic = 'force-dynamic'
export const maxDuration = 120
const handlers = {
...billingOutboxHandlers,
...workflowDeploymentOutboxHandlers,
} as const
export const GET = withRouteHandler(async (request: NextRequest) => {
const requestId = generateRequestId()
try {
const authError = verifyCronAuth(request, 'Outbox processor')
if (authError) {
return authError
}
const result = await processOutboxEvents(handlers, {
batchSize: 20,
maxRuntimeMs: 110_000,
minRemainingMs: 95_000,
})
// Reap fork background-work rows stuck `processing` past their TTL (worker crash /
// restart has no in-task hook). Independent of the outbox; a failure here must not
// fail the outbox run, so it's guarded separately.
let reapedBackgroundWork = 0
try {
reapedBackgroundWork = await reapStaleBackgroundWork(db)
} catch (error) {
logger.error('Background-work reap failed', { requestId, error: toError(error).message })
}
logger.info('Outbox processing completed', { requestId, ...result, reapedBackgroundWork })
return NextResponse.json({
success: true,
requestId,
result,
reapedBackgroundWork,
})
} catch (error) {
logger.error('Outbox processing failed', { requestId, error: toError(error).message })
return NextResponse.json(
{ success: false, requestId, error: toError(error).message },
{ status: 500 }
)
}
})
@@ -0,0 +1,108 @@
/**
* Tests for the webhook polling cron route.
*
* @vitest-environment node
*/
import { createMockRequest, redisConfigMock, redisConfigMockFns } from '@sim/testing'
import { sleep } from '@sim/utils/helpers'
import { beforeEach, describe, expect, it, vi } from 'vitest'
const { mockVerifyCronAuth, mockPollProvider } = vi.hoisted(() => ({
mockVerifyCronAuth: vi.fn().mockReturnValue(null),
mockPollProvider: vi.fn().mockResolvedValue({ processed: 0 }),
}))
vi.mock('@/lib/auth/internal', () => ({
verifyCronAuth: mockVerifyCronAuth,
}))
vi.mock('@/lib/core/config/redis', () => redisConfigMock)
vi.mock('@/lib/webhooks/polling', () => ({
pollProvider: mockPollProvider,
VALID_POLLING_PROVIDERS: new Set(['gmail', 'outlook', 'rss']),
}))
import { GET } from './route'
function createRequest() {
return createMockRequest('GET', undefined, {}, 'http://localhost:3000/api/webhooks/poll/gmail')
}
function createContext(provider: string) {
return { params: Promise.resolve({ provider }) }
}
const flushMicrotasks = () => sleep(0)
describe('webhook polling route (fire-and-forget)', () => {
beforeEach(() => {
vi.clearAllMocks()
redisConfigMockFns.mockAcquireLock.mockResolvedValue(true)
redisConfigMockFns.mockReleaseLock.mockResolvedValue(true)
mockVerifyCronAuth.mockReturnValue(null)
mockPollProvider.mockResolvedValue({ processed: 0 })
})
it('returns the auth error when cron auth fails', async () => {
mockVerifyCronAuth.mockReturnValueOnce(
new Response(null, { status: 401 }) as unknown as Response
)
const response = await GET(createRequest(), createContext('gmail'))
expect(response.status).toBe(401)
expect(mockPollProvider).not.toHaveBeenCalled()
})
it('returns 404 for an unknown provider', async () => {
const response = await GET(createRequest(), createContext('unknown'))
expect(response.status).toBe(404)
expect(redisConfigMockFns.mockAcquireLock).not.toHaveBeenCalled()
})
it('acknowledges with 202 and polls in the background after acquiring the lock', async () => {
const response = await GET(createRequest(), createContext('gmail'))
expect(response.status).toBe(202)
const data = await response.json()
expect(data).toMatchObject({ status: 'started' })
expect(redisConfigMockFns.mockAcquireLock).toHaveBeenCalledWith(
'gmail-polling-lock',
expect.any(String),
expect.any(Number)
)
await flushMicrotasks()
expect(mockPollProvider).toHaveBeenCalledWith('gmail')
expect(redisConfigMockFns.mockReleaseLock).toHaveBeenCalledWith(
'gmail-polling-lock',
expect.any(String)
)
})
it('skips with 202 when the lock is already held', async () => {
redisConfigMockFns.mockAcquireLock.mockResolvedValueOnce(false)
const response = await GET(createRequest(), createContext('gmail'))
expect(response.status).toBe(202)
const data = await response.json()
expect(data).toMatchObject({ status: 'skip' })
expect(mockPollProvider).not.toHaveBeenCalled()
})
it('releases the lock even when polling throws', async () => {
mockPollProvider.mockRejectedValueOnce(new Error('poll failed'))
const response = await GET(createRequest(), createContext('gmail'))
expect(response.status).toBe(202)
await flushMicrotasks()
expect(redisConfigMockFns.mockReleaseLock).toHaveBeenCalledWith(
'gmail-polling-lock',
expect.any(String)
)
})
})
@@ -0,0 +1,88 @@
import { createLogger } from '@sim/logger'
import { getErrorMessage } from '@sim/utils/errors'
import { generateShortId } from '@sim/utils/id'
import { type NextRequest, NextResponse } from 'next/server'
import { webhookPollingContract } from '@/lib/api/contracts/webhooks'
import { parseRequest } from '@/lib/api/server'
import { verifyCronAuth } from '@/lib/auth/internal'
import { acquireLock, releaseLock } from '@/lib/core/config/redis'
import { runDetached } from '@/lib/core/utils/background'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import { pollProvider, VALID_POLLING_PROVIDERS } from '@/lib/webhooks/polling'
const logger = createLogger('PollingAPI')
/** Lock TTL in seconds — must match maxDuration so the lock auto-expires if the function times out. */
const LOCK_TTL_SECONDS = 180
export const dynamic = 'force-dynamic'
export const maxDuration = 180
export const GET = withRouteHandler(
async (request: NextRequest, context: { params: Promise<{ provider: string }> }) => {
const requestId = generateShortId()
let provider: string | undefined
try {
const authError = verifyCronAuth(request, 'webhook polling')
if (authError) return authError
const parsed = await parseRequest(webhookPollingContract, request, context)
if (!parsed.success) return parsed.response
provider = parsed.data.params.provider
if (!VALID_POLLING_PROVIDERS.has(provider)) {
return NextResponse.json(
{ error: `Unknown polling provider: ${provider}` },
{ status: 404 }
)
}
const LOCK_KEY = `${provider}-polling-lock`
const lockValue = requestId
const locked = await acquireLock(LOCK_KEY, lockValue, LOCK_TTL_SECONDS)
if (!locked) {
return NextResponse.json(
{
success: true,
message: 'Polling already in progress skipped',
requestId,
status: 'skip',
},
{ status: 202 }
)
}
const pollingProvider = provider
runDetached(`${pollingProvider}-polling`, async () => {
try {
await pollProvider(pollingProvider)
} finally {
await releaseLock(LOCK_KEY, lockValue).catch(() => {})
}
})
return NextResponse.json(
{
success: true,
message: `${provider} polling started`,
requestId,
status: 'started',
},
{ status: 202 }
)
} catch (error) {
const providerLabel = provider ?? 'webhook'
logger.error(`Error during ${providerLabel} polling (${requestId}):`, error)
return NextResponse.json(
{
success: false,
message: `${providerLabel} polling failed`,
error: getErrorMessage(error, 'Unknown error'),
requestId,
},
{ status: 500 }
)
}
}
)
+601
View File
@@ -0,0 +1,601 @@
import { AuditAction, AuditResourceType, recordAudit } from '@sim/audit'
import { db } from '@sim/db'
import { webhook, workflow, workflowDeploymentVersion } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import {
assertWorkflowMutable,
authorizeWorkflowByWorkspacePermission,
WorkflowLockedError,
} from '@sim/platform-authz/workflow'
import { getErrorMessage } from '@sim/utils/errors'
import { generateId, generateShortId } from '@sim/utils/id'
import { and, desc, eq, inArray, isNull, or } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { listWebhooksContract, upsertWebhookContract } from '@/lib/api/contracts/webhooks'
import { parseRequest } from '@/lib/api/server'
import { getSession } from '@/lib/auth'
import { PlatformEvents } from '@/lib/core/telemetry'
import { generateRequestId } from '@/lib/core/utils/request'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import { captureServerEvent } from '@/lib/posthog/server'
import { resolveEnvVarsInObject } from '@/lib/webhooks/env-resolver'
import {
cleanupExternalWebhook,
createExternalWebhookSubscription,
shouldRecreateExternalWebhookSubscription,
} from '@/lib/webhooks/provider-subscriptions'
import { getProviderHandler } from '@/lib/webhooks/providers'
import { mergeNonUserFields } from '@/lib/webhooks/utils'
import { findConflictingWebhookPathOwner } from '@/lib/webhooks/utils.server'
import { listAccessibleWorkspaceRowsForUser } from '@/lib/workspaces/utils'
const logger = createLogger('WebhooksAPI')
export const dynamic = 'force-dynamic'
async function revertSavedWebhook(
savedWebhook: any,
existingWebhook: any,
requestId: string
): Promise<void> {
if (existingWebhook) {
await db
.update(webhook)
.set({
workflowId: existingWebhook.workflowId,
blockId: existingWebhook.blockId,
path: existingWebhook.path,
provider: existingWebhook.provider,
providerConfig: existingWebhook.providerConfig,
isActive: existingWebhook.isActive,
archivedAt: existingWebhook.archivedAt,
updatedAt: existingWebhook.updatedAt,
})
.where(eq(webhook.id, savedWebhook.id))
logger.info(`[${requestId}] Restored previous webhook configuration after failed re-save`, {
webhookId: savedWebhook.id,
})
return
}
await db.delete(webhook).where(eq(webhook.id, savedWebhook.id))
}
// Get all webhooks for the current user
export const GET = withRouteHandler(async (request: NextRequest) => {
const requestId = generateRequestId()
try {
const session = await getSession()
if (!session?.user?.id) {
logger.warn(`[${requestId}] Unauthorized webhooks access attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const parsed = await parseRequest(listWebhooksContract, request, {})
