Files
wehub-resource-sync d25d482dc2
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:20:55 +08:00

215 lines
5.9 KiB
TypeScript

import { createLogger } from '@sim/logger'
import { type PermissionType, permissionSatisfies } from '@sim/platform-authz/workspace'
import { type NextRequest, NextResponse } from 'next/server'
import { getHighestPrioritySubscription } from '@/lib/billing/core/subscription'
import type { SubscriptionPlan } from '@/lib/core/rate-limiter'
import { getRateLimit, RateLimiter } from '@/lib/core/rate-limiter'
import { generateRequestId } from '@/lib/core/utils/request'
import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
import { getWorkspaceBillingSettings } from '@/lib/workspaces/utils'
import { authenticateV1Request } from '@/app/api/v1/auth'
const logger = createLogger('V1Middleware')
const rateLimiter = new RateLimiter()
export type V1Endpoint =
| 'logs'
| 'logs-detail'
| 'workflows'
| 'workflow-detail'
| 'workflow-deploy'
| 'workflow-rollback'
| 'audit-logs'
| 'tables'
| 'table-detail'
| 'table-rows'
| 'table-row-detail'
| 'table-columns'
| 'files'
| 'file-detail'
| 'knowledge'
| 'knowledge-detail'
| 'knowledge-search'
| 'copilot-chat'
export interface RateLimitResult {
allowed: boolean
remaining: number
resetAt: Date
limit: number
retryAfterMs?: number
userId?: string
workspaceId?: string
keyType?: 'personal' | 'workspace'
error?: string
}
export interface AuthorizedRequest {
requestId: string
userId: string
rateLimit: RateLimitResult
}
export async function checkRateLimit(
request: NextRequest,
endpoint: V1Endpoint = 'logs'
): Promise<RateLimitResult> {
try {
const auth = await authenticateV1Request(request)
if (!auth.authenticated) {
return {
allowed: false,
remaining: 0,
limit: 10,
resetAt: new Date(),
error: auth.error,
}
}
const userId = auth.userId!
const subscription = await getHighestPrioritySubscription(userId)
const result = await rateLimiter.checkRateLimitWithSubscription(
userId,
subscription,
'api-endpoint',
false
)
if (!result.allowed) {
logger.warn(`Rate limit exceeded for user ${userId}`, {
endpoint,
remaining: result.remaining,
resetAt: result.resetAt,
})
}
const plan = (subscription?.plan || 'free') as SubscriptionPlan
const config = getRateLimit(plan, 'api-endpoint')
return {
allowed: result.allowed,
remaining: result.remaining,
resetAt: result.resetAt,
limit: config.refillRate,
retryAfterMs: result.retryAfterMs,
userId,
workspaceId: auth.workspaceId,
keyType: auth.keyType,
}
} catch (error) {
logger.error('Rate limit check error', { error })
return {
allowed: false,
remaining: 0,
limit: 10,
resetAt: new Date(Date.now() + 60000),
error: 'Rate limit check failed',
}
}
}
/**
* Authenticates and rate-limits a v1 API request.
* Returns NextResponse on failure, AuthorizedRequest on success.
*/
export async function authenticateRequest(
request: NextRequest,
endpoint: V1Endpoint
): Promise<AuthorizedRequest | NextResponse> {
const requestId = generateRequestId()
const rateLimit = await checkRateLimit(request, endpoint)
if (!rateLimit.allowed) {
return createRateLimitResponse(rateLimit)
}
return { requestId, userId: rateLimit.userId!, rateLimit }
}
export function createRateLimitResponse(result: RateLimitResult): NextResponse {
const headers = {
'X-RateLimit-Limit': result.limit.toString(),
'X-RateLimit-Remaining': result.remaining.toString(),
'X-RateLimit-Reset': result.resetAt.toISOString(),
}
if (result.error) {
return NextResponse.json({ error: result.error || 'Unauthorized' }, { status: 401, headers })
}
const retryAfterSeconds = result.retryAfterMs
? Math.ceil(result.retryAfterMs / 1000)
: Math.ceil((result.resetAt.getTime() - Date.now()) / 1000)
return NextResponse.json(
{
error: 'Rate limit exceeded',
message: `API rate limit exceeded. Please retry after ${result.resetAt.toISOString()}`,
retryAfter: result.resetAt.getTime(),
},
{
status: 429,
headers: {
...headers,
'Retry-After': retryAfterSeconds.toString(),
},
}
)
}
/**
* Verify that the API key is allowed to access the requested workspace.
*
* Enforces two policies:
* - A workspace-scoped key may only target its own workspace.
* - A personal key is rejected when the workspace has disabled personal API
* keys (`allowPersonalApiKeys = false`), matching the workflow-execution
* surface in `app/api/workflows/middleware.ts`.
*/
export async function checkWorkspaceScope(
rateLimit: RateLimitResult,
requestedWorkspaceId: string
): Promise<NextResponse | null> {
if (
rateLimit.keyType === 'workspace' &&
rateLimit.workspaceId &&
rateLimit.workspaceId !== requestedWorkspaceId
) {
return NextResponse.json(
{ error: 'API key is not authorized for this workspace' },
{ status: 403 }
)
}
if (rateLimit.keyType === 'personal') {
const settings = await getWorkspaceBillingSettings(requestedWorkspaceId)
if (!settings?.allowPersonalApiKeys) {
return NextResponse.json(
{ error: 'Personal API keys are not allowed for this workspace' },
{ status: 403 }
)
}
}
return null
}
/**
* Validates workspace-scoped API key bounds and the user's workspace permission.
* Returns null on success, NextResponse on failure.
*/
export async function validateWorkspaceAccess(
rateLimit: RateLimitResult,
userId: string,
workspaceId: string,
level: PermissionType = 'read'
): Promise<NextResponse | null> {
const scopeError = await checkWorkspaceScope(rateLimit, workspaceId)
if (scopeError) return scopeError
const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
if (!permissionSatisfies(permission, level)) {
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
}
return null
}