chore: import upstream snapshot with attribution
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled

This commit is contained in:
wehub-resource-sync
2026-07-13 13:20:55 +08:00
commit d25d482dc2
13754 changed files with 4996608 additions and 0 deletions
@@ -0,0 +1,116 @@
/**
* @vitest-environment node
*/
import crypto from 'node:crypto'
import { NextRequest } from 'next/server'
import { beforeEach, describe, expect, it, vi } from 'vitest'
const { mockEnqueue, mockExecuteTikTokWebhookIngress, mockRelease } = vi.hoisted(() => ({
mockEnqueue: vi.fn(),
mockExecuteTikTokWebhookIngress: vi.fn(),
mockRelease: vi.fn(),
}))
vi.mock('@/background/tiktok-webhook-ingress', () => ({
executeTikTokWebhookIngress: mockExecuteTikTokWebhookIngress,
TIKTOK_WEBHOOK_INGRESS_CONCURRENCY_LIMIT: 50,
TIKTOK_WEBHOOK_INGRESS_MAX_ATTEMPTS: 3,
}))
vi.mock('@/lib/core/admission/gate', () => ({
admissionRejectedResponse: vi.fn(() => new Response(null, { status: 503 })),
tryAdmit: vi.fn(() => ({ release: mockRelease })),
}))
vi.mock('@/lib/core/async-jobs', () => ({
getJobQueue: vi.fn(async () => ({ enqueue: mockEnqueue })),
}))
vi.mock('@/lib/core/config/env', () => ({
env: {
TIKTOK_CLIENT_ID: 'client-key',
TIKTOK_CLIENT_SECRET: 'client-secret',
},
}))
vi.mock('@/lib/core/utils/request', () => ({
generateRequestId: vi.fn(() => 'request-1'),
}))
vi.mock('@/lib/core/utils/with-route-handler', () => ({
withRouteHandler:
(handler: (request: NextRequest) => Promise<Response>) => (request: NextRequest) =>
handler(request),
}))
import { POST } from '@/app/api/webhooks/tiktok/route'
function signedRequest(overrides?: { clientKey?: string }): NextRequest {
const body = JSON.stringify({
client_key: overrides?.clientKey ?? 'client-key',
event: 'post.publish.complete',
create_time: 1_725_000_000,
user_openid: 'act.user',
content: '{"publish_id":"publish-1"}',
})
const timestamp = String(Math.floor(Date.now() / 1000))
const signature = crypto
.createHmac('sha256', 'client-secret')
.update(`${timestamp}.${body}`, 'utf8')
.digest('hex')
return new NextRequest('http://localhost/api/webhooks/tiktok', {
method: 'POST',
headers: {
'content-type': 'application/json',
'TikTok-Signature': `t=${timestamp},s=${signature}`,
},
body,
})
}
describe('TikTok webhook ingress route', () => {
beforeEach(() => {
vi.clearAllMocks()
mockEnqueue.mockResolvedValue('ingress-job-1')
})
it('returns 200 only after the verified delivery is accepted by the job queue', async () => {
const response = await POST(signedRequest())
expect(response.status).toBe(200)
await expect(response.json()).resolves.toEqual({ ok: true })
expect(mockEnqueue).toHaveBeenCalledWith(
'tiktok-webhook-ingress',
expect.objectContaining({
envelope: expect.objectContaining({
client_key: 'client-key',
user_openid: 'act.user',
}),
requestId: 'request-1',
}),
expect.objectContaining({
maxAttempts: 3,
runner: expect.any(Function),
})
)
expect(mockRelease).toHaveBeenCalledOnce()
})
it('returns 503 when durable acceptance fails so TikTok retries', async () => {
mockEnqueue.mockRejectedValue(new Error('queue unavailable'))
const response = await POST(signedRequest())
expect(response.status).toBe(503)
expect(mockRelease).toHaveBeenCalledOnce()
})
it('rejects a signed delivery for a different TikTok app', async () => {
const response = await POST(signedRequest({ clientKey: 'other-client-key' }))
expect(response.status).toBe(401)
expect(mockEnqueue).not.toHaveBeenCalled()
})
})
+135
View File
@@ -0,0 +1,135 @@
import { createLogger } from '@sim/logger'
import { getErrorMessage } from '@sim/utils/errors'
import { type NextRequest, NextResponse } from 'next/server'
import { tiktokWebhookEnvelopeSchema } from '@/lib/api/contracts/webhooks'
import { admissionRejectedResponse, tryAdmit } from '@/lib/core/admission/gate'
import { getJobQueue } from '@/lib/core/async-jobs'