if (!parsed.success) return parsed.response
const { workflowId, blockId } = parsed.data.query
if (workflowId && blockId) {
// Collaborative-aware path: allow collaborators with read access to view webhooks
// Fetch workflow to verify access
const wf = await db
.select({ id: workflow.id, userId: workflow.userId, workspaceId: workflow.workspaceId })
.from(workflow)
.where(eq(workflow.id, workflowId))
.limit(1)
if (!wf.length) {
logger.warn(`[${requestId}] Workflow not found: ${workflowId}`)
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
}
const wfRecord = wf[0]
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId: wfRecord.id,
userId: session.user.id,
action: 'read',
})
const canRead = authorization.allowed
if (!canRead) {
logger.warn(
`[${requestId}] User ${session.user.id} denied permission to read webhooks for workflow ${workflowId}`
)
return NextResponse.json({ webhooks: [] }, { status: 200 })
}
const webhooks = await db
.select({
webhook: webhook,
workflow: {
id: workflow.id,
name: workflow.name,
},
})
.from(webhook)
.innerJoin(workflow, eq(webhook.workflowId, workflow.id))
.leftJoin(
workflowDeploymentVersion,
and(
eq(workflowDeploymentVersion.workflowId, workflow.id),
eq(workflowDeploymentVersion.isActive, true)
)
)
.where(
and(
eq(webhook.workflowId, workflowId),
eq(webhook.blockId, blockId),
isNull(webhook.archivedAt),
or(
eq(webhook.deploymentVersionId, workflowDeploymentVersion.id),
and(isNull(workflowDeploymentVersion.id), isNull(webhook.deploymentVersionId))
)
)
)
.orderBy(desc(webhook.updatedAt))
logger.info(
`[${requestId}] Retrieved ${webhooks.length} webhooks for workflow ${workflowId} block ${blockId}`
)
return NextResponse.json({ webhooks }, { status: 200 })
}
if (workflowId && !blockId) {
// For now, allow the call but return empty results to avoid breaking the UI
return NextResponse.json({ webhooks: [] }, { status: 200 })
}
const accessibleRows = await listAccessibleWorkspaceRowsForUser(session.user.id, 'all')
const workspaceIds = accessibleRows.map((row) => row.workspace.id)
if (workspaceIds.length === 0) {
return NextResponse.json({ webhooks: [] }, { status: 200 })
}
const webhooks = await db
.select({
webhook: webhook,
workflow: {
id: workflow.id,
name: workflow.name,
},
})
.from(webhook)
.innerJoin(workflow, eq(webhook.workflowId, workflow.id))
.where(and(inArray(workflow.workspaceId, workspaceIds), isNull(webhook.archivedAt)))
logger.info(`[${requestId}] Retrieved ${webhooks.length} workspace-accessible webhooks`)
return NextResponse.json({ webhooks }, { status: 200 })
} catch (error) {
logger.error(`[${requestId}] Error fetching webhooks`, error)
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
}
})
// Create or Update a webhook
export const POST = withRouteHandler(async (request: NextRequest) => {
const requestId = generateRequestId()
const session = await getSession()
const userId = session?.user?.id
if (!userId) {
logger.warn(`[${requestId}] Unauthorized webhook creation attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
try {
const parsed = await parseRequest(upsertWebhookContract, request, {})
if (!parsed.success) return parsed.response
const body = parsed.data.body
const { workflowId, path, providerConfig, blockId } = body
const provider = body.provider || ''
// Validate input
if (!workflowId) {
logger.warn(`[${requestId}] Missing required fields for webhook creation`, {
hasWorkflowId: !!workflowId,
hasPath: !!path,
})
return NextResponse.json({ error: 'Missing required fields' }, { status: 400 })
}
// Determine final path with special handling for credential-based providers
// to avoid generating a new path on every save.
let finalPath = path
const credentialBasedProviders = ['gmail', 'outlook']
const isCredentialBased = credentialBasedProviders.includes(provider)
// Treat Microsoft Teams chat subscription as credential-based for path generation purposes
const isMicrosoftTeamsChatSubscription =
provider === 'microsoft-teams' &&
typeof providerConfig === 'object' &&
providerConfig?.triggerId === 'microsoftteams_chat_subscription'
// If path is missing
if (!finalPath || finalPath.trim() === '') {
if (isCredentialBased || isMicrosoftTeamsChatSubscription) {
// Try to reuse existing path for this workflow+block if one exists
if (blockId) {
const existingForBlock = await db
.select({ id: webhook.id, path: webhook.path })
.from(webhook)
.leftJoin(
workflowDeploymentVersion,
and(
eq(workflowDeploymentVersion.workflowId, workflowId),
eq(workflowDeploymentVersion.isActive, true)
)
)
.where(
and(
eq(webhook.workflowId, workflowId),
eq(webhook.blockId, blockId),
isNull(webhook.archivedAt),
or(
eq(webhook.deploymentVersionId, workflowDeploymentVersion.id),
and(isNull(workflowDeploymentVersion.id), isNull(webhook.deploymentVersionId))
)
)
)
.limit(1)
if (existingForBlock.length > 0) {
finalPath = existingForBlock[0].path ?? ''
logger.info(
`[${requestId}] Reusing existing generated path for ${provider} trigger: ${finalPath}`
)
}
}
// If still no path, generate a new dummy path (first-time save)
if (!finalPath || finalPath.trim() === '') {
finalPath = `${provider}-${generateId()}`
logger.info(`[${requestId}] Generated webhook path for ${provider} trigger: ${finalPath}`)
}
} else {
logger.warn(`[${requestId}] Missing path for webhook creation`, {
hasWorkflowId: !!workflowId,
hasPath: !!path,
})
return NextResponse.json({ error: 'Missing required path' }, { status: 400 })
}
}
// Check if the workflow exists and user has permission to modify it
const workflowData = await db
.select({
id: workflow.id,
userId: workflow.userId,
workspaceId: workflow.workspaceId,
})
.from(workflow)
.where(eq(workflow.id, workflowId))
.limit(1)
if (workflowData.length === 0) {
logger.warn(`[${requestId}] Workflow not found: ${workflowId}`)
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
}
const workflowRecord = workflowData[0]
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'write',
})
const canModify = authorization.allowed
if (!canModify) {
logger.warn(
`[${requestId}] User ${userId} denied permission to modify webhook for workflow ${workflowId}`
)
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
}
await assertWorkflowMutable(workflowId)
// Determine existing webhook to update (prefer by workflow+block for credential-based providers)
let targetWebhookId: string | null = null
if (isCredentialBased && blockId) {
const existingForBlock = await db
.select({ id: webhook.id })
.from(webhook)
.leftJoin(
workflowDeploymentVersion,
and(
eq(workflowDeploymentVersion.workflowId, workflowId),
eq(workflowDeploymentVersion.isActive, true)
)
)
.where(
and(
eq(webhook.workflowId, workflowId),
eq(webhook.blockId, blockId),
isNull(webhook.archivedAt),
or(
eq(webhook.deploymentVersionId, workflowDeploymentVersion.id),
and(isNull(workflowDeploymentVersion.id), isNull(webhook.deploymentVersionId))
)
)
)
.limit(1)
if (existingForBlock.length > 0) {
targetWebhookId = existingForBlock[0].id
}
}
if (!targetWebhookId) {
const conflictingOwner = await findConflictingWebhookPathOwner({
path: finalPath,
workflowId,
})
if (conflictingOwner) {
logger.warn(`[${requestId}] Webhook path conflict: ${finalPath}`)
return NextResponse.json(
{ error: 'Webhook path already exists.', code: 'PATH_EXISTS' },
{ status: 409 }
)
}
const ownExisting = await db
.select({ id: webhook.id })
.from(webhook)
.where(
and(
eq(webhook.path, finalPath),
eq(webhook.workflowId, workflowId),
isNull(webhook.archivedAt)
)
)
.limit(1)
if (ownExisting.length > 0) {
targetWebhookId = ownExisting[0].id
}
}
let savedWebhook: any = null
let existingWebhook: any = null
const originalProviderConfig = providerConfig || {}
let resolvedProviderConfig = await resolveEnvVarsInObject(
originalProviderConfig,
userId,
workflowRecord.workspaceId || undefined
)
let externalSubscriptionCreated = false
const createTempWebhookData = (providerConfigOverride = resolvedProviderConfig) => ({
id: targetWebhookId || generateShortId(),
path: finalPath,
provider,
providerConfig: providerConfigOverride,
})
const userProvided = originalProviderConfig as Record<string, unknown>
const configToSave: Record<string, unknown> = { ...userProvided }
if (targetWebhookId) {
const existingRows = await db
.select()
.from(webhook)
.where(eq(webhook.id, targetWebhookId))
.limit(1)
existingWebhook = existingRows[0] || null
}
const shouldRecreateSubscription =
existingWebhook &&
shouldRecreateExternalWebhookSubscription({
previousProvider: existingWebhook.provider as string,
nextProvider: provider,
previousConfig: ((existingWebhook.providerConfig as Record<string, unknown>) ||
{}) as Record<string, unknown>,
nextConfig: resolvedProviderConfig,
})
if (!existingWebhook || shouldRecreateSubscription) {
try {
const result = await createExternalWebhookSubscription(
request,
createTempWebhookData(),
workflowRecord,
userId,
requestId
)
const updatedConfig = result.updatedProviderConfig as Record<string, unknown>
mergeNonUserFields(configToSave, updatedConfig, userProvided)
resolvedProviderConfig = updatedConfig
externalSubscriptionCreated = result.externalSubscriptionCreated
} catch (err) {
logger.error(`[${requestId}] Error creating external webhook subscription`, err)
return NextResponse.json(
{
error: 'Failed to create external webhook subscription',
details: getErrorMessage(err, 'Unknown error'),
},
{ status: 500 }
)
}
} else {
mergeNonUserFields(
configToSave,
(existingWebhook.providerConfig as Record<string, unknown>) || {},
userProvided
)
}
try {
if (targetWebhookId) {
