d25d482dc2
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
440 lines
13 KiB
TypeScript
440 lines
13 KiB
TypeScript
import { z } from 'zod'
|
|
import { defineRouteContract } from '@/lib/api/contracts/types'
|
|
import {
|
|
ATLASSIAN_SERVICE_ACCOUNT_PROVIDER_ID,
|
|
type OAuthProvider,
|
|
SLACK_CUSTOM_BOT_PROVIDER_ID,
|
|
} from '@/lib/oauth/types'
|
|
|
|
const ENV_VAR_NAME_REGEX = /^[A-Za-z0-9_]+$/
|
|
|
|
export function normalizeCredentialEnvKey(raw: string): string {
|
|
const trimmed = raw.trim()
|
|
const wrappedMatch = /^\{\{\s*([A-Za-z0-9_]+)\s*\}\}$/.exec(trimmed)
|
|
return wrappedMatch ? wrappedMatch[1] : trimmed
|
|
}
|
|
|
|
export const workspaceCredentialTypeSchema = z.enum([
|
|
'oauth',
|
|
'env_workspace',
|
|
'env_personal',
|
|
'service_account',
|
|
])
|
|
export const workspaceCredentialRoleSchema = z.enum(['admin', 'member'])
|
|
export const workspaceCredentialMemberStatusSchema = z.enum(['active', 'pending', 'revoked'])
|
|
|
|
export const workspaceCredentialSchema = z.object({
|
|
id: z.string(),
|
|
workspaceId: z.string(),
|
|
type: workspaceCredentialTypeSchema,
|
|
displayName: z.string(),
|
|
description: z.string().nullable(),
|
|
providerId: z.string().nullable(),
|
|
accountId: z.string().nullable(),
|
|
envKey: z.string().nullable(),
|
|
envOwnerUserId: z.string().nullable(),
|
|
createdBy: z.string(),
|
|
createdAt: z.string(),
|
|
updatedAt: z.string(),
|
|
role: workspaceCredentialRoleSchema.optional(),
|
|
status: workspaceCredentialMemberStatusSchema.optional(),
|
|
})
|
|
|
|
export type WorkspaceCredentialType = z.output<typeof workspaceCredentialTypeSchema>
|
|
export type WorkspaceCredentialRole = z.output<typeof workspaceCredentialRoleSchema>
|
|
export type WorkspaceCredentialMemberStatus = z.output<typeof workspaceCredentialMemberStatusSchema>
|
|
export type WorkspaceCredential = z.output<typeof workspaceCredentialSchema>
|
|
|
|
export const credentialsListQuerySchema = z.object({
|
|
workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
|
|
type: workspaceCredentialTypeSchema.optional(),
|
|
providerId: z.string().optional(),
|
|
})
|
|
|
|
export const credentialIdParamsSchema = z.object({
|
|
id: z.string().min(1),
|
|
})
|
|
|
|
export const credentialsListGetQuerySchema = z.object({
|
|
workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
|
|
type: workspaceCredentialTypeSchema.optional(),
|
|
providerId: z.string().optional(),
|
|
credentialId: z.string().optional(),
|
|
})
|
|
|
|
export const serviceAccountJsonSchema = z
|
|
.string()
|
|
.min(1, 'Service account JSON key is required')
|
|
.transform((val, ctx) => {
|
|
try {
|
|
const parsed = JSON.parse(val)
|
|
if (parsed.type !== 'service_account') {
|
|
ctx.addIssue({
|
|
code: z.ZodIssueCode.custom,
|
|
message: 'JSON key must have type "service_account"',
|
|
})
|
|
return z.NEVER
|
|
}
|
|
if (!parsed.client_email || typeof parsed.client_email !== 'string') {
|
|
ctx.addIssue({
|
|
code: z.ZodIssueCode.custom,
|
|
message: 'JSON key must contain a valid client_email',
|
|
})
|
|
return z.NEVER
|
|
}
|
|
if (!parsed.private_key || typeof parsed.private_key !== 'string') {
|
|
ctx.addIssue({
|
|
code: z.ZodIssueCode.custom,
|
|
message: 'JSON key must contain a valid private_key',
|
|
})
|
|
return z.NEVER
|
|
}
|
|
if (!parsed.project_id || typeof parsed.project_id !== 'string') {
|
|
ctx.addIssue({
|
|
code: z.ZodIssueCode.custom,