import { env } from '@/lib/core/config/env'
import { generateRequestId } from '@/lib/core/utils/request'
import {
assertContentLengthWithinLimit,
isPayloadSizeLimitError,
readStreamToBufferWithLimit,
} from '@/lib/core/utils/stream-limits'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import { WEBHOOK_MAX_BODY_BYTES } from '@/lib/webhooks/constants'
import { verifyTikTokSignature } from '@/lib/webhooks/providers/tiktok'
import {
executeTikTokWebhookIngress,
TIKTOK_WEBHOOK_INGRESS_CONCURRENCY_LIMIT,
TIKTOK_WEBHOOK_INGRESS_MAX_ATTEMPTS,
type TikTokWebhookIngressPayload,
} from '@/background/tiktok-webhook-ingress'
const logger = createLogger('TikTokWebhookIngress')
const TIKTOK_BODY_LABEL = 'TikTok webhook body'
export const dynamic = 'force-dynamic'
export const runtime = 'nodejs'
export const maxDuration = 60
async function readTikTokBody(req: Request): Promise<string> {
assertContentLengthWithinLimit(req.headers, WEBHOOK_MAX_BODY_BYTES, TIKTOK_BODY_LABEL)
const buffer = await readStreamToBufferWithLimit(req.body, {
maxBytes: WEBHOOK_MAX_BODY_BYTES,
label: TIKTOK_BODY_LABEL,
})
return new TextDecoder().decode(buffer)
}
/**
* App-level TikTok webhook Callback URL.
* Portal: `{APP_URL}/api/webhooks/tiktok` (e.g. https://www.sim.ai/api/webhooks/tiktok).
* Verifies TikTok-Signature and durably accepts the delivery before background target fanout.
*/
export const POST = withRouteHandler(async (request: NextRequest) => {
const ticket = tryAdmit()
if (!ticket) {
return admissionRejectedResponse()
}
const requestId = generateRequestId()
const receivedAt = Date.now()
try {
let rawBody: string
try {
rawBody = await readTikTokBody(request)
} catch (bodyError) {
if (isPayloadSizeLimitError(bodyError)) {
logger.warn(`[${requestId}] Rejected oversized TikTok webhook body`, {
maxBytes: WEBHOOK_MAX_BODY_BYTES,
observedBytes: bodyError.observedBytes,
})
return NextResponse.json({ error: 'Request body too large' }, { status: 413 })
}
throw bodyError
}
const authError = verifyTikTokSignature(
rawBody,
request.headers.get('TikTok-Signature'),
requestId
)
if (authError) {
return authError
}
let parsedJson: unknown
try {
parsedJson = rawBody ? JSON.parse(rawBody) : {}
} catch {
logger.warn(`[${requestId}] TikTok webhook body is not valid JSON`)
// Ack to avoid retry storms on malformed payloads after a valid signature.
return NextResponse.json({ ok: true })
}
const envelopeResult = tiktokWebhookEnvelopeSchema.safeParse(parsedJson)
if (!envelopeResult.success) {
logger.warn(`[${requestId}] Invalid TikTok webhook envelope`, {
issues: envelopeResult.error.issues,
})
return NextResponse.json({ ok: true })
}
const envelope = envelopeResult.data
if (!env.TIKTOK_CLIENT_ID || envelope.client_key !== env.TIKTOK_CLIENT_ID) {
logger.warn(`[${requestId}] TikTok webhook client_key does not match configured app`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const payload: TikTokWebhookIngressPayload = {
envelope,
headers: {
'content-type': request.headers.get('content-type') ?? 'application/json',
},
requestId,
receivedAt,
}
const jobQueue = await getJobQueue()
const jobId = await jobQueue.enqueue('tiktok-webhook-ingress', payload, {
maxAttempts: TIKTOK_WEBHOOK_INGRESS_MAX_ATTEMPTS,
concurrencyKey: 'tiktok-webhook-ingress',
concurrencyLimit: TIKTOK_WEBHOOK_INGRESS_CONCURRENCY_LIMIT,
runner: async () => {
await executeTikTokWebhookIngress(payload)
},
})
logger.info(`[${requestId}] Accepted TikTok webhook delivery`, {
event: envelope.event,
jobId,
userOpenIdPrefix: envelope.user_openid.slice(0, 12),
})
return NextResponse.json({ ok: true })
} catch (error) {
logger.error(`[${requestId}] TikTok webhook ingress error`, {
error: getErrorMessage(error, 'Unknown error'),
})
return NextResponse.json({ error: 'Temporarily unable to accept webhook' }, { status: 503 })
} finally {
ticket.release()
}
})