logger.info(`[${requestId}] Updating existing webhook for path: ${finalPath}`, {
webhookId: targetWebhookId,
provider,
hasCredentialId: !!(configToSave as any)?.credentialId,
credentialId: (configToSave as any)?.credentialId,
})
const updatedResult = await db
.update(webhook)
.set({
blockId,
provider,
providerConfig: configToSave,
isActive: true,
updatedAt: new Date(),
})
.where(eq(webhook.id, targetWebhookId))
.returning()
savedWebhook = updatedResult[0]
logger.info(`[${requestId}] Webhook updated successfully`, {
webhookId: savedWebhook.id,
savedProviderConfig: savedWebhook.providerConfig,
})
} else {
// Create a new webhook
const webhookId = generateShortId()
logger.info(`[${requestId}] Creating new webhook with ID: ${webhookId}`)
const newResult = await db
.insert(webhook)
.values({
id: webhookId,
workflowId,
blockId,
path: finalPath,
provider,
providerConfig: configToSave,
isActive: true,
createdAt: new Date(),
updatedAt: new Date(),
})
.returning()
savedWebhook = newResult[0]
}
} catch (dbError) {
if (externalSubscriptionCreated) {
logger.error(`[${requestId}] DB save failed, cleaning up external subscription`, dbError)
try {
await cleanupExternalWebhook(
createTempWebhookData(configToSave),
workflowRecord,
requestId
)
} catch (cleanupError) {
logger.error(
`[${requestId}] Failed to cleanup external subscription after DB save failure`,
cleanupError
)
}
}
throw dbError
}
if (existingWebhook && shouldRecreateSubscription) {
try {
await cleanupExternalWebhook(existingWebhook, workflowRecord, requestId)
} catch (cleanupError) {
logger.warn(
`[${requestId}] Failed to cleanup previous external webhook subscription ${existingWebhook.id}`,
cleanupError
)
}
}
if (savedWebhook) {
const pollingHandler = getProviderHandler(provider)
if (pollingHandler.configurePolling) {
logger.info(
`[${requestId}] ${provider} provider detected. Setting up polling configuration.`
)
try {
const success = await pollingHandler.configurePolling({
webhook: savedWebhook,
requestId,
})
if (!success) {
logger.error(
`[${requestId}] Failed to configure ${provider} polling, rolling back webhook`
)
await revertSavedWebhook(savedWebhook, existingWebhook, requestId)
return NextResponse.json(
{
error: `Failed to configure ${provider} polling`,
details: 'Please check your account permissions and try again',
},
{ status: 500 }
)
}
logger.info(`[${requestId}] Successfully configured ${provider} polling`)
} catch (err) {
logger.error(
`[${requestId}] Error setting up ${provider} webhook configuration, rolling back webhook`,
err
)
await revertSavedWebhook(savedWebhook, existingWebhook, requestId)
return NextResponse.json(
{
error: `Failed to configure ${provider} webhook`,
details: getErrorMessage(err, 'Unknown error'),
},
{ status: 500 }
)
}
}
}
if (!targetWebhookId && savedWebhook) {
try {
PlatformEvents.webhookCreated({
webhookId: savedWebhook.id,
workflowId: workflowId,
provider: provider || 'generic',
workspaceId: workflowRecord.workspaceId || undefined,
})
} catch {
// Telemetry should not fail the operation
}
recordAudit({
workspaceId: workflowRecord.workspaceId || null,
actorId: userId,
actorName: session?.user?.name ?? undefined,
actorEmail: session?.user?.email ?? undefined,
action: AuditAction.WEBHOOK_CREATED,
resourceType: AuditResourceType.WEBHOOK,
resourceId: savedWebhook.id,
resourceName: provider || 'generic',
description: `Created ${provider || 'generic'} webhook`,
metadata: {
provider: provider || 'generic',
workflowId,
webhookPath: finalPath,
blockId: blockId || undefined,
},
request,
})
const wsId = workflowRecord.workspaceId || undefined
captureServerEvent(
userId,
'webhook_trigger_created',
{
webhook_id: savedWebhook.id,
workflow_id: workflowId,
provider: provider || 'generic',
workspace_id: wsId ?? '',
},
wsId ? { groups: { workspace: wsId } } : undefined
)
}
const status = targetWebhookId ? 200 : 201
return NextResponse.json({ webhook: savedWebhook }, { status })
} catch (error: any) {
if (error instanceof WorkflowLockedError) {
return NextResponse.json({ error: error.message }, { status: error.status })
}
logger.error(`[${requestId}] Error creating/updating webhook`, {
message: error.message,
stack: error.stack,
})
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
}
})
@@ -0,0 +1,136 @@
/**
* @vitest-environment node
*/
import { beforeEach, describe, expect, it, vi } from 'vitest'
const {
mockParseWebhookBody,
mockFindWebhooksByRoutingKey,
mockDispatchResolvedWebhookTarget,
mockGetSlackBotCredential,
mockHandleChallenge,
mockVerifySignature,
} = vi.hoisted(() => ({
mockParseWebhookBody: vi.fn(),
mockFindWebhooksByRoutingKey: vi.fn(),
mockDispatchResolvedWebhookTarget: vi.fn(),
mockGetSlackBotCredential: vi.fn(),
mockHandleChallenge: vi.fn(),
mockVerifySignature: vi.fn(),
}))
vi.mock('@/lib/core/admission/gate', () => ({
tryAdmit: () => ({ release: vi.fn() }),
admissionRejectedResponse: () => new Response(null, { status: 503 }),
}))
vi.mock('@/app/api/auth/oauth/utils', () => ({
getSlackBotCredential: mockGetSlackBotCredential,
}))
vi.mock('@/lib/webhooks/processor', () => ({
parseWebhookBody: mockParseWebhookBody,
findWebhooksByRoutingKey: mockFindWebhooksByRoutingKey,
dispatchResolvedWebhookTarget: mockDispatchResolvedWebhookTarget,
}))
vi.mock('@/lib/webhooks/providers/slack', () => ({
handleSlackChallenge: mockHandleChallenge,
verifySlackRequestSignature: mockVerifySignature,
resolveSlackEventKey: () => null,
}))
import { POST } from '@/app/api/webhooks/slack/custom/[credentialId]/route'
const CREDENTIAL_ID = 'cred-123'
function makeRequest() {
return new Request('https://sim.test/api/webhooks/slack/custom/cred-123', {
method: 'POST',
headers: { 'x-slack-request-timestamp': '1700000000' },
}) as unknown as import('next/server').NextRequest
}
const context = { params: Promise.resolve({ credentialId: CREDENTIAL_ID }) }
const messageBody = {
team_id: 'T1',
api_app_id: 'A1',
event: { type: 'message', channel_type: 'channel', channel: 'C1', ts: '1.1' },
}
function webhook(id: string) {
return { webhook: { id, blockId: `blk-${id}`, providerConfig: {} }, workflow: { id: `wf-${id}` } }
}
describe('Slack custom-bot webhook route', () => {
beforeEach(() => {
vi.clearAllMocks()
mockHandleChallenge.mockReturnValue(null)
mockVerifySignature.mockReturnValue(null)
mockParseWebhookBody.mockResolvedValue({
body: messageBody,
rawBody: JSON.stringify(messageBody),
})
mockGetSlackBotCredential.mockResolvedValue({
signingSecret: 'sec',
botToken: 'xoxb-x',
teamId: 'T1',
})
mockFindWebhooksByRoutingKey.mockResolvedValue([webhook('wh1')])
mockDispatchResolvedWebhookTarget.mockResolvedValue({
outcome: 'queued',
response: new Response(null, { status: 200 }),
reason: 'queued',
})
})
it('echoes the url_verification challenge without loading the credential', async () => {
mockHandleChallenge.mockReturnValue(new Response('ok', { status: 200 }))
await POST(makeRequest(), context)
expect(mockGetSlackBotCredential).not.toHaveBeenCalled()
expect(mockVerifySignature).not.toHaveBeenCalled()
})
it('404s an unknown credential', async () => {
mockGetSlackBotCredential.mockResolvedValue(null)
const res = await POST(makeRequest(), context)
expect(res.status).toBe(404)
expect(mockDispatchResolvedWebhookTarget).not.toHaveBeenCalled()
})
it('verifies with the credential signing secret and rejects a bad signature', async () => {
mockVerifySignature.mockReturnValue(new Response(null, { status: 401 }))
const res = await POST(makeRequest(), context)
expect(mockVerifySignature).toHaveBeenCalledWith(
'sec',
expect.anything(),
expect.any(String),
expect.any(String)
)
expect(res.status).toBe(401)
expect(mockDispatchResolvedWebhookTarget).not.toHaveBeenCalled()
})
it('fans out by credential id (provider slack) and dispatches each webhook', async () => {
const res = await POST(makeRequest(), context)
expect(mockFindWebhooksByRoutingKey).toHaveBeenCalledWith(
CREDENTIAL_ID,
expect.any(String),
'slack'
)
expect(mockDispatchResolvedWebhookTarget).toHaveBeenCalledTimes(1)
expect(res.status).toBe(200)
})
it('still returns 200 when the dispatcher filters the event', async () => {
mockDispatchResolvedWebhookTarget.mockResolvedValue({
outcome: 'ignored',
response: new Response(null, { status: 200 }),
reason: 'filtered',
})
const res = await POST(makeRequest(), context)
expect(mockDispatchResolvedWebhookTarget).toHaveBeenCalledTimes(1)
expect(res.status).toBe(200)
})
})
@@ -0,0 +1,88 @@
import { createLogger } from '@sim/logger'
import { type NextRequest, NextResponse } from 'next/server'
import { admissionRejectedResponse, tryAdmit } from '@/lib/core/admission/gate'
import { generateRequestId } from '@/lib/core/utils/request'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import { findWebhooksByRoutingKey, parseWebhookBody } from '@/lib/webhooks/processor'
import { handleSlackChallenge, verifySlackRequestSignature } from '@/lib/webhooks/providers/slack'
import { dispatchSlackWebhooks } from '@/lib/webhooks/slack-dispatch'
import { getSlackBotCredential } from '@/app/api/auth/oauth/utils'
const logger = createLogger('SlackCustomBotWebhookAPI')
export const dynamic = 'force-dynamic'
export const runtime = 'nodejs'
export const maxDuration = 60
/**
* Ingest endpoint for a reusable custom Slack bot. The bot's single Event
* Subscriptions Request URL embeds its credential id, so every trigger that
* references the same bot credential shares one URL — routed here by
* `routingKey = credentialId` (mirrors the native `/api/webhooks/slack`
* `team_id` fan-out). Requests are HMAC-verified with the credential's OWN
* signing secret (not the shared env secret).
