d25d482dc2
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
112 lines
3.1 KiB
TypeScript
112 lines
3.1 KiB
TypeScript
import { db } from '@sim/db'
|
|
import { dataDrains, member } from '@sim/db/schema'
|
|
import { and, eq } from 'drizzle-orm'
|
|
import { NextResponse } from 'next/server'
|
|
import { getSession } from '@/lib/auth'
|
|
import { isOrganizationOnEnterprisePlan } from '@/lib/billing/core/subscription'
|
|
import { isBillingEnabled, isDataDrainsEnabled } from '@/lib/core/config/env-flags'
|
|
|
|
interface DrainAccessSession {
|
|
user: {
|
|
id: string
|
|
name?: string | null
|
|
email?: string | null
|
|
}
|
|
membership: {
|
|
role: string
|
|
}
|
|
}
|
|
|
|
export type DrainAccessResult =
|
|
| { ok: true; session: DrainAccessSession }
|
|
| { ok: false; response: NextResponse }
|
|
|
|
/**
|
|
* Auth + membership + role + enterprise-plan gate shared by every data-drain
|
|
* route. Owner/admin role is required for reads as well as writes since drain
|
|
* configs expose customer bucket names and webhook URLs. On Sim Cloud the
|
|
* gate is the Enterprise plan; on self-hosted it's `DATA_DRAINS_ENABLED`,
|
|
* which 404s when unset so a newer image doesn't silently expose drains.
|
|
*/
|
|
export async function authorizeDrainAccess(
|
|
organizationId: string,
|
|
options: { requireMutating: boolean }
|
|
): Promise<DrainAccessResult> {
|
|
const session = await getSession()
|
|
if (!session?.user?.id) {
|
|
return { ok: false, response: NextResponse.json({ error: 'Unauthorized' }, { status: 401 }) }
|
|
}
|
|
|
|
const [memberEntry] = await db
|
|
.select({ role: member.role })
|
|
.from(member)
|
|
.where(and(eq(member.organizationId, organizationId), eq(member.userId, session.user.id)))
|
|
.limit(1)
|
|
|
|
if (!memberEntry) {
|
|
return {
|
|
ok: false,
|
|
response: NextResponse.json(
|
|
{ error: 'Forbidden - Not a member of this organization' },
|
|
{ status: 403 }
|
|
),
|
|
}
|
|
}
|
|
|
|
if (!isBillingEnabled && !isDataDrainsEnabled) {
|
|
return {
|
|
ok: false,
|
|
response: NextResponse.json(
|
|
{ error: 'Data Drains are not enabled on this deployment' },
|
|
{ status: 404 }
|
|
),
|
|
}
|
|
}
|
|
if (isBillingEnabled) {
|
|
const hasEnterprise = await isOrganizationOnEnterprisePlan(organizationId)
|
|
if (!hasEnterprise) {
|
|
return {
|
|
ok: false,
|
|
response: NextResponse.json(
|
|
{ error: 'Data Drains are available on Enterprise plans only' },
|
|
{ status: 403 }
|
|
),
|
|
}
|
|
}
|
|
}
|
|
if (memberEntry.role !== 'owner' && memberEntry.role !== 'admin') {
|
|
return {
|
|
ok: false,
|
|
response: NextResponse.json(
|
|
{
|
|
error: options.requireMutating
|
|
? 'Forbidden - Only organization owners and admins can manage data drains'
|
|
: 'Forbidden - Only organization owners and admins can view data drains',
|
|
},
|
|
{ status: 403 }
|
|
),
|
|
}
|
|
}
|
|
|
|
return {
|
|
ok: true,
|
|
session: {
|
|
user: {
|
|
id: session.user.id,
|
|
name: session.user.name ?? null,
|
|
email: session.user.email ?? null,
|
|
},
|
|
membership: { role: memberEntry.role },
|
|
},
|
|
}
|
|
}
|
|
|
|
export async function loadDrain(organizationId: string, drainId: string) {
|
|
const [drain] = await db
|
|
.select()
|
|
.from(dataDrains)
|
|
.where(and(eq(dataDrains.id, drainId), eq(dataDrains.organizationId, organizationId)))
|
|
.limit(1)
|
|
return drain ?? null
|
|
}
|