Files
wehub-resource-sync d25d482dc2
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:20:55 +08:00

324 lines
11 KiB
TypeScript

import { createLogger } from '@sim/logger'
import { getSessionCookie } from 'better-auth/cookies'
import { type NextRequest, NextResponse } from 'next/server'
import { sendToProfound } from './lib/analytics/profound'
import { getEnv } from './lib/core/config/env'
import { isAuthDisabled, isDev, isHosted } from './lib/core/config/env-flags'
import { generateRuntimeCSP } from './lib/core/security/csp'
import { getClientIp } from './lib/core/utils/request'
const logger = createLogger('Proxy')
export interface CorsPolicy {
origin: string
credentials: boolean
methods: string
headers: string
}
const DEFAULT_API_ALLOWED_HEADERS =
'X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version, X-API-Key, Authorization'
const WORKFLOW_EXECUTE_HEADERS =
'X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version, X-API-Key'
/** Subpaths under /api/chat/* that serve the workspace UI, not embeds. */
const EMBED_RESERVED_SEGMENTS = new Set(['manage', 'validate'])
/** True for /api/chat/[identifier] and any deeper subroute. */
function isEmbedPath(pathname: string): boolean {
const segments = pathname.split('/')
if (segments.length < 4) return false
if (segments[1] !== 'api') return false
if (segments[2] !== 'chat') return false
const identifier = segments[3]
if (!identifier || EMBED_RESERVED_SEGMENTS.has(identifier)) return false
return true
}
interface CorsRule {
match: (pathname: string) => boolean
policy: (request: NextRequest) => CorsPolicy
}
const CORS_RULES: readonly CorsRule[] = [
{
match: (p) => p.startsWith('/api/auth/oauth2/'),
policy: () => ({
origin: '*',
credentials: false,
methods: 'GET, POST, OPTIONS',
headers: 'Content-Type, Authorization, Accept',
}),
},
{
match: (p) => p === '/api/mcp/copilot',
policy: () => ({
origin: '*',
credentials: false,
methods: 'GET, POST, OPTIONS, DELETE',
headers: 'Content-Type, Authorization, X-API-Key, X-Requested-With, Accept',
}),
},
{
match: (p) => isEmbedPath(p),
policy: (request) => {
const requestOrigin = request.headers.get('origin')
return {
origin: requestOrigin || '*',
credentials: !!requestOrigin,
methods: 'GET, POST, PUT, OPTIONS',
headers: 'Content-Type, X-Requested-With',
}
},
},
{
match: (p) => /^\/api\/workflows\/[^/]+\/execute$/.test(p),
policy: () => ({
origin: '*',
credentials: false,
methods: 'GET,POST,OPTIONS,PUT',
headers: WORKFLOW_EXECUTE_HEADERS,
}),
},
]
/** Single source of truth for /api/* CORS — resolved at request time, not baked at build. */
export function resolveApiCorsPolicy(request: NextRequest): CorsPolicy {
const { pathname } = request.nextUrl
for (const rule of CORS_RULES) {
if (rule.match(pathname)) return rule.policy(request)
}
return {
origin: getEnv('NEXT_PUBLIC_APP_URL') || 'http://localhost:3001',
credentials: true,
methods: 'GET,POST,OPTIONS,PUT,DELETE',
headers: DEFAULT_API_ALLOWED_HEADERS,
}
}
const CORS_PREFLIGHT_MAX_AGE = '86400'
function applyCorsHeaders(response: NextResponse, policy: CorsPolicy): void {
response.headers.set('Access-Control-Allow-Origin', policy.origin)
response.headers.set('Access-Control-Allow-Credentials', String(policy.credentials))
response.headers.set('Access-Control-Allow-Methods', policy.methods)
response.headers.set('Access-Control-Allow-Headers', policy.headers)
if (policy.origin !== '*') {
response.headers.set('Vary', 'Origin')
}
}
/** Next's auto-OPTIONS doesn't carry middleware headers, so we answer preflight here. */
function buildPreflightResponse(policy: CorsPolicy): NextResponse {
const response = new NextResponse(null, { status: 204 })
applyCorsHeaders(response, policy)
response.headers.set('Access-Control-Max-Age', CORS_PREFLIGHT_MAX_AGE)
return response
}
const SUSPICIOUS_UA_PATTERNS = [
/^\s*$/, // Empty user agents
/\.\./, // Path traversal attempt
/<\s*script/i, // Potential XSS payloads
/^\(\)\s*{/, // Command execution attempt
/\b(sqlmap|nikto|gobuster|dirb|nmap)\b/i, // Known scanning tools
] as const
/**
* Handles authentication-based redirects for root paths
*/
function handleRootPathRedirects(
request: NextRequest,
hasActiveSession: boolean
): NextResponse | null {
const url = request.nextUrl
if (url.pathname !== '/') {
return null
}
if (!isHosted && !isDev) {
// Self-hosted production: Always redirect based on session.