*/
export const POST = withRouteHandler(
async (request: NextRequest, context: { params: Promise<{ credentialId: string }> }) => {
const ticket = tryAdmit()
if (!ticket) {
return admissionRejectedResponse()
}
try {
return await handleSlackCustomBotWebhook(request, context)
} finally {
ticket.release()
}
}
)
async function handleSlackCustomBotWebhook(
request: NextRequest,
context: { params: Promise<{ credentialId: string }> }
): Promise<NextResponse> {
const receivedAt = Date.now()
const requestId = generateRequestId()
const { credentialId } = await context.params
const parseResult = await parseWebhookBody(request, requestId)
if (parseResult instanceof NextResponse) {
return parseResult
}
const { body, rawBody } = parseResult
// Echo Slack's url_verification challenge unconditionally — this is how Slack
// verifies the Request URL when the app is created from the manifest, before
// the bot is installed / the credential is finalized.
const challenge = handleSlackChallenge(body)
if (challenge) {
return challenge
}
const botCredential = await getSlackBotCredential(credentialId)
if (!botCredential) {
logger.warn(`[${requestId}] Unknown Slack bot credential ${credentialId}`)
return new NextResponse(null, { status: 404 })
}
const authError = verifySlackRequestSignature(
botCredential.signingSecret,
request,
rawBody,
requestId
)
if (authError) {
return authError
}
const webhooks = await findWebhooksByRoutingKey(credentialId, requestId, 'slack')
if (webhooks.length === 0) {
logger.info(
`[${requestId}] No active trigger for bot credential ${credentialId}; nothing to run`
)
return new NextResponse(null, { status: 200 })
}
await dispatchSlackWebhooks(webhooks, { body, request, requestId, receivedAt })
return new NextResponse(null, { status: 200 })
}
@@ -0,0 +1,126 @@
/**
* @vitest-environment node
*/
import { beforeEach, describe, expect, it, vi } from 'vitest'
const { mockParseWebhookBody, mockFindWebhooksByRoutingKey, mockDispatchResolvedWebhookTarget } =
vi.hoisted(() => ({
mockParseWebhookBody: vi.fn(),
mockFindWebhooksByRoutingKey: vi.fn(),
mockDispatchResolvedWebhookTarget: vi.fn(),
}))
vi.mock('@/lib/core/admission/gate', () => ({
tryAdmit: () => ({ release: vi.fn() }),
admissionRejectedResponse: () => new Response(null, { status: 503 }),
}))
vi.mock('@/lib/core/config/env', () => ({
env: { SLACK_SIGNING_SECRET: 'test-secret' },
}))
vi.mock('@/lib/webhooks/processor', () => ({
parseWebhookBody: mockParseWebhookBody,
findWebhooksByRoutingKey: mockFindWebhooksByRoutingKey,
dispatchResolvedWebhookTarget: mockDispatchResolvedWebhookTarget,
}))
vi.mock('@/lib/webhooks/providers/slack', () => ({
handleSlackChallenge: () => null,
verifySlackRequestSignature: () => null,
resolveSlackEventKey: () => null,
}))
import { POST } from '@/app/api/webhooks/slack/route'
function makeRequest() {
return new Request('https://sim.test/api/webhooks/slack', {
method: 'POST',
headers: { 'x-slack-request-timestamp': '1700000000' },
}) as unknown as import('next/server').NextRequest
}
function webhook(id: string) {
return { webhook: { id, blockId: `blk-${id}`, providerConfig: {} }, workflow: { id: `wf-${id}` } }
}
async function run(body: Record<string, unknown>) {
mockParseWebhookBody.mockResolvedValue({ body, rawBody: JSON.stringify(body) })
await POST(makeRequest())
}
const messageBody = {
team_id: 'T1',
api_app_id: 'A1',
event: { type: 'message', channel_type: 'channel', channel: 'C1', ts: '1.1' },
}
describe('Slack app webhook route', () => {
beforeEach(() => {
vi.clearAllMocks()
mockFindWebhooksByRoutingKey.mockResolvedValue([webhook('wh1')])
mockDispatchResolvedWebhookTarget.mockResolvedValue({
outcome: 'queued',
response: new Response(null, { status: 200 }),
reason: 'queued',
})
})
it('dispatches each webhook resolved for the event team', async () => {
await run(messageBody)
expect(mockDispatchResolvedWebhookTarget).toHaveBeenCalledTimes(1)
})
it('continues cleanly when the dispatcher filters the event', async () => {
mockDispatchResolvedWebhookTarget.mockResolvedValue({
outcome: 'ignored',
response: new Response(null, { status: 200 }),
reason: 'filtered',
})
await run(messageBody)
expect(mockDispatchResolvedWebhookTarget).toHaveBeenCalledTimes(1)
})
it('routes via Slack Connect authorizations and dedups overlapping webhooks', async () => {
// Two candidate teams (outer + authorization) that resolve to overlapping webhooks.
mockFindWebhooksByRoutingKey.mockImplementation(async (teamId: string) =>
teamId === 'T1' ? [webhook('wh1')] : [webhook('wh1'), webhook('wh2')]
)
await run({
...messageBody,
authorizations: [{ team_id: 'T2' }],
})
expect(mockFindWebhooksByRoutingKey).toHaveBeenCalledTimes(2)
// wh1 (in both) is dispatched once, wh2 once — dedup by webhook id.
expect(mockDispatchResolvedWebhookTarget).toHaveBeenCalledTimes(2)
})
it('returns 200 with no team_id', async () => {
await run({ event: { type: 'message' } })
expect(mockFindWebhooksByRoutingKey).not.toHaveBeenCalled()
expect(mockDispatchResolvedWebhookTarget).not.toHaveBeenCalled()
})
it('routes an interaction payload by payload.team.id', async () => {
await run({
type: 'block_actions',
api_app_id: 'A1',
team: { id: 'T1' },
user: { id: 'U1' },
actions: [{ action_id: 'approve_btn' }],
})
expect(mockFindWebhooksByRoutingKey).toHaveBeenCalledWith('T1', expect.anything())
expect(mockDispatchResolvedWebhookTarget).toHaveBeenCalledTimes(1)
})
it('fails closed on an interaction missing payload.team.id (never routes on user.team_id)', async () => {
await run({
type: 'block_actions',
api_app_id: 'A1',
user: { id: 'U1', team_id: 'T_OTHER' },
actions: [{ action_id: 'approve_btn' }],
})
expect(mockFindWebhooksByRoutingKey).not.toHaveBeenCalled()
expect(mockDispatchResolvedWebhookTarget).not.toHaveBeenCalled()
})
})
+112
View File
@@ -0,0 +1,112 @@
import { createLogger } from '@sim/logger'
import { type NextRequest, NextResponse } from 'next/server'
import { admissionRejectedResponse, tryAdmit } from '@/lib/core/admission/gate'
import { env } from '@/lib/core/config/env'
import { generateRequestId } from '@/lib/core/utils/request'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import { findWebhooksByRoutingKey, parseWebhookBody } from '@/lib/webhooks/processor'
import { handleSlackChallenge, verifySlackRequestSignature } from '@/lib/webhooks/providers/slack'
import { dispatchSlackWebhooks } from '@/lib/webhooks/slack-dispatch'
const logger = createLogger('SlackAppWebhookAPI')
export const dynamic = 'force-dynamic'
export const runtime = 'nodejs'
export const maxDuration = 60
/**
* Single ingest endpoint for the official Sim Slack app. Every workspace's
* events arrive here and are routed to listening workflows by Slack `team_id`
* (and Slack Connect `authorizations[].team_id`) after HMAC verification with
* the shared app signing secret. This is the request URL configured in the
* app's Event Subscriptions.
*/
export const POST = withRouteHandler(async (request: NextRequest) => {
const ticket = tryAdmit()
if (!ticket) {
return admissionRejectedResponse()
}
try {
return await handleSlackAppWebhook(request)
} finally {
ticket.release()
}
})
async function handleSlackAppWebhook(request: NextRequest): Promise<NextResponse> {
const receivedAt = Date.now()
const requestId = generateRequestId()
const parseResult = await parseWebhookBody(request, requestId)
if (parseResult instanceof NextResponse) {
return parseResult
}
const { body, rawBody } = parseResult
// Slack's endpoint verification handshake — echo the challenge back.
const challenge = handleSlackChallenge(body)
if (challenge) {
return challenge
}
const signingSecret = env.SLACK_SIGNING_SECRET
if (!signingSecret) {
logger.error(`[${requestId}] SLACK_SIGNING_SECRET is not configured`)
return new NextResponse('Slack app not configured', { status: 500 })
}
const authError = verifySlackRequestSignature(signingSecret, request, rawBody, requestId)
if (authError) {
return authError
}
const payload = body as Record<string, unknown>
// Route by the installed workspace(s). For Slack Connect the outer `team_id`
// may be the sender's workspace, so every authorized installation is a
// routing candidate. Team ids are Slack-attested (post-signature), never user
// input.
const teamIds = new Set<string>()
if (typeof payload.team_id === 'string' && payload.team_id.length > 0) {
teamIds.add(payload.team_id)
}
const authorizations = Array.isArray(payload.authorizations) ? payload.authorizations : []
for (const authorization of authorizations) {
const teamId = (authorization as Record<string, unknown>)?.team_id
if (typeof teamId === 'string' && teamId.length > 0) {
teamIds.add(teamId)
}
}
// Interactivity payloads (block_actions / view_submission) carry no top-level
// `team_id` / `authorizations`; the install/context workspace is at
// `payload.team.id`. Route on that ONLY — never `payload.user.team_id`, which
// in Slack Connect can be a different (external) tenant. Slack-attested,
// post-signature, so not user-forgeable.
