chore: import upstream snapshot with attribution
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,116 @@
|
||||
/**
|
||||
* @vitest-environment node
|
||||
*/
|
||||
|
||||
import crypto from 'node:crypto'
|
||||
import { NextRequest } from 'next/server'
|
||||
import { beforeEach, describe, expect, it, vi } from 'vitest'
|
||||
|
||||
const { mockEnqueue, mockExecuteTikTokWebhookIngress, mockRelease } = vi.hoisted(() => ({
|
||||
mockEnqueue: vi.fn(),
|
||||
mockExecuteTikTokWebhookIngress: vi.fn(),
|
||||
mockRelease: vi.fn(),
|
||||
}))
|
||||
|
||||
vi.mock('@/background/tiktok-webhook-ingress', () => ({
|
||||
executeTikTokWebhookIngress: mockExecuteTikTokWebhookIngress,
|
||||
TIKTOK_WEBHOOK_INGRESS_CONCURRENCY_LIMIT: 50,
|
||||
TIKTOK_WEBHOOK_INGRESS_MAX_ATTEMPTS: 3,
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/core/admission/gate', () => ({
|
||||
admissionRejectedResponse: vi.fn(() => new Response(null, { status: 503 })),
|
||||
tryAdmit: vi.fn(() => ({ release: mockRelease })),
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/core/async-jobs', () => ({
|
||||
getJobQueue: vi.fn(async () => ({ enqueue: mockEnqueue })),
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/core/config/env', () => ({
|
||||
env: {
|
||||
TIKTOK_CLIENT_ID: 'client-key',
|
||||
TIKTOK_CLIENT_SECRET: 'client-secret',
|
||||
},
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/core/utils/request', () => ({
|
||||
generateRequestId: vi.fn(() => 'request-1'),
|
||||
}))
|
||||
|
||||
vi.mock('@/lib/core/utils/with-route-handler', () => ({
|
||||
withRouteHandler:
|
||||
(handler: (request: NextRequest) => Promise<Response>) => (request: NextRequest) =>
|
||||
handler(request),
|
||||
}))
|
||||
|
||||
import { POST } from '@/app/api/webhooks/tiktok/route'
|
||||
|
||||
function signedRequest(overrides?: { clientKey?: string }): NextRequest {
|
||||
const body = JSON.stringify({
|
||||
client_key: overrides?.clientKey ?? 'client-key',
|
||||
event: 'post.publish.complete',
|
||||
create_time: 1_725_000_000,
|
||||
user_openid: 'act.user',
|
||||
content: '{"publish_id":"publish-1"}',
|
||||
})
|
||||
const timestamp = String(Math.floor(Date.now() / 1000))
|
||||
const signature = crypto
|
||||
.createHmac('sha256', 'client-secret')
|
||||
.update(`${timestamp}.${body}`, 'utf8')
|
||||
.digest('hex')
|
||||
|
||||
return new NextRequest('http://localhost/api/webhooks/tiktok', {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'content-type': 'application/json',
|
||||
'TikTok-Signature': `t=${timestamp},s=${signature}`,
|
||||
},
|
||||
body,
|
||||
})
|
||||
}
|
||||
|
||||
describe('TikTok webhook ingress route', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks()
|
||||
mockEnqueue.mockResolvedValue('ingress-job-1')
|
||||
})
|
||||
|
||||
it('returns 200 only after the verified delivery is accepted by the job queue', async () => {
|
||||
const response = await POST(signedRequest())
|
||||
|
||||
expect(response.status).toBe(200)
|
||||
await expect(response.json()).resolves.toEqual({ ok: true })
|