|
|
message: 'JSON key must contain a valid project_id',
|
|
})
|
|
return z.NEVER
|
|
}
|
|
return parsed as {
|
|
type: 'service_account'
|
|
client_email: string
|
|
private_key: string
|
|
project_id: string
|
|
[key: string]: unknown
|
|
}
|
|
} catch {
|
|
ctx.addIssue({
|
|
code: z.ZodIssueCode.custom,
|
|
message: 'Invalid JSON format',
|
|
})
|
|
return z.NEVER
|
|
}
|
|
})
|
|
|
|
export const createCredentialBodySchema = z
|
|
.object({
|
|
workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
|
|
type: workspaceCredentialTypeSchema,
|
|
displayName: z.string().trim().min(1).max(255).optional(),
|
|
description: z.string().trim().max(500).optional(),
|
|
providerId: z.string().trim().min(1).optional(),
|
|
accountId: z.string().trim().min(1).optional(),
|
|
envKey: z.string().trim().min(1).optional(),
|
|
envOwnerUserId: z.string().trim().min(1).optional(),
|
|
serviceAccountJson: z.string().optional(),
|
|
apiToken: z.string().trim().min(1).optional(),
|
|
domain: z.string().trim().min(1).optional(),
|
|
/**
|
|
* Client-supplied credential id, honored only for `slack-custom-bot` creates:
|
|
* the setup modal shows the ingest URL `/api/webhooks/slack/custom/{id}`
|
|
* before secrets exist, so the id must be known up front.
|
|
*/
|
|
id: z.string().uuid('id must be a valid UUID').optional(),
|
|
signingSecret: z.string().trim().min(1).optional(),
|
|
botToken: z.string().trim().min(1).optional(),
|
|
})
|
|
.superRefine((data, ctx) => {
|
|
if (data.type === 'oauth') {
|
|
if (!data.accountId) {
|
|
ctx.addIssue({
|
|
code: z.ZodIssueCode.custom,
|
|
message: 'accountId is required for oauth credentials',
|
|
path: ['accountId'],
|
|
})
|
|
}
|
|
if (!data.providerId) {
|
|
ctx.addIssue({
|
|
code: z.ZodIssueCode.custom,
|
|
message: 'providerId is required for oauth credentials',
|
|
path: ['providerId'],
|
|
})
|
|
}
|
|
if (!data.displayName) {
|
|
ctx.addIssue({
|
|
code: z.ZodIssueCode.custom,
|
|
message: 'displayName is required for oauth credentials',
|
|
path: ['displayName'],
|
|
})
|
|
}
|
|
return
|
|
}
|
|
|
|
if (data.type === 'service_account') {
|
|
if (data.providerId === ATLASSIAN_SERVICE_ACCOUNT_PROVIDER_ID) {
|
|
if (!data.apiToken) {
|
|
ctx.addIssue({
|
|
code: z.ZodIssueCode.custom,
|
|
message: 'apiToken is required for Atlassian service account credentials',
|
|
path: ['apiToken'],
|
|
})
|
|
}
|
|
if (!data.domain) {
|
|
ctx.addIssue({
|
|
code: z.ZodIssueCode.custom,
|
|
message: 'domain is required for Atlassian service account credentials',
|
|
path: ['domain'],
|
|
})
|
|
}
|
|
return
|
|
}
|
|
if (data.providerId === SLACK_CUSTOM_BOT_PROVIDER_ID) {
|
|
if (!data.signingSecret) {
|
|
ctx.addIssue({
|
|
code: z.ZodIssueCode.custom,
|
|
message: 'signingSecret is required for a custom Slack bot credential',
|
|
path: ['signingSecret'],
|
|
})
|
|
}
|
|
if (!data.botToken) {
|
|
ctx.addIssue({
|
|
code: z.ZodIssueCode.custom,
|
|
message: 'botToken is required for a custom Slack bot credential',
|
|
path: ['botToken'],
|
|
})
|
|
}
|
|
return
|
|
}
|
|
if (!data.serviceAccountJson) {
|
|
ctx.addIssue({
|
|
code: z.ZodIssueCode.custom,
|
|
message: 'serviceAccountJson is required for service account credentials',
|
|
path: ['serviceAccountJson'],
|
|
})
|
|
}
|
|
return
|
|
}
|
|
|
|
const normalizedEnvKey = data.envKey ? normalizeCredentialEnvKey(data.envKey) : ''
|
|
if (!normalizedEnvKey) {
|
|
ctx.addIssue({
|
|