if (teamIds.size === 0) {
const interactionTeamId = (payload.team as Record<string, unknown> | undefined)?.id
if (typeof interactionTeamId === 'string' && interactionTeamId.length > 0) {
teamIds.add(interactionTeamId)
}
}
if (teamIds.size === 0) {
logger.warn(`[${requestId}] Slack event missing team_id`)
return new NextResponse(null, { status: 200 })
}
const webhooksById = new Map<string, { webhook: any; workflow: any }>()
for (const teamId of teamIds) {
const found = await findWebhooksByRoutingKey(teamId, requestId)
for (const entry of found) {
webhooksById.set(entry.webhook.id, entry)
}
}
const webhooks = [...webhooksById.values()]
if (webhooks.length === 0) {
return new NextResponse(null, { status: 200 })
}
await dispatchSlackWebhooks(webhooks, { body, request, requestId, receivedAt })
return new NextResponse(null, { status: 200 })
}
@@ -0,0 +1,116 @@
/**
* @vitest-environment node
*/
import crypto from 'node:crypto'
import { NextRequest } from 'next/server'
import { beforeEach, describe, expect, it, vi } from 'vitest'
const { mockEnqueue, mockExecuteTikTokWebhookIngress, mockRelease } = vi.hoisted(() => ({
mockEnqueue: vi.fn(),
mockExecuteTikTokWebhookIngress: vi.fn(),
mockRelease: vi.fn(),
}))
vi.mock('@/background/tiktok-webhook-ingress', () => ({
executeTikTokWebhookIngress: mockExecuteTikTokWebhookIngress,
TIKTOK_WEBHOOK_INGRESS_CONCURRENCY_LIMIT: 50,
TIKTOK_WEBHOOK_INGRESS_MAX_ATTEMPTS: 3,
}))
vi.mock('@/lib/core/admission/gate', () => ({
admissionRejectedResponse: vi.fn(() => new Response(null, { status: 503 })),
tryAdmit: vi.fn(() => ({ release: mockRelease })),
}))
vi.mock('@/lib/core/async-jobs', () => ({
getJobQueue: vi.fn(async () => ({ enqueue: mockEnqueue })),
}))
vi.mock('@/lib/core/config/env', () => ({
env: {
TIKTOK_CLIENT_ID: 'client-key',
TIKTOK_CLIENT_SECRET: 'client-secret',
},
}))
vi.mock('@/lib/core/utils/request', () => ({
generateRequestId: vi.fn(() => 'request-1'),
}))
vi.mock('@/lib/core/utils/with-route-handler', () => ({
withRouteHandler:
(handler: (request: NextRequest) => Promise<Response>) => (request: NextRequest) =>
handler(request),
}))
import { POST } from '@/app/api/webhooks/tiktok/route'
function signedRequest(overrides?: { clientKey?: string }): NextRequest {
const body = JSON.stringify({
client_key: overrides?.clientKey ?? 'client-key',
event: 'post.publish.complete',
create_time: 1_725_000_000,
user_openid: 'act.user',
content: '{"publish_id":"publish-1"}',
})
const timestamp = String(Math.floor(Date.now() / 1000))
const signature = crypto
.createHmac('sha256', 'client-secret')
.update(`${timestamp}.${body}`, 'utf8')
.digest('hex')
return new NextRequest('http://localhost/api/webhooks/tiktok', {
method: 'POST',
headers: {
'content-type': 'application/json',
'TikTok-Signature': `t=${timestamp},s=${signature}`,
},
body,
})
}
describe('TikTok webhook ingress route', () => {
beforeEach(() => {
vi.clearAllMocks()
mockEnqueue.mockResolvedValue('ingress-job-1')
})
it('returns 200 only after the verified delivery is accepted by the job queue', async () => {
const response = await POST(signedRequest())
expect(response.status).toBe(200)
await expect(response.json()).resolves.toEqual({ ok: true })
expect(mockEnqueue).toHaveBeenCalledWith(
'tiktok-webhook-ingress',
expect.objectContaining({
envelope: expect.objectContaining({
client_key: 'client-key',
user_openid: 'act.user',
}),
requestId: 'request-1',
}),
expect.objectContaining({
maxAttempts: 3,
runner: expect.any(Function),
})
)
expect(mockRelease).toHaveBeenCalledOnce()
})
it('returns 503 when durable acceptance fails so TikTok retries', async () => {
mockEnqueue.mockRejectedValue(new Error('queue unavailable'))
const response = await POST(signedRequest())
expect(response.status).toBe(503)
expect(mockRelease).toHaveBeenCalledOnce()
})
it('rejects a signed delivery for a different TikTok app', async () => {
const response = await POST(signedRequest({ clientKey: 'other-client-key' }))
expect(response.status).toBe(401)
expect(mockEnqueue).not.toHaveBeenCalled()
})
})
+135
View File
@@ -0,0 +1,135 @@
import { createLogger } from '@sim/logger'
import { getErrorMessage } from '@sim/utils/errors'
import { type NextRequest, NextResponse } from 'next/server'
import { tiktokWebhookEnvelopeSchema } from '@/lib/api/contracts/webhooks'
import { admissionRejectedResponse, tryAdmit } from '@/lib/core/admission/gate'
import { getJobQueue } from '@/lib/core/async-jobs'
import { env } from '@/lib/core/config/env'
import { generateRequestId } from '@/lib/core/utils/request'
import {
assertContentLengthWithinLimit,
isPayloadSizeLimitError,
readStreamToBufferWithLimit,
} from '@/lib/core/utils/stream-limits'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import { WEBHOOK_MAX_BODY_BYTES } from '@/lib/webhooks/constants'
import { verifyTikTokSignature } from '@/lib/webhooks/providers/tiktok'
import {
executeTikTokWebhookIngress,
TIKTOK_WEBHOOK_INGRESS_CONCURRENCY_LIMIT,
TIKTOK_WEBHOOK_INGRESS_MAX_ATTEMPTS,
type TikTokWebhookIngressPayload,
} from '@/background/tiktok-webhook-ingress'
const logger = createLogger('TikTokWebhookIngress')
const TIKTOK_BODY_LABEL = 'TikTok webhook body'
export const dynamic = 'force-dynamic'
export const runtime = 'nodejs'
export const maxDuration = 60
async function readTikTokBody(req: Request): Promise<string> {
assertContentLengthWithinLimit(req.headers, WEBHOOK_MAX_BODY_BYTES, TIKTOK_BODY_LABEL)
const buffer = await readStreamToBufferWithLimit(req.body, {
maxBytes: WEBHOOK_MAX_BODY_BYTES,
label: TIKTOK_BODY_LABEL,
})
return new TextDecoder().decode(buffer)
}
/**
* App-level TikTok webhook Callback URL.
* Portal: `{APP_URL}/api/webhooks/tiktok` (e.g. https://www.sim.ai/api/webhooks/tiktok).
* Verifies TikTok-Signature and durably accepts the delivery before background target fanout.
*/
export const POST = withRouteHandler(async (request: NextRequest) => {
const ticket = tryAdmit()
if (!ticket) {
return admissionRejectedResponse()
}
const requestId = generateRequestId()
const receivedAt = Date.now()
try {
let rawBody: string
try {
rawBody = await readTikTokBody(request)
} catch (bodyError) {
if (isPayloadSizeLimitError(bodyError)) {
logger.warn(`[${requestId}] Rejected oversized TikTok webhook body`, {
maxBytes: WEBHOOK_MAX_BODY_BYTES,
observedBytes: bodyError.observedBytes,
})
return NextResponse.json({ error: 'Request body too large' }, { status: 413 })
}
throw bodyError
}
const authError = verifyTikTokSignature(
rawBody,
request.headers.get('TikTok-Signature'),
requestId
)
if (authError) {
return authError
}
let parsedJson: unknown
try {
parsedJson = rawBody ? JSON.parse(rawBody) : {}
} catch {
logger.warn(`[${requestId}] TikTok webhook body is not valid JSON`)
// Ack to avoid retry storms on malformed payloads after a valid signature.
return NextResponse.json({ ok: true })
}
const envelopeResult = tiktokWebhookEnvelopeSchema.safeParse(parsedJson)
if (!envelopeResult.success) {
logger.warn(`[${requestId}] Invalid TikTok webhook envelope`, {
issues: envelopeResult.error.issues,
})
return NextResponse.json({ ok: true })
}
const envelope = envelopeResult.data
if (!env.TIKTOK_CLIENT_ID || envelope.client_key !== env.TIKTOK_CLIENT_ID) {
logger.warn(`[${requestId}] TikTok webhook client_key does not match configured app`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const payload: TikTokWebhookIngressPayload = {
envelope,
headers: {
'content-type': request.headers.get('content-type') ?? 'application/json',
},
requestId,
receivedAt,
}
const jobQueue = await getJobQueue()
const jobId = await jobQueue.enqueue('tiktok-webhook-ingress', payload, {
maxAttempts: TIKTOK_WEBHOOK_INGRESS_MAX_ATTEMPTS,
concurrencyKey: 'tiktok-webhook-ingress',
concurrencyLimit: TIKTOK_WEBHOOK_INGRESS_CONCURRENCY_LIMIT,
runner: async () => {
await executeTikTokWebhookIngress(payload)
},
})
logger.info(`[${requestId}] Accepted TikTok webhook delivery`, {
event: envelope.event,
jobId,
userOpenIdPrefix: envelope.user_openid.slice(0, 12),
})
return NextResponse.json({ ok: true })
} catch (error) {
logger.error(`[${requestId}] TikTok webhook ingress error`, {
error: getErrorMessage(error, 'Unknown error'),
})
return NextResponse.json({ error: 'Temporarily unable to accept webhook' }, { status: 503 })
} finally {
ticket.release()
}
})
@@ -0,0 +1,953 @@
/**
* Integration tests for webhook trigger API route
*
* @vitest-environment node
*/
import {
createMockRequest,
encryptionMock,
executionPreprocessingMock,
executionPreprocessingMockFns,
loggingSessionMock,
workflowsPersistenceUtilsMock,
workflowsPersistenceUtilsMockFns,
workflowsUtilsMock,
} from '@sim/testing'
import { beforeEach, describe, expect, it, vi } from 'vitest'
vi.mock('@/lib/core/security/encryption', () => encryptionMock)
vi.mock('@/lib/logs/execution/trace-spans/trace-spans', () => ({
buildTraceSpans: vi.fn().mockReturnValue({ traceSpans: [], totalDuration: 100 }),
}))
vi.mock('@/lib/workflows/utils', () => workflowsUtilsMock)
vi.mock('@/serializer', () => ({
Serializer: vi.fn().mockImplementation(() => ({
serializeWorkflow: vi.fn().mockReturnValue({
version: '1.0',
blocks: [
{
id: 'starter-id',
metadata: { id: 'starter', name: 'Start' },
config: {},
inputs: {},
outputs: {},
position: { x: 100, y: 100 },
enabled: true,
},
{
id: 'agent-id',
metadata: { id: 'agent', name: 'Agent 1' },
config: {},
inputs: {},
outputs: {},
position: { x: 634, y: -167 },
enabled: true,
},
],
edges: [
{
id: 'edge-1',
source: 'starter-id',
target: 'agent-id',
sourceHandle: 'source',
targetHandle: 'target',
},
],
loops: {},
parallels: {},
}),
})),
}))
/**
* Test data store - isolated per test via beforeEach reset
* This replaces the global mutable state pattern with local test data
*/
const testData = {
webhooks: [] as Array<{
id: string
provider: string
path: string
isActive: boolean
