d25d482dc2
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
82 lines
2.8 KiB
TypeScript
82 lines
2.8 KiB
TypeScript
import { createLogger } from '@sim/logger'
|
|
import {
|
|
authorizeWorkflowByWorkspacePermission,
|
|
type WorkflowWorkspaceAuthorizationResult,
|
|
} from '@sim/platform-authz/workflow'
|
|
import { type NextRequest, NextResponse } from 'next/server'
|
|
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
|
|
import { enforceUserRateLimit } from '@/lib/core/rate-limiter'
|
|
|
|
const logger = createLogger('DeploymentToolsAPI')
|
|
|
|
export type AuthorizedDeploymentWorkflow = NonNullable<
|
|
WorkflowWorkspaceAuthorizationResult['workflow']
|
|
>
|
|
|
|
/** Standard error body for deployment tool routes, matching the generic tool response shape. */
|
|
export function deploymentToolError(error: string, status: number): NextResponse {
|
|
return NextResponse.json({ success: false, error }, { status })
|
|
}
|
|
|
|
/**
|
|
* Authenticates a deployment tool request via session or internal token (API
|
|
* keys are rejected) and applies per-user rate limiting. Runs before request
|
|
* parsing, so it must not read the body.
|
|
*/
|
|
export async function authenticateDeploymentToolRequest(
|
|
request: NextRequest,
|
|
requestId: string
|
|
): Promise<{ ok: true; userId: string } | { ok: false; response: NextResponse }> {
|
|
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
|
|
if (!auth.success || !auth.userId) {
|
|
logger.warn(`[${requestId}] Unauthorized deployment tool request`, { error: auth.error })
|
|
return {
|
|
ok: false,
|
|
response: deploymentToolError(auth.error || 'Authentication required', 401),
|
|
}
|
|
}
|
|
|
|
const rateLimited = await enforceUserRateLimit('deployment-tools', auth.userId)
|
|
if (rateLimited) return { ok: false, response: rateLimited }
|
|
|
|
return { ok: true, userId: auth.userId }
|
|
}
|
|
|
|
/**
|
|
* Verifies the user holds the required workspace permission on the target
|
|
* workflow and that the workflow belongs to the calling workspace. Deployment
|
|
* mutations require `admin`, reads require `read`, matching the UI deploy
|
|
* routes. The workspace binding keeps workflow-driven executions (schedules,
|
|
* webhooks) from reaching into other workspaces the actor administers.
|
|
*/
|
|
export async function authorizeDeploymentWorkflow(
|
|
userId: string,
|
|
workflowId: string,
|
|
workspaceId: string,
|
|
action: 'read' | 'admin'
|
|
): Promise<
|
|
{ ok: true; workflow: AuthorizedDeploymentWorkflow } | { ok: false; response: NextResponse }
|
|
> {
|
|
const authorization = await authorizeWorkflowByWorkspacePermission({
|
|
workflowId,
|
|
userId,
|
|
action,
|
|
})
|
|
|
|
if (!authorization.allowed || !authorization.workflow) {
|
|
return {
|
|
ok: false,
|
|
response: deploymentToolError(authorization.message || 'Access denied', authorization.status),
|
|
}
|
|
}
|
|
|
|
if (authorization.workflow.workspaceId !== workspaceId) {
|
|
return {
|
|
ok: false,
|
|
response: deploymentToolError('Workflow not found in this workspace', 404),
|
|
}
|
|
}
|
|
|
|
return { ok: true, workflow: authorization.workflow }
|
|
}
|