code: z.ZodIssueCode.custom,
|
|
message: 'envKey is required for env credentials',
|
|
path: ['envKey'],
|
|
})
|
|
return
|
|
}
|
|
|
|
if (!ENV_VAR_NAME_REGEX.test(normalizedEnvKey)) {
|
|
ctx.addIssue({
|
|
code: z.ZodIssueCode.custom,
|
|
message: 'envKey must contain only letters, numbers, and underscores',
|
|
path: ['envKey'],
|
|
})
|
|
}
|
|
})
|
|
|
|
export const updateCredentialByIdBodySchema = z
|
|
.object({
|
|
displayName: z.string().trim().min(1).max(255).optional(),
|
|
description: z.string().trim().max(500).nullish(),
|
|
serviceAccountJson: z.string().min(1).optional(),
|
|
/** Slack custom-bot secret rotation (reconnect). */
|
|
signingSecret: z.string().trim().min(1).optional(),
|
|
botToken: z.string().trim().min(1).optional(),
|
|
/** Atlassian service-account secret rotation (reconnect). */
|
|
apiToken: z.string().trim().min(1).optional(),
|
|
domain: z.string().trim().min(1).optional(),
|
|
})
|
|
.strict()
|
|
.refine(
|
|
(data) =>
|
|
data.displayName !== undefined ||
|
|
data.description !== undefined ||
|
|
data.serviceAccountJson !== undefined ||
|
|
data.signingSecret !== undefined ||
|
|
data.botToken !== undefined ||
|
|
data.apiToken !== undefined ||
|
|
data.domain !== undefined,
|
|
{
|
|
message: 'At least one field must be provided',
|
|
path: ['displayName'],
|
|
}
|
|
)
|
|
|
|
export const leaveCredentialQuerySchema = z.object({
|
|
credentialId: z.string().min(1),
|
|
})
|
|
|
|
export const workspaceCredentialMemberSchema = z.object({
|
|
id: z.string(),
|
|
userId: z.string(),
|
|
role: workspaceCredentialRoleSchema,
|
|
status: workspaceCredentialMemberStatusSchema,
|
|
joinedAt: z.string().nullable(),
|
|
invitedBy: z.string().nullable().optional(),
|
|
createdAt: z.string().optional(),
|
|
updatedAt: z.string().optional(),
|
|
userName: z.string().nullable(),
|
|
userEmail: z.string().nullable(),
|
|
userImage: z.string().nullable().optional(),
|
|
/** `workspace-admin` roles are derived from workspace admin and cannot be changed. */
|
|
roleSource: z.enum(['explicit', 'workspace-admin']).optional(),
|
|
})
|
|
|
|
export type WorkspaceCredentialMember = z.output<typeof workspaceCredentialMemberSchema>
|
|
|
|
export const createCredentialDraftBodySchema = z.object({
|
|
workspaceId: z.string().min(1),
|
|
providerId: z.string().min(1),
|
|
displayName: z.string().min(1),
|
|
description: z.string().trim().max(500).optional(),
|
|
credentialId: z.string().min(1).optional(),
|
|
})
|
|
|
|
export const upsertWorkspaceCredentialMemberBodySchema = z.object({
|
|
userId: z.string().min(1),
|
|
role: workspaceCredentialRoleSchema.default('member'),
|
|
})
|
|
|
|
export const removeWorkspaceCredentialMemberQuerySchema = z.object({
|
|
userId: z.string().min(1),
|
|
})
|
|
|
|
export const oauthCredentialSchema = z.object({
|
|
id: z.string(),
|
|
name: z.string(),
|
|
provider: z.custom<OAuthProvider>((value) => typeof value === 'string'),
|
|
type: z.enum(['oauth', 'service_account']).optional(),
|
|
serviceId: z.string().optional(),
|
|
lastUsed: z.string().optional(),
|
|
isDefault: z.boolean().optional(),
|
|
scopes: z.array(z.string()).optional(),
|
|
})
|
|
|
|
export const oauthCredentialsQuerySchema = z
|
|
.object({
|
|
provider: z.string().nullish(),
|
|
workflowId: z.string().uuid('Workflow ID must be a valid UUID').nullish(),
|
|
workspaceId: z.string().uuid('Workspace ID must be a valid UUID').nullish(),
|
|