providerConfig?: Record<string, unknown>
workflowId: string
rateLimitCount?: number
rateLimitPeriod?: number
}>,
workflows: [] as Array<{
id: string
userId: string
workspaceId?: string
}>,
}
const {
generateRequestHashMock,
validateSlackSignatureMock,
handleWhatsAppVerificationMock,
handleSlackChallengeMock,
processWhatsAppDeduplicationMock,
processGenericDeduplicationMock,
processWebhookMock,
executeMock,
getWorkspaceBilledAccountUserIdMock,
queueWebhookExecutionMock,
dispatchResolvedWebhookTargetMock,
isWorkspaceApiExecutionEntitledMock,
} = vi.hoisted(() => ({
generateRequestHashMock: vi.fn().mockResolvedValue('test-hash-123'),
validateSlackSignatureMock: vi.fn().mockResolvedValue(true),
handleWhatsAppVerificationMock: vi.fn().mockResolvedValue(null),
handleSlackChallengeMock: vi.fn().mockReturnValue(null),
processWhatsAppDeduplicationMock: vi.fn().mockResolvedValue(null),
processGenericDeduplicationMock: vi.fn().mockResolvedValue(null),
processWebhookMock: vi.fn().mockResolvedValue(new Response('Webhook processed', { status: 200 })),
executeMock: vi.fn().mockResolvedValue({
success: true,
output: { response: 'Webhook execution success' },
logs: [],
metadata: {
duration: 100,
startTime: new Date().toISOString(),
endTime: new Date().toISOString(),
},
}),
getWorkspaceBilledAccountUserIdMock: vi
.fn()
.mockImplementation(async (workspaceId: string | null | undefined) =>
workspaceId ? 'test-user-id' : null
),
queueWebhookExecutionMock: vi.fn().mockImplementation(async () => {
const { NextResponse } = await import('next/server')
return NextResponse.json({ message: 'Webhook processed' })
}),
dispatchResolvedWebhookTargetMock: vi.fn(),
isWorkspaceApiExecutionEntitledMock: vi.fn().mockResolvedValue(true),
}))
vi.mock('@/lib/billing/core/api-access', () => ({
API_EXECUTION_REQUIRES_PAID_PLAN_MESSAGE: 'paid plan required',
isWorkspaceApiExecutionEntitled: isWorkspaceApiExecutionEntitledMock,
}))
vi.mock('@trigger.dev/sdk', () => ({
tasks: {
trigger: vi.fn().mockResolvedValue({ id: 'mock-task-id' }),
},
task: vi.fn().mockReturnValue({}),
}))
vi.mock('@/background/webhook-execution', () => ({
executeWebhookJob: vi.fn().mockResolvedValue({
success: true,
workflowId: 'test-workflow-id',
executionId: 'test-exec-id',
output: {},
executedAt: new Date().toISOString(),
}),
}))
vi.mock('@/background/logs-webhook-delivery', () => ({
logsWebhookDelivery: {},
}))
vi.mock('@/lib/webhooks/utils', () => ({
handleWhatsAppVerification: handleWhatsAppVerificationMock,
handleSlackChallenge: handleSlackChallengeMock,
processWhatsAppDeduplication: processWhatsAppDeduplicationMock,
processGenericDeduplication: processGenericDeduplicationMock,
processWebhook: processWebhookMock,
}))
vi.mock('@/app/api/webhooks/utils', () => ({
generateRequestHash: generateRequestHashMock,
validateSlackSignature: validateSlackSignatureMock,
}))
vi.mock('@/executor', () => ({
Executor: vi.fn().mockImplementation(() => ({
execute: executeMock,
})),
}))
vi.mock('@/lib/execution/preprocessing', () => executionPreprocessingMock)
vi.mock('@/lib/logs/execution/logging-session', () => loggingSessionMock)
vi.mock('@/lib/workspaces/utils', () => ({
getWorkspaceBillingSettings: vi.fn().mockResolvedValue(null),
getWorkspaceBilledAccountUserId: getWorkspaceBilledAccountUserIdMock,
}))
vi.mock('@/lib/core/rate-limiter', () => ({
RateLimiter: vi.fn().mockImplementation(() => ({
checkRateLimit: vi.fn().mockResolvedValue({
allowed: true,
remaining: 10,
resetAt: new Date(),
}),
})),
RateLimitError: class RateLimitError extends Error {
constructor(
message: string,
public statusCode = 429
) {
super(message)
this.name = 'RateLimitError'
}
},
}))
vi.mock('@/lib/workflows/persistence/utils', () => workflowsPersistenceUtilsMock)
vi.mock('@/lib/webhooks/processor', () => ({
findAllWebhooksForPath: vi.fn().mockImplementation(async (options: { path: string }) => {
// Filter webhooks by path from testData
const matchingWebhooks = testData.webhooks.filter(
(wh) => wh.path === options.path && wh.isActive
)
if (matchingWebhooks.length === 0) {
return []
}
// Return array of {webhook, workflow} objects
return matchingWebhooks.map((wh) => {
const matchingWorkflow = testData.workflows.find((w) => w.id === wh.workflowId) || {
id: wh.workflowId || 'test-workflow-id',
userId: 'test-user-id',
workspaceId: 'test-workspace-id',
}
return {
webhook: wh,
workflow: matchingWorkflow,
}
})
}),
parseWebhookBody: vi.fn().mockImplementation(async (request: any) => {
try {
const cloned = request.clone()
const rawBody = await cloned.text()
const body = rawBody ? JSON.parse(rawBody) : {}
return { body, rawBody }
} catch {
return { body: {}, rawBody: '' }
}
}),
handleProviderChallenges: vi.fn().mockResolvedValue(null),
handlePreLookupWebhookVerification: vi
.fn()
.mockImplementation(
async (
method: string,
body: Record<string, unknown> | undefined,
_requestId: string,
path: string
) => {
if (path !== 'pending-verification-path') {
return null
}
const isVerificationProbe =
method === 'GET' ||
method === 'HEAD' ||
(method === 'POST' && (!body || Object.keys(body).length === 0 || !body.type))
if (!isVerificationProbe) {
return null
}
const { NextResponse } = require('next/server')
return NextResponse.json({ status: 'ok', message: 'Webhook endpoint verified' })
}
),
handleProviderReachabilityTest: vi.fn().mockReturnValue(null),
dispatchResolvedWebhookTarget: dispatchResolvedWebhookTargetMock.mockImplementation(
async (
foundWebhook: unknown,
foundWorkflow: unknown,
body: unknown,
request: unknown,
options: unknown
) => ({
outcome: 'queued',
reason: 'queued',
response: await queueWebhookExecutionMock(
foundWebhook,
foundWorkflow,
body,
request,
options
),
})
),
verifyProviderAuth: vi
.fn()
.mockImplementation(
async (
foundWebhook: any,
_foundWorkflow: any,
request: any,
_rawBody: string,
_requestId: string
) => {
// Implement generic webhook auth verification for tests
if (foundWebhook.provider === 'generic') {
const providerConfig = foundWebhook.providerConfig || {}
if (providerConfig.requireAuth) {
const configToken = providerConfig.token
const secretHeaderName = providerConfig.secretHeaderName
if (configToken) {
let isTokenValid = false
if (secretHeaderName) {
// Custom header auth
const headerValue = request.headers.get(secretHeaderName.toLowerCase())
if (headerValue === configToken) {
isTokenValid = true
}
} else {
// Bearer token auth
const authHeader = request.headers.get('authorization')
if (authHeader?.toLowerCase().startsWith('bearer ')) {
const token = authHeader.substring(7)
if (token === configToken) {
isTokenValid = true
}
}
}
if (!isTokenValid) {
const { NextResponse } = await import('next/server')
return new NextResponse('Unauthorized - Invalid authentication token', {
status: 401,
})
}
} else {
// Auth required but no token configured
const { NextResponse } = await import('next/server')
return new NextResponse('Unauthorized - Authentication required but not configured', {
status: 401,
})
}
}
}
return null
}
),
checkWebhookPreprocessing: vi.fn().mockResolvedValue({
error: null,
actorUserId: 'test-user-id',
executionId: 'preprocess-execution-id',
correlation: {
executionId: 'preprocess-execution-id',
requestId: 'mock-request-id',
source: 'webhook',
workflowId: 'test-workflow-id',
webhookId: 'generic-webhook-id',
path: 'test-path',
provider: 'generic',
triggerType: 'webhook',
},
}),
formatProviderErrorResponse: vi.fn().mockImplementation((_webhook, error, status) => {
const { NextResponse } = require('next/server')
return NextResponse.json({ error }, { status })
}),
shouldSkipWebhookEvent: vi.fn().mockReturnValue(false),
handlePreDeploymentVerification: vi.fn().mockReturnValue(null),
}))
vi.mock('drizzle-orm/postgres-js', () => ({
drizzle: vi.fn().mockReturnValue({}),
}))
vi.mock('postgres', () => vi.fn().mockReturnValue({}))
process.env.DATABASE_URL = 'postgresql://test:test@localhost:5432/test'
import { GET, POST } from '@/app/api/webhooks/trigger/[path]/route'
describe('Webhook Trigger API Route', () => {
beforeEach(() => {
vi.clearAllMocks()
// Reset test data arrays
testData.webhooks.length = 0
testData.workflows.length = 0
executionPreprocessingMockFns.mockPreprocessExecution.mockResolvedValue({
success: true,
actorUserId: 'test-user-id',
workflowRecord: {
id: 'test-workflow-id',
userId: 'test-user-id',
isDeployed: true,
workspaceId: 'test-workspace-id',
},
userSubscription: {
plan: 'pro',
status: 'active',
},
rateLimitInfo: {
allowed: true,
remaining: 100,
resetAt: new Date(),
},
})
workflowsPersistenceUtilsMockFns.mockLoadWorkflowFromNormalizedTables.mockResolvedValue({
blocks: {},
edges: [],
loops: {},
parallels: {},
isFromNormalizedTables: true,
})
workflowsPersistenceUtilsMockFns.mockBlockExistsInDeployment.mockResolvedValue(true)
isWorkspaceApiExecutionEntitledMock.mockResolvedValue(true)
// Set up default workflow for tests
testData.workflows.push({
id: 'test-workflow-id',
userId: 'test-user-id',
workspaceId: 'test-workspace-id',
})
handleWhatsAppVerificationMock.mockResolvedValue(null)
processGenericDeduplicationMock.mockResolvedValue(null)
processWebhookMock.mockResolvedValue(new Response('Webhook processed', { status: 200 }))
})
it('should handle 404 for non-existent webhooks', async () => {
const req = createMockRequest('POST', { type: 'event.test' })
const params = Promise.resolve({ path: 'non-existent-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(404)
const text = await response.text()
expect(text).toMatch(/not found/i)
})
it('should return 405 for GET requests on unknown webhook paths', async () => {
const req = createMockRequest(
'GET',
undefined,
{},
'http://localhost:3000/api/webhooks/trigger/non-existent-path'
)
const params = Promise.resolve({ path: 'non-existent-path' })
const response = await GET(req as any, { params })
expect(response.status).toBe(405)