if (hasActiveSession) {
return NextResponse.redirect(new URL('/workspace', request.url))
}
return NextResponse.redirect(new URL('/login', request.url))
}
// For root path, redirect authenticated users to workspace
// Unless they have a 'home' query parameter (e.g., ?home)
// This allows intentional navigation to the homepage from anywhere in the app
if (hasActiveSession) {
const isBrowsingHome = url.searchParams.has('home')
if (!isBrowsingHome) {
return NextResponse.redirect(new URL('/workspace', request.url))
}
}
return null
}
/**
* Handles invitation link redirects for unauthenticated users
*/
function handleInvitationRedirects(
request: NextRequest,
hasActiveSession: boolean
): NextResponse | null {
if (!request.nextUrl.pathname.startsWith('/invite/')) {
return null
}
if (
!hasActiveSession &&
!request.nextUrl.pathname.endsWith('/login') &&
!request.nextUrl.pathname.endsWith('/signup') &&
!request.nextUrl.search.includes('callbackUrl')
) {
const token = request.nextUrl.searchParams.get('token')
const inviteId = request.nextUrl.pathname.split('/').pop()
const callbackParam = encodeURIComponent(`/invite/${inviteId}${token ? `?token=${token}` : ''}`)
return NextResponse.redirect(
new URL(`/login?callbackUrl=${callbackParam}&invite_flow=true`, request.url)
)
}
const response = NextResponse.next()
response.headers.set('Content-Security-Policy', generateRuntimeCSP())
response.headers.set('X-Content-Type-Options', 'nosniff')
response.headers.set('X-Frame-Options', 'SAMEORIGIN')
return response
}
/**
* Handles security filtering for suspicious user agents
*/
function handleSecurityFiltering(request: NextRequest): NextResponse | null {
const userAgent = request.headers.get('user-agent') || ''
const { pathname } = request.nextUrl
const isWebhookEndpoint =
pathname.startsWith('/api/webhooks/trigger/') ||
pathname.startsWith('/api/webhooks/tiktok') ||
pathname.startsWith('/api/webhooks/agentmail')
const isMcpEndpoint = pathname.startsWith('/api/mcp/')
const isMcpOauthDiscoveryEndpoint =
pathname.startsWith('/.well-known/oauth-authorization-server') ||
pathname.startsWith('/.well-known/oauth-protected-resource')
const isSuspicious = SUSPICIOUS_UA_PATTERNS.some((pattern) => pattern.test(userAgent))
// Block suspicious requests, but exempt machine-to-machine endpoints that may
// legitimately omit User-Agent headers (webhooks and MCP protocol discovery/calls).
if (isSuspicious && !isWebhookEndpoint && !isMcpEndpoint && !isMcpOauthDiscoveryEndpoint) {
logger.warn('Blocked suspicious request', {
userAgent,
ip: getClientIp(request),
url: request.url,
method: request.method,
pattern: SUSPICIOUS_UA_PATTERNS.find((pattern) => pattern.test(userAgent))?.toString(),
})
return new NextResponse(null, {
status: 403,
statusText: 'Forbidden',
headers: {
'Content-Type': 'text/plain',
'X-Content-Type-Options': 'nosniff',
'X-Frame-Options': 'DENY',
'Content-Security-Policy': "default-src 'none'",
'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
Pragma: 'no-cache',
Expires: '0',
},
})
}
return null
}
export async function proxy(request: NextRequest) {
const url = request.nextUrl
if (url.pathname.startsWith('/api/')) {
const policy = resolveApiCorsPolicy(request)
if (request.method === 'OPTIONS') {
return buildPreflightResponse(policy)
}
const response = NextResponse.next()
applyCorsHeaders(response, policy)
return response
}
const sessionCookie = getSessionCookie(request)
const hasActiveSession = isAuthDisabled || !!sessionCookie
const redirect = handleRootPathRedirects(request, hasActiveSession)
if (redirect) return track(request, redirect)
if (url.pathname === '/login' || url.pathname === '/signup') {
if (hasActiveSession) {
return track(request, NextResponse.redirect(new URL('/workspace', request.url)))
}
const response = NextResponse.next()
response.headers.set('Content-Security-Policy', generateRuntimeCSP())
response.headers.set('X-Content-Type-Options', 'nosniff')
response.headers.set('X-Frame-Options', 'SAMEORIGIN')
return track(request, response)
}
// Chat pages are publicly accessible embeds — CSP is set in next.config.ts headers
if (url.pathname.startsWith('/chat/')) {
return track(request, NextResponse.next())
}
if (url.pathname.startsWith('/workspace')) {
if (!hasActiveSession) {
return track(request, NextResponse.redirect(new URL('/login', request.url)))
}
const response = NextResponse.next()
response.headers.set('Content-Security-Policy', generateRuntimeCSP())
response.headers.set('X-Content-Type-Options', 'nosniff')
response.headers.set('X-Frame-Options', 'SAMEORIGIN')
return track(request, response)
}
const invitationRedirect = handleInvitationRedirects(request, hasActiveSession)
if (invitationRedirect) return track(request, invitationRedirect)
const securityBlock = handleSecurityFiltering(request)
if (securityBlock) return track(request, securityBlock)
const response = NextResponse.next()
response.headers.set('Vary', 'User-Agent')
response.headers.set('Content-Security-Policy', generateRuntimeCSP())
response.headers.set('X-Content-Type-Options', 'nosniff')
response.headers.set('X-Frame-Options', 'SAMEORIGIN')
return track(request, response)
}
/**
* Sends request data to Profound analytics (fire-and-forget) and returns the response.
*/
function track(request: NextRequest, response: NextResponse): NextResponse {
sendToProfound(request, response.status)
return response
}
export const config = {
matcher: [
'/', // Root path for self-hosted redirect logic
'/terms', // Whitelabel terms redirect
'/privacy', // Whitelabel privacy redirect
'/w', // Legacy /w redirect
'/w/:path*', // Legacy /w/* redirects
'/workspace/:path*', // New workspace routes
'/login',
'/signup',
'/invite/:path*', // Match invitation routes
'/api/:path*', // Runtime CORS
// Catch-all for other pages, excluding static assets and public directories
'/((?!api/|api$|_next/static|_next/image|ingest|favicon.ico|logo/|landing/|static/|footer/|social/|enterprise/|favicon/|twitter/|robots.txt|sitemap.xml).*)',
],
}