||||
expect(mockEnqueue).toHaveBeenCalledWith(
|
||||
'tiktok-webhook-ingress',
|
||||
expect.objectContaining({
|
||||
envelope: expect.objectContaining({
|
||||
client_key: 'client-key',
|
||||
user_openid: 'act.user',
|
||||
}),
|
||||
requestId: 'request-1',
|
||||
}),
|
||||
expect.objectContaining({
|
||||
maxAttempts: 3,
|
||||
runner: expect.any(Function),
|
||||
})
|
||||
)
|
||||
expect(mockRelease).toHaveBeenCalledOnce()
|
||||
})
|
||||
|
||||
it('returns 503 when durable acceptance fails so TikTok retries', async () => {
|
||||
mockEnqueue.mockRejectedValue(new Error('queue unavailable'))
|
||||
|
||||
const response = await POST(signedRequest())
|
||||
|
||||
expect(response.status).toBe(503)
|
||||
expect(mockRelease).toHaveBeenCalledOnce()
|
||||
})
|
||||
|
||||
it('rejects a signed delivery for a different TikTok app', async () => {
|
||||
const response = await POST(signedRequest({ clientKey: 'other-client-key' }))
|
||||
|
||||
expect(response.status).toBe(401)
|
||||
expect(mockEnqueue).not.toHaveBeenCalled()
|
||||
})
|
||||
})
|
||||
@@ -0,0 +1,135 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { getErrorMessage } from '@sim/utils/errors'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { tiktokWebhookEnvelopeSchema } from '@/lib/api/contracts/webhooks'
|
||||
import { admissionRejectedResponse, tryAdmit } from '@/lib/core/admission/gate'
|
||||
import { getJobQueue } from '@/lib/core/async-jobs'
|
||||
import { env } from '@/lib/core/config/env'
|
||||
import { generateRequestId } from '@/lib/core/utils/request'
|
||||
import {
|
||||
assertContentLengthWithinLimit,
|
||||
isPayloadSizeLimitError,
|
||||
readStreamToBufferWithLimit,
|
||||
} from '@/lib/core/utils/stream-limits'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import { WEBHOOK_MAX_BODY_BYTES } from '@/lib/webhooks/constants'
|
||||
import { verifyTikTokSignature } from '@/lib/webhooks/providers/tiktok'
|
||||
import {
|
||||
executeTikTokWebhookIngress,
|
||||
TIKTOK_WEBHOOK_INGRESS_CONCURRENCY_LIMIT,
|
||||
TIKTOK_WEBHOOK_INGRESS_MAX_ATTEMPTS,
|
||||
type TikTokWebhookIngressPayload,
|
||||
} from '@/background/tiktok-webhook-ingress'
|
||||
|
||||
const logger = createLogger('TikTokWebhookIngress')
|
||||
|
||||
const TIKTOK_BODY_LABEL = 'TikTok webhook body'
|
||||
|
||||
export const dynamic = 'force-dynamic'
|
||||
export const runtime = 'nodejs'
|
||||
export const maxDuration = 60
|
||||
|
||||
async function readTikTokBody(req: Request): Promise<string> {
|
||||
assertContentLengthWithinLimit(req.headers, WEBHOOK_MAX_BODY_BYTES, TIKTOK_BODY_LABEL)
|
||||
const buffer = await readStreamToBufferWithLimit(req.body, {
|
||||
maxBytes: WEBHOOK_MAX_BODY_BYTES,
|
||||
label: TIKTOK_BODY_LABEL,
|
||||
})
|
||||
return new TextDecoder().decode(buffer)
|
||||
}
|
||||
|
||||
/**
|
||||
* App-level TikTok webhook Callback URL.
|
||||
* Portal: `{APP_URL}/api/webhooks/tiktok` (e.g. https://www.sim.ai/api/webhooks/tiktok).
|
||||
* Verifies TikTok-Signature and durably accepts the delivery before background target fanout.