})
it('should return 200 for GET verification probes on registered pending paths', async () => {
const req = createMockRequest(
'GET',
undefined,
{},
'http://localhost:3000/api/webhooks/trigger/pending-verification-path'
)
const params = Promise.resolve({ path: 'pending-verification-path' })
const response = await GET(req as any, { params })
expect(response.status).toBe(200)
await expect(response.json()).resolves.toMatchObject({
status: 'ok',
message: 'Webhook endpoint verified',
})
})
it('should return 200 for empty POST verification probes on registered pending paths', async () => {
const req = createMockRequest(
'POST',
undefined,
{},
'http://localhost:3000/api/webhooks/trigger/pending-verification-path'
)
const params = Promise.resolve({ path: 'pending-verification-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(200)
await expect(response.json()).resolves.toMatchObject({
status: 'ok',
message: 'Webhook endpoint verified',
})
})
it('should return 404 for POST requests without type on unknown webhook paths', async () => {
const req = createMockRequest('POST', { event: 'test' })
const params = Promise.resolve({ path: 'non-existent-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(404)
const text = await response.text()
expect(text).toMatch(/not found/i)
})
describe('Non-path trigger providers', () => {
it.each(['sim', 'table', 'tiktok'])(
'rejects HTTP deliveries to %s trigger paths with 404',
async (provider) => {
testData.webhooks.push({
id: `${provider}-webhook-id`,
provider,
path: 'internal-path',
isActive: true,
providerConfig: { eventType: 'execution_error' },
workflowId: 'test-workflow-id',
})
const req = createMockRequest('POST', { event: 'execution_error', forged: true })
const params = Promise.resolve({ path: 'internal-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(404)
expect(queueWebhookExecutionMock).not.toHaveBeenCalled()
}
)
it('does not affect normal provider paths', async () => {
testData.webhooks.push({
id: 'generic-webhook-id',
provider: 'generic',
path: 'normal-path',
isActive: true,
providerConfig: { requireAuth: false },
workflowId: 'test-workflow-id',
})
const req = createMockRequest('POST', { event: 'test' })
const params = Promise.resolve({ path: 'normal-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(200)
expect(queueWebhookExecutionMock).toHaveBeenCalledOnce()
})
})
describe('Generic Webhook Authentication', () => {
it('passes request context into shared webhook dispatch', async () => {
testData.webhooks.push({
id: 'generic-webhook-id',
provider: 'generic',
path: 'test-path',
isActive: true,
providerConfig: { requireAuth: false },
workflowId: 'test-workflow-id',
})
const req = createMockRequest('POST', { event: 'test', id: 'test-123' })
const params = Promise.resolve({ path: 'test-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(200)
expect(queueWebhookExecutionMock).toHaveBeenCalledOnce()
const call = dispatchResolvedWebhookTargetMock.mock.calls[0]
expect(call[0]).toEqual(expect.objectContaining({ id: 'generic-webhook-id' }))
expect(call[1]).toEqual(expect.objectContaining({ id: 'test-workflow-id' }))
expect(call[2]).toEqual(expect.objectContaining({ event: 'test', id: 'test-123' }))
expect(call[4]).toEqual(
expect.objectContaining({
requestId: 'mock-request-id',
path: 'test-path',
})
)
})
it('should process generic webhook without authentication', async () => {
testData.webhooks.push({
id: 'generic-webhook-id',
provider: 'generic',
path: 'test-path',
isActive: true,
providerConfig: { requireAuth: false },
workflowId: 'test-workflow-id',
rateLimitCount: 100,
rateLimitPeriod: 60,
})
testData.workflows.push({
id: 'test-workflow-id',
userId: 'test-user-id',
workspaceId: 'test-workspace-id',
})
const req = createMockRequest('POST', { event: 'test', id: 'test-123' })
const params = Promise.resolve({ path: 'test-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(200)
const data = await response.json()
expect(data.message).toBe('Webhook processed')
})
it('blocks a generic webhook when the workspace is on the free plan', async () => {
testData.webhooks.push({
id: 'generic-webhook-id',
provider: 'generic',
path: 'test-path',
isActive: true,
providerConfig: { requireAuth: false },
workflowId: 'test-workflow-id',
rateLimitCount: 100,
rateLimitPeriod: 60,
})
testData.workflows.push({
id: 'test-workflow-id',
userId: 'test-user-id',
workspaceId: 'test-workspace-id',
})
isWorkspaceApiExecutionEntitledMock.mockResolvedValueOnce(false)
const req = createMockRequest('POST', { event: 'test', id: 'test-123' })
const params = Promise.resolve({ path: 'test-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(402)
})
it('returns 402 (not 500) when every webhook in a shared path is generic and free', async () => {
testData.webhooks.push(
{
id: 'generic-webhook-a',
provider: 'generic',
path: 'test-path',
isActive: true,
providerConfig: { requireAuth: false },
workflowId: 'test-workflow-id',
rateLimitCount: 100,
rateLimitPeriod: 60,
},
{
id: 'generic-webhook-b',
provider: 'generic',
path: 'test-path',
isActive: true,
providerConfig: { requireAuth: false },
workflowId: 'test-workflow-id',
rateLimitCount: 100,
rateLimitPeriod: 60,
}
)
testData.workflows.push({
id: 'test-workflow-id',
userId: 'test-user-id',
workspaceId: 'test-workspace-id',
})
isWorkspaceApiExecutionEntitledMock.mockResolvedValue(false)
const req = createMockRequest('POST', { event: 'test', id: 'test-123' })
const params = Promise.resolve({ path: 'test-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(402)
})
it('should authenticate with Bearer token when no custom header is configured', async () => {
testData.webhooks.push({
id: 'generic-webhook-id',
provider: 'generic',
path: 'test-path',
isActive: true,
providerConfig: { requireAuth: true, token: 'test-token-123' },
workflowId: 'test-workflow-id',
})
testData.workflows.push({
id: 'test-workflow-id',
userId: 'test-user-id',
workspaceId: 'test-workspace-id',
})
const headers = {
'Content-Type': 'application/json',
Authorization: 'Bearer test-token-123',
}
const req = createMockRequest('POST', { event: 'bearer.test' }, headers)
const params = Promise.resolve({ path: 'test-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(200)
})
it('should authenticate with custom header when configured', async () => {
testData.webhooks.push({
id: 'generic-webhook-id',
provider: 'generic',
path: 'test-path',
isActive: true,
providerConfig: {
requireAuth: true,
token: 'secret-token-456',
secretHeaderName: 'X-Custom-Auth',
},
workflowId: 'test-workflow-id',
})
testData.workflows.push({
id: 'test-workflow-id',
userId: 'test-user-id',
workspaceId: 'test-workspace-id',
})
const headers = {
'Content-Type': 'application/json',
'X-Custom-Auth': 'secret-token-456',
}
const req = createMockRequest('POST', { event: 'custom.header.test' }, headers)
const params = Promise.resolve({ path: 'test-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(200)
})
it('should handle case insensitive Bearer token authentication', async () => {
testData.webhooks.push({
id: 'generic-webhook-id',
provider: 'generic',
path: 'test-path',
isActive: true,
providerConfig: { requireAuth: true, token: 'case-test-token' },
workflowId: 'test-workflow-id',
})
testData.workflows.push({
id: 'test-workflow-id',
userId: 'test-user-id',
workspaceId: 'test-workspace-id',
})
const testCases = [
'Bearer case-test-token',
'bearer case-test-token',
'BEARER case-test-token',
'BeArEr case-test-token',
]
for (const authHeader of testCases) {
const headers = {
'Content-Type': 'application/json',
Authorization: authHeader,
}
const req = createMockRequest('POST', { event: 'case.test' }, headers)
const params = Promise.resolve({ path: 'test-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(200)
}
})
it('should handle case insensitive custom header authentication', async () => {
testData.webhooks.push({
id: 'generic-webhook-id',
provider: 'generic',
path: 'test-path',
isActive: true,
providerConfig: {
requireAuth: true,
token: 'custom-token-789',
secretHeaderName: 'X-Secret-Key',
},
workflowId: 'test-workflow-id',
})
testData.workflows.push({
id: 'test-workflow-id',
userId: 'test-user-id',
workspaceId: 'test-workspace-id',
})
const testCases = ['X-Secret-Key', 'x-secret-key', 'X-SECRET-KEY', 'x-Secret-Key']
for (const headerName of testCases) {
const headers = {
'Content-Type': 'application/json',
[headerName]: 'custom-token-789',
}
const req = createMockRequest('POST', { event: 'custom.case.test' }, headers)
const params = Promise.resolve({ path: 'test-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(200)
}
})
it('should reject wrong Bearer token', async () => {
testData.webhooks.push({
id: 'generic-webhook-id',
provider: 'generic',
path: 'test-path',
isActive: true,
providerConfig: { requireAuth: true, token: 'correct-token' },
workflowId: 'test-workflow-id',
})
const headers = {
'Content-Type': 'application/json',
Authorization: 'Bearer wrong-token',
}
const req = createMockRequest('POST', { event: 'wrong.token.test' }, headers)
const params = Promise.resolve({ path: 'test-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(401)
expect(await response.text()).toContain('Unauthorized - Invalid authentication token')
expect(processWebhookMock).not.toHaveBeenCalled()
})
it('should reject wrong custom header token', async () => {
testData.webhooks.push({
id: 'generic-webhook-id',
provider: 'generic',
path: 'test-path',
isActive: true,
providerConfig: {
requireAuth: true,
token: 'correct-custom-token',
secretHeaderName: 'X-Auth-Key',
},
workflowId: 'test-workflow-id',
})
const headers = {
'Content-Type': 'application/json',
'X-Auth-Key': 'wrong-custom-token',
}
const req = createMockRequest('POST', { event: 'wrong.custom.test' }, headers)
const params = Promise.resolve({ path: 'test-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(401)
