Files
simstudioai--sim/apps/sim/app/api/workflows/[id]/route.ts
T
wehub-resource-sync d25d482dc2
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:20:55 +08:00

356 lines
13 KiB
TypeScript

import { db } from '@sim/db'
import { workflow } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import {
assertFolderMutable,
assertWorkflowMutable,
authorizeWorkflowByWorkspacePermission,
FolderLockedError,
WorkflowLockedError,
} from '@sim/platform-authz/workflow'
import { eq, sql } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { updateWorkflowContract } from '@/lib/api/contracts/workflows'
import { parseRequest } from '@/lib/api/server'
import { AuthType, checkHybridAuth, checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { generateRequestId } from '@/lib/core/utils/request'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import { captureServerEvent } from '@/lib/posthog/server'
import { performDeleteWorkflow, performUpdateWorkflow } from '@/lib/workflows/orchestration'
import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
import { getWorkflowById } from '@/lib/workflows/utils'
const logger = createLogger('WorkflowByIdAPI')
/**
* GET /api/workflows/[id]
* Fetch a single workflow by ID
* Uses hybrid approach: try normalized tables first, fallback to JSON blob
*/
export const GET = withRouteHandler(
async (request: NextRequest, { params }: { params: Promise<{ id: string }> }) => {
const requestId = generateRequestId()
const startTime = Date.now()
const { id: workflowId } = await params
try {
const auth = await checkHybridAuth(request, { requireWorkflowId: false })
if (!auth.success) {
logger.warn(`[${requestId}] Unauthorized access attempt for workflow ${workflowId}`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const isInternalCall = auth.authType === AuthType.INTERNAL_JWT
const userId = auth.userId || null
let workflowData = await getWorkflowById(workflowId)
if (!workflowData) {
logger.warn(`[${requestId}] Workflow ${workflowId} not found`)
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
}
if (auth.apiKeyType === 'workspace' && auth.workspaceId !== workflowData.workspaceId) {
return NextResponse.json(
{ error: 'API key is not authorized for this workspace' },
{ status: 403 }
)
}
if (isInternalCall && !userId) {
// Internal system calls (e.g. workflow-in-workflow executor) may not carry a userId.
// These are already authenticated via internal JWT; allow read access.
logger.info(`[${requestId}] Internal API call for workflow ${workflowId}`)
} else if (!userId) {
logger.warn(`[${requestId}] Unauthorized access attempt for workflow ${workflowId}`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
} else {
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'read',
})
if (!authorization.workflow) {
logger.warn(`[${requestId}] Workflow ${workflowId} not found`)
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
}
workflowData = authorization.workflow
if (!authorization.allowed) {
logger.warn(`[${requestId}] User ${userId} denied access to workflow ${workflowId}`)
return NextResponse.json(
{ error: authorization.message || 'Access denied' },
{ status: authorization.status }
)
}
}
const snapshot = await db.transaction(async (tx) => {
await tx.execute(sql`SET TRANSACTION ISOLATION LEVEL REPEATABLE READ`)
const [normalizedData, [workflowRecord]] = await Promise.all([
loadWorkflowFromNormalizedTables(workflowId, tx),
tx.select().from(workflow).where(eq(workflow.id, workflowId)).limit(1),
])
return { normalizedData, workflowRecord }
})
const responseWorkflowData = snapshot.workflowRecord ?? workflowData
// Stamp `workflowId` from the path param on each variable so the
// global client-side variables store can filter by workflow without
// requiring persisted variables to carry a redundant `workflowId`.
// The persisted blob may or may not include `workflowId` depending on
// when the variable was last written; the path param is authoritative.
const persistedVariables =
(responseWorkflowData.variables as Record<string, Record<string, unknown>>) || {}
const stampedVariables: Record<string, Record<string, unknown>> = {}
for (const [variableId, variable] of Object.entries(persistedVariables)) {
if (variable && typeof variable === 'object') {
stampedVariables[variableId] = { ...variable, workflowId }
}
}
const workflowStateMetadata = {
name: responseWorkflowData.name,
...(typeof responseWorkflowData.description === 'string'
? { description: responseWorkflowData.description }
: {}),
}
if (snapshot.normalizedData) {
const finalWorkflowData = {
...responseWorkflowData,
state: {
blocks: snapshot.normalizedData.blocks,
edges: snapshot.normalizedData.edges,
loops: snapshot.normalizedData.loops,
parallels: snapshot.normalizedData.parallels,
lastSaved: Date.now(),
isDeployed: responseWorkflowData.isDeployed || false,
deployedAt: responseWorkflowData.deployedAt,
metadata: workflowStateMetadata,
},
variables: stampedVariables,
}
logger.info(`[${requestId}] Loaded workflow ${workflowId} from normalized tables`)
const elapsed = Date.now() - startTime
logger.info(`[${requestId}] Successfully fetched workflow ${workflowId} in ${elapsed}ms`)
return NextResponse.json({ data: finalWorkflowData }, { status: 200 })
}
const emptyWorkflowData = {
...responseWorkflowData,
state: {
blocks: {},
edges: [],
loops: {},
parallels: {},
lastSaved: Date.now(),
isDeployed: responseWorkflowData.isDeployed || false,