credentialId: z.string().min(1, 'Credential ID must not be empty').max(255).nullish(),
|
|
})
|
|
.refine((data) => data.provider || data.credentialId, {
|
|
message: 'Provider or credentialId is required',
|
|
path: ['provider'],
|
|
})
|
|
|
|
export const listWorkspaceCredentialsContract = defineRouteContract({
|
|
method: 'GET',
|
|
path: '/api/credentials',
|
|
query: credentialsListQuerySchema,
|
|
response: {
|
|
mode: 'json',
|
|
schema: z.object({
|
|
credentials: z.array(workspaceCredentialSchema),
|
|
}),
|
|
},
|
|
})
|
|
|
|
export const getWorkspaceCredentialContract = defineRouteContract({
|
|
method: 'GET',
|
|
path: '/api/credentials/[id]',
|
|
params: credentialIdParamsSchema,
|
|
response: {
|
|
mode: 'json',
|
|
schema: z.object({
|
|
credential: workspaceCredentialSchema.nullable(),
|
|
}),
|
|
},
|
|
})
|
|
|
|
export const listOAuthCredentialsContract = defineRouteContract({
|
|
method: 'GET',
|
|
path: '/api/auth/oauth/credentials',
|
|
query: oauthCredentialsQuerySchema,
|
|
response: {
|
|
mode: 'json',
|
|
schema: z.object({
|
|
credentials: z.array(oauthCredentialSchema),
|
|
}),
|
|
},
|
|
})
|
|
|
|
export const listWorkspaceCredentialMembersContract = defineRouteContract({
|
|
method: 'GET',
|
|
path: '/api/credentials/[id]/members',
|
|
params: credentialIdParamsSchema,
|
|
response: {
|
|
mode: 'json',
|
|
schema: z.object({
|
|
members: z.array(workspaceCredentialMemberSchema).optional(),
|
|
}),
|
|
},
|
|
})
|
|
|
|
export const createCredentialDraftContract = defineRouteContract({
|
|
method: 'POST',
|
|
path: '/api/credentials/draft',
|
|
body: createCredentialDraftBodySchema,
|
|
response: {
|
|
mode: 'json',
|
|
schema: z.object({
|
|
success: z.literal(true),
|
|
}),
|
|
},
|
|
})
|
|
|
|
export const createWorkspaceCredentialContract = defineRouteContract({
|
|
method: 'POST',
|
|
path: '/api/credentials',
|
|
body: createCredentialBodySchema,
|
|
response: {
|
|
mode: 'json',
|
|
schema: z.object({
|
|
credential: workspaceCredentialSchema,
|
|
}),
|
|
},
|
|
})
|
|
|
|
export const updateWorkspaceCredentialContract = defineRouteContract({
|
|
method: 'PUT',
|
|
path: '/api/credentials/[id]',
|
|
params: credentialIdParamsSchema,
|
|
body: updateCredentialByIdBodySchema,
|
|
response: {
|
|
mode: 'json',
|
|
schema: z.object({
|
|
credential: workspaceCredentialSchema.nullable(),
|
|
}),
|
|
},
|
|
})
|
|
|
|
export const deleteWorkspaceCredentialContract = defineRouteContract({
|
|
method: 'DELETE',
|
|
path: '/api/credentials/[id]',
|
|
params: credentialIdParamsSchema,
|
|
response: {
|
|
mode: 'json',
|
|
schema: z.object({
|
|
success: z.literal(true),
|
|
}),
|
|
},
|
|
})
|
|
|
|
export const upsertWorkspaceCredentialMemberContract = defineRouteContract({
|
|
method: 'POST',
|
|
path: '/api/credentials/[id]/members',
|
|
params: credentialIdParamsSchema,
|
|
body: upsertWorkspaceCredentialMemberBodySchema,
|
|
response: {
|
|
mode: 'json',
|
|
schema: z.object({
|
|
success: z.literal(true),
|
|
member: workspaceCredentialMemberSchema.optional(),
|
|
}),
|
|
},
|
|
})
|
|
|
|
export const removeWorkspaceCredentialMemberContract = defineRouteContract({
|
|
method: 'DELETE',
|
|
path: '/api/credentials/[id]/members',
|
|
params: credentialIdParamsSchema,
|
|
query: removeWorkspaceCredentialMemberQuerySchema,
|
|
response: {
|
|
mode: 'json',
|
|
schema: z.object({
|
|
success: z.literal(true),
|
|
}),
|
|
},
|
|
})
|