expect(await response.text()).toContain('Unauthorized - Invalid authentication token')
expect(processWebhookMock).not.toHaveBeenCalled()
})
it('should reject missing authentication when required', async () => {
testData.webhooks.push({
id: 'generic-webhook-id',
provider: 'generic',
path: 'test-path',
isActive: true,
providerConfig: { requireAuth: true, token: 'required-token' },
workflowId: 'test-workflow-id',
})
const req = createMockRequest('POST', { event: 'no.auth.test' })
const params = Promise.resolve({ path: 'test-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(401)
expect(await response.text()).toContain('Unauthorized - Invalid authentication token')
expect(processWebhookMock).not.toHaveBeenCalled()
})
it('should reject Bearer token when custom header is configured', async () => {
testData.webhooks.push({
id: 'generic-webhook-id',
provider: 'generic',
path: 'test-path',
isActive: true,
providerConfig: {
requireAuth: true,
token: 'exclusive-token',
secretHeaderName: 'X-Only-Header',
},
workflowId: 'test-workflow-id',
})
const headers = {
'Content-Type': 'application/json',
Authorization: 'Bearer exclusive-token',
}
const req = createMockRequest('POST', { event: 'exclusivity.test' }, headers)
const params = Promise.resolve({ path: 'test-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(401)
expect(await response.text()).toContain('Unauthorized - Invalid authentication token')
expect(processWebhookMock).not.toHaveBeenCalled()
})
it('should reject wrong custom header name', async () => {
testData.webhooks.push({
id: 'generic-webhook-id',
provider: 'generic',
path: 'test-path',
isActive: true,
providerConfig: {
requireAuth: true,
token: 'correct-token',
secretHeaderName: 'X-Expected-Header',
},
workflowId: 'test-workflow-id',
})
const headers = {
'Content-Type': 'application/json',
'X-Wrong-Header': 'correct-token',
}
const req = createMockRequest('POST', { event: 'wrong.header.name.test' }, headers)
const params = Promise.resolve({ path: 'test-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(401)
expect(await response.text()).toContain('Unauthorized - Invalid authentication token')
expect(processWebhookMock).not.toHaveBeenCalled()
})
it('should reject when auth is required but no token is configured', async () => {
testData.webhooks.push({
id: 'generic-webhook-id',
provider: 'generic',
path: 'test-path',
isActive: true,
providerConfig: { requireAuth: true },
workflowId: 'test-workflow-id',
})
testData.workflows.push({ id: 'test-workflow-id', userId: 'test-user-id' })
const headers = {
'Content-Type': 'application/json',
Authorization: 'Bearer any-token',
}
const req = createMockRequest('POST', { event: 'no.token.config.test' }, headers)
const params = Promise.resolve({ path: 'test-path' })
const response = await POST(req as any, { params })
expect(response.status).toBe(401)
expect(await response.text()).toContain(
'Unauthorized - Authentication required but not configured'
)
expect(processWebhookMock).not.toHaveBeenCalled()
})
})
})
@@ -0,0 +1,220 @@
import { createLogger } from '@sim/logger'
import { type NextRequest, NextResponse } from 'next/server'
import { webhookTriggerGetContract, webhookTriggerPostContract } from '@/lib/api/contracts/webhooks'
import { parseRequest } from '@/lib/api/server'
import {
API_EXECUTION_REQUIRES_PAID_PLAN_MESSAGE,
isWorkspaceApiExecutionEntitled,
} from '@/lib/billing/core/api-access'
import { admissionRejectedResponse, tryAdmit } from '@/lib/core/admission/gate'
import { generateRequestId } from '@/lib/core/utils/request'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import {
dispatchResolvedWebhookTarget,
findAllWebhooksForPath,
handlePreLookupWebhookVerification,
handleProviderChallenges,
handleProviderReachabilityTest,
parseWebhookBody,
verifyProviderAuth,
} from '@/lib/webhooks/processor'
import { acceptsPathWebhookDelivery } from '@/lib/webhooks/providers'
import { isInternalTriggerProvider } from '@/triggers/constants'
const logger = createLogger('WebhookTriggerAPI')
export const dynamic = 'force-dynamic'
export const runtime = 'nodejs'
export const maxDuration = 60
export const GET = withRouteHandler(
async (request: NextRequest, context: { params: Promise<{ path: string }> }) => {
const requestId = generateRequestId()
const parsed = await parseRequest(webhookTriggerGetContract, request, context)
if (!parsed.success) return parsed.response
const { path } = parsed.data.params
// Handle provider-specific GET verifications (Microsoft Graph, WhatsApp, etc.)
const challengeResponse = await handleProviderChallenges({}, request, requestId, path)
if (challengeResponse) {
return challengeResponse
}
return (
(await handlePreLookupWebhookVerification(request.method, undefined, requestId, path)) ||
new NextResponse('Method not allowed', { status: 405 })
)
}
)
export const POST = withRouteHandler(
async (request: NextRequest, context: { params: Promise<{ path: string }> }) => {
const ticket = tryAdmit()
if (!ticket) {
return admissionRejectedResponse()
}
try {
return await handleWebhookPost(request, context)
} finally {
ticket.release()
}
}
)
async function handleWebhookPost(
request: NextRequest,
context: { params: Promise<{ path: string }> }
): Promise<NextResponse> {
const receivedAt = Date.now()
/**
* Slack signs every interactive request with the originating interaction time.
* Capturing it lets the executor surface the true trigger_id age (the window
* that expires at 3s) instead of only the in-workflow block timings.
*/
const slackRequestTimestamp = request.headers.get('x-slack-request-timestamp')
const triggerTimestampMs = slackRequestTimestamp
? Number(slackRequestTimestamp) * 1000
: undefined
const requestId = generateRequestId()
const parsed = await parseRequest(webhookTriggerPostContract, request, context)
if (!parsed.success) return parsed.response
const { path } = parsed.data.params
const earlyChallenge = await handleProviderChallenges({}, request, requestId, path)
if (earlyChallenge) {
return earlyChallenge
}
const parseResult = await parseWebhookBody(request, requestId)
// Check if parseWebhookBody returned an error response
if (parseResult instanceof NextResponse) {
return parseResult
}
const { body, rawBody } = parseResult
const challengeResponse = await handleProviderChallenges(body, request, requestId, path, rawBody)
if (challengeResponse) {
return challengeResponse
}
// Find all webhooks for this path (multiple webhooks in one workflow may share a path)
const allWebhooksForPath = await findAllWebhooksForPath({ requestId, path })
/** Exclude in-process triggers and providers that own an app-level ingress route. */
const webhooksForPath = allWebhooksForPath.filter(
({ webhook: foundWebhook }) =>
!isInternalTriggerProvider(foundWebhook.provider) &&
acceptsPathWebhookDelivery(foundWebhook.provider)
)
if (allWebhooksForPath.length > 0 && webhooksForPath.length === 0) {
logger.warn(`[${requestId}] Rejected HTTP delivery to non-path trigger: ${path}`)
return new NextResponse('Not Found', { status: 404 })
}
if (webhooksForPath.length === 0) {
const verificationResponse = await handlePreLookupWebhookVerification(
request.method,
body as Record<string, unknown> | undefined,
requestId,
path
)
if (verificationResponse) {
return verificationResponse
}
logger.warn(`[${requestId}] Webhook or workflow not found for path: ${path}`)
return new NextResponse('Not Found', { status: 404 })
}
// Process each webhook matched on this path
const responses: NextResponse[] = []
let billingBlocked = false
for (const { webhook: foundWebhook, workflow: foundWorkflow } of webhooksForPath) {
// Generic ("custom") webhooks are an unauthenticated programmatic execution
// surface, so they fall under the same paid-plan gate as the API. Provider
// webhooks (slack, github, ...) are unaffected.
if (
foundWebhook.provider === 'generic' &&
!(await isWorkspaceApiExecutionEntitled(foundWorkflow.workspaceId))
) {
logger.warn(`[${requestId}] Generic webhook blocked: workspace on free plan`)
billingBlocked = true
if (webhooksForPath.length > 1) continue
return NextResponse.json({ error: API_EXECUTION_REQUIRES_PAID_PLAN_MESSAGE }, { status: 402 })
}
const authError = await verifyProviderAuth(
foundWebhook,
foundWorkflow,
request,
rawBody,
requestId
)
if (authError) {
if (webhooksForPath.length > 1) {
logger.warn(`[${requestId}] Auth failed for webhook ${foundWebhook.id}, continuing to next`)
continue
}
return authError
}
const reachabilityResponse = handleProviderReachabilityTest(foundWebhook, body, requestId)
if (reachabilityResponse) {
return reachabilityResponse
}
const dispatchResult = await dispatchResolvedWebhookTarget(
foundWebhook,
foundWorkflow,
body,
request,
{
requestId,
path,
receivedAt,
triggerTimestampMs: Number.isFinite(triggerTimestampMs) ? triggerTimestampMs : undefined,
}
)
if (dispatchResult.reason === 'filtered') {
continue
}
if (dispatchResult.outcome === 'failed' || dispatchResult.reason === 'block-missing') {
if (webhooksForPath.length > 1) {
logger.warn(
`[${requestId}] Webhook dispatch failed for ${foundWebhook.id}, continuing to next`,
{ reason: dispatchResult.reason, status: dispatchResult.response.status }
)
continue
}
return dispatchResult.response
}
responses.push(dispatchResult.response)
}
if (responses.length === 0) {
if (billingBlocked) {
return NextResponse.json({ error: API_EXECUTION_REQUIRES_PAID_PLAN_MESSAGE }, { status: 402 })
}
return new NextResponse('No webhooks processed successfully', { status: 500 })
}
if (responses.length === 1) {
return responses[0]
}
// For multiple webhooks, return success if at least one succeeded
logger.info(`[${requestId}] Processed ${responses.length} webhooks for path: ${path}`)
return NextResponse.json({
success: true,
webhooksProcessed: responses.length,
})
}