deployedAt: responseWorkflowData.deployedAt,
metadata: workflowStateMetadata,
},
variables: stampedVariables,
}
return NextResponse.json({ data: emptyWorkflowData }, { status: 200 })
} catch (error: any) {
const elapsed = Date.now() - startTime
logger.error(`[${requestId}] Error fetching workflow ${workflowId} after ${elapsed}ms`, error)
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
}
}
)
/**
* DELETE /api/workflows/[id]
* Delete a workflow by ID
*/
export const DELETE = withRouteHandler(
async (request: NextRequest, { params }: { params: Promise<{ id: string }> }) => {
const requestId = generateRequestId()
const startTime = Date.now()
const { id: workflowId } = await params
try {
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized deletion attempt for workflow ${workflowId}`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'write',
})
const workflowData = authorization.workflow || (await getWorkflowById(workflowId))
if (!workflowData) {
logger.warn(`[${requestId}] Workflow ${workflowId} not found for deletion`)
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
}
const canDelete = authorization.allowed
if (!canDelete) {
logger.warn(
`[${requestId}] User ${userId} denied permission to delete workflow ${workflowId}`
)
return NextResponse.json(
{ error: authorization.message || 'Access denied' },
{ status: authorization.status || 403 }
)
}
await assertWorkflowMutable(workflowId)
const result = await performDeleteWorkflow({
workflowId,
userId,
requestId,
})
if (!result.success) {
const status =
result.errorCode === 'not_found' ? 404 : result.errorCode === 'validation' ? 400 : 500
return NextResponse.json({ error: result.error }, { status })
}
captureServerEvent(
userId,
'workflow_deleted',
{ workflow_id: workflowId, workspace_id: workflowData.workspaceId ?? '' },
workflowData.workspaceId ? { groups: { workspace: workflowData.workspaceId } } : undefined
)
const elapsed = Date.now() - startTime
logger.info(`[${requestId}] Successfully archived workflow ${workflowId} in ${elapsed}ms`)
return NextResponse.json({ success: true }, { status: 200 })
} catch (error: any) {
if (error instanceof WorkflowLockedError) {
return NextResponse.json({ error: error.message }, { status: error.status })
}
const elapsed = Date.now() - startTime
logger.error(`[${requestId}] Error deleting workflow ${workflowId} after ${elapsed}ms`, error)
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
}
}
)
/**
* PUT /api/workflows/[id]
* Update workflow metadata (name, description, folderId)
*/
export const PUT = withRouteHandler(
async (request: NextRequest, context: { params: Promise<{ id: string }> }) => {
const requestId = generateRequestId()
const startTime = Date.now()
const { id: workflowId } = await context.params
try {
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized update attempt for workflow ${workflowId}`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
const parsed = await parseRequest(updateWorkflowContract, request, context)
if (!parsed.success) return parsed.response
const updates = parsed.data.body
// Fetch the workflow to check ownership/access
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'write',
})
const workflowData = authorization.workflow || (await getWorkflowById(workflowId))
if (!workflowData) {
logger.warn(`[${requestId}] Workflow ${workflowId} not found for update`)
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
}
const canUpdate = authorization.allowed
if (!canUpdate) {
logger.warn(
`[${requestId}] User ${userId} denied permission to update workflow ${workflowId}`
)
return NextResponse.json(
{ error: authorization.message || 'Access denied' },
{ status: authorization.status || 403 }
)
}
if (updates.locked !== undefined && authorization.workspacePermission !== 'admin') {
logger.warn(
`[${requestId}] User ${userId} denied permission to lock workflow ${workflowId}`
)
return NextResponse.json(
{ error: 'Admin access required to lock workflows' },
{ status: 403 }
)
}
const hasNonLockUpdate = Object.keys(updates).some((key) => key !== 'locked')
if (hasNonLockUpdate) {
await assertWorkflowMutable(workflowId)
}
if (updates.folderId !== undefined) {
await assertFolderMutable(updates.folderId)
}
if (!workflowData.workspaceId) {
logger.error(`[${requestId}] Workflow ${workflowId} has no workspaceId`)
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
}
const result = await performUpdateWorkflow({
workflowId,
userId,
workspaceId: workflowData.workspaceId,
currentName: workflowData.name,
currentFolderId: workflowData.folderId,
currentLocked: workflowData.locked,
...updates,
requestId,
})
if (!result.success || !result.workflow) {
const status =
result.errorCode === 'not_found'
? 404
: result.errorCode === 'conflict'
? 409
: result.errorCode === 'validation'
? 400
: 500
return NextResponse.json({ error: result.error }, { status })
}
const elapsed = Date.now() - startTime
logger.info(`[${requestId}] Successfully updated workflow ${workflowId} in ${elapsed}ms`, {
updates,
})
return NextResponse.json({ workflow: result.workflow }, { status: 200 })
} catch (error: any) {
if (error instanceof WorkflowLockedError || error instanceof FolderLockedError) {
return NextResponse.json({ error: error.message }, { status: error.status })
}
const elapsed = Date.now() - startTime
logger.error(`[${requestId}] Error updating workflow ${workflowId} after ${elapsed}ms`, error)
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
}
}
)