|
||||
*/
|
||||
export const POST = withRouteHandler(async (request: NextRequest) => {
|
||||
const ticket = tryAdmit()
|
||||
if (!ticket) {
|
||||
return admissionRejectedResponse()
|
||||
}
|
||||
|
||||
const requestId = generateRequestId()
|
||||
const receivedAt = Date.now()
|
||||
|
||||
try {
|
||||
let rawBody: string
|
||||
try {
|
||||
rawBody = await readTikTokBody(request)
|
||||
} catch (bodyError) {
|
||||
if (isPayloadSizeLimitError(bodyError)) {
|
||||
logger.warn(`[${requestId}] Rejected oversized TikTok webhook body`, {
|
||||
maxBytes: WEBHOOK_MAX_BODY_BYTES,
|
||||
observedBytes: bodyError.observedBytes,
|
||||
})
|
||||
return NextResponse.json({ error: 'Request body too large' }, { status: 413 })
|
||||
}
|
||||
throw bodyError
|
||||
}
|
||||
|
||||
const authError = verifyTikTokSignature(
|
||||
rawBody,
|
||||
request.headers.get('TikTok-Signature'),
|
||||
requestId
|
||||
)
|
||||
if (authError) {
|
||||
return authError
|
||||
}
|
||||
|
||||
let parsedJson: unknown
|
||||
try {
|
||||
parsedJson = rawBody ? JSON.parse(rawBody) : {}
|
||||
} catch {
|
||||
logger.warn(`[${requestId}] TikTok webhook body is not valid JSON`)
|
||||
// Ack to avoid retry storms on malformed payloads after a valid signature.
|
||||
return NextResponse.json({ ok: true })
|
||||
}
|
||||
|
||||
const envelopeResult = tiktokWebhookEnvelopeSchema.safeParse(parsedJson)
|
||||
if (!envelopeResult.success) {
|
||||
logger.warn(`[${requestId}] Invalid TikTok webhook envelope`, {
|
||||
issues: envelopeResult.error.issues,
|
||||
})
|
||||
return NextResponse.json({ ok: true })
|
||||
}
|
||||
|
||||
const envelope = envelopeResult.data
|
||||
if (!env.TIKTOK_CLIENT_ID || envelope.client_key !== env.TIKTOK_CLIENT_ID) {
|
||||
logger.warn(`[${requestId}] TikTok webhook client_key does not match configured app`)
|
||||
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
||||
}
|
||||
|
||||
const payload: TikTokWebhookIngressPayload = {
|
||||
envelope,
|
||||
headers: {
|
||||
'content-type': request.headers.get('content-type') ?? 'application/json',
|
||||
},
|
||||
requestId,
|
||||
receivedAt,
|
||||
}
|
||||
const jobQueue = await getJobQueue()
|
||||
const jobId = await jobQueue.enqueue('tiktok-webhook-ingress', payload, {
|
||||
maxAttempts: TIKTOK_WEBHOOK_INGRESS_MAX_ATTEMPTS,
|
||||
concurrencyKey: 'tiktok-webhook-ingress',
|
||||
concurrencyLimit: TIKTOK_WEBHOOK_INGRESS_CONCURRENCY_LIMIT,
|
||||
runner: async () => {
|
||||
await executeTikTokWebhookIngress(payload)
|
||||
},
|
||||
})
|
||||
|
||||
logger.info(`[${requestId}] Accepted TikTok webhook delivery`, {
|
||||
event: envelope.event,
|
||||
jobId,
|
||||
userOpenIdPrefix: envelope.user_openid.slice(0, 12),
|
||||
})
|
||||
|
||||
return NextResponse.json({ ok: true })
|
||||
} catch (error) {
|
||||
logger.error(`[${requestId}] TikTok webhook ingress error`, {
|
||||
error: getErrorMessage(error, 'Unknown error'),
|
||||
})
|
||||
return NextResponse.json({ error: 'Temporarily unable to accept webhook' }, { status: 503 })
|
||||
} finally {
|
||||
ticket.release()
|
||||
}
|
||||
})
|
||||
Reference in New Issue
Block a user