v0.3.36: workflow block logs, whitelabeling configurability, session provider

Author: waleedlatif1

apps/sim/app/api/auth/socket-token/route.ts

@@ -4,8 +4,9 @@ import { auth } from '@/lib/auth'
 
 export async function POST() {
   try {
+    const hdrs = await headers()
     const response = await auth.api.generateOneTimeToken({
-      headers: await headers(),
+      headers: hdrs,
     })
 
     if (!response) {
@@ -14,7 +15,6 @@ export async function POST() {
 
     return NextResponse.json({ token: response.token })
   } catch (error) {
-    console.error('Error generating one-time token:', error)
     return NextResponse.json({ error: 'Failed to generate token' }, { status: 500 })
   }
 }

apps/sim/app/api/templates/[id]/route.ts

@@ -1,9 +1,11 @@
 import { eq, sql } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { createLogger } from '@/lib/logs/console/logger'
+import { hasAdminPermission } from '@/lib/permissions/utils'
 import { db } from '@/db'
-import { templates } from '@/db/schema'
+import { templates, workflow } from '@/db/schema'
 
 const logger = createLogger('TemplateByIdAPI')
 
@@ -62,3 +64,153 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
     return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
   }
 }
+
+const updateTemplateSchema = z.object({
+  name: z.string().min(1).max(100),
+  description: z.string().min(1).max(500),
+  author: z.string().min(1).max(100),
+  category: z.string().min(1),
+  icon: z.string().min(1),
+  color: z.string().regex(/^#[0-9A-F]{6}$/i),
+  state: z.any().optional(), // Workflow state
+})
+
+// PUT /api/templates/[id] - Update a template
+export async function PUT(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const requestId = crypto.randomUUID().slice(0, 8)
+  const { id } = await params
+
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      logger.warn(`[${requestId}] Unauthorized template update attempt for ID: ${id}`)
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const body = await request.json()
+    const validationResult = updateTemplateSchema.safeParse(body)
+
+    if (!validationResult.success) {
+      logger.warn(`[${requestId}] Invalid template data for update: ${id}`, validationResult.error)
+      return NextResponse.json(
+        { error: 'Invalid template data', details: validationResult.error.errors },
+        { status: 400 }
+      )
+    }
+
+    const { name, description, author, category, icon, color, state } = validationResult.data
+
+    // Check if template exists
+    const existingTemplate = await db.select().from(templates).where(eq(templates.id, id)).limit(1)
+
+    if (existingTemplate.length === 0) {
+      logger.warn(`[${requestId}] Template not found for update: ${id}`)
+      return NextResponse.json({ error: 'Template not found' }, { status: 404 })
+    }
+
+    // Permission: template owner OR admin of the workflow's workspace (if any)
+    let canUpdate = existingTemplate[0].userId === session.user.id
+
+    if (!canUpdate && existingTemplate[0].workflowId) {
+      const wfRows = await db
+        .select({ workspaceId: workflow.workspaceId })
+        .from(workflow)
+        .where(eq(workflow.id, existingTemplate[0].workflowId))
+        .limit(1)
+
+      const workspaceId = wfRows[0]?.workspaceId as string | null | undefined
+      if (workspaceId) {
+        const hasAdmin = await hasAdminPermission(session.user.id, workspaceId)
+        if (hasAdmin) canUpdate = true
+      }
+    }
+
+    if (!canUpdate) {
+      logger.warn(`[${requestId}] User denied permission to update template ${id}`)
+      return NextResponse.json({ error: 'Access denied' }, { status: 403 })
+    }
+
+    // Update the template
+    const updatedTemplate = await db
+      .update(templates)
+      .set({
+        name,
+        description,
+        author,
+        category,
+        icon,
+        color,
+        ...(state && { state }),
+        updatedAt: new Date(),
+      })
+      .where(eq(templates.id, id))
+      .returning()
+
+    logger.info(`[${requestId}] Successfully updated template: ${id}`)
+
+    return NextResponse.json({
+      data: updatedTemplate[0],
+      message: 'Template updated successfully',
+    })
+  } catch (error: any) {
+    logger.error(`[${requestId}] Error updating template: ${id}`, error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+// DELETE /api/templates/[id] - Delete a template
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const requestId = crypto.randomUUID().slice(0, 8)
+  const { id } = await params
+
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      logger.warn(`[${requestId}] Unauthorized template delete attempt for ID: ${id}`)
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    // Fetch template
+    const existing = await db.select().from(templates).where(eq(templates.id, id)).limit(1)
+    if (existing.length === 0) {
+      logger.warn(`[${requestId}] Template not found for delete: ${id}`)
+      return NextResponse.json({ error: 'Template not found' }, { status: 404 })
+    }
+
+    const template = existing[0]
+
+    // Permission: owner or admin of the workflow's workspace (if any)
+    let canDelete = template.userId === session.user.id
+
+    if (!canDelete && template.workflowId) {
+      // Look up workflow to get workspaceId
+      const wfRows = await db
+        .select({ workspaceId: workflow.workspaceId })
+        .from(workflow)
+        .where(eq(workflow.id, template.workflowId))
+        .limit(1)
+
+      const workspaceId = wfRows[0]?.workspaceId as string | null | undefined
+      if (workspaceId) {
+        const hasAdmin = await hasAdminPermission(session.user.id, workspaceId)
+        if (hasAdmin) canDelete = true
+      }
+    }
+
+    if (!canDelete) {
+      logger.warn(`[${requestId}] User denied permission to delete template ${id}`)
+      return NextResponse.json({ error: 'Access denied' }, { status: 403 })
+    }
+
+    await db.delete(templates).where(eq(templates.id, id))
+
+    logger.info(`[${requestId}] Deleted template: ${id}`)
+    return NextResponse.json({ success: true })
+  } catch (error: any) {
+    logger.error(`[${requestId}] Error deleting template: ${id}`, error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}

apps/sim/app/api/templates/route.ts

@@ -77,6 +77,7 @@ const QueryParamsSchema = z.object({
   limit: z.coerce.number().optional().default(50),
   offset: z.coerce.number().optional().default(0),
   search: z.string().optional(),
+  workflowId: z.string().optional(),
 })
 
 // GET /api/templates - Retrieve templates
@@ -111,6 +112,11 @@ export async function GET(request: NextRequest) {
       )
     }
 
+    // Apply workflow filter if provided (for getting template by workflow)
+    if (params.workflowId) {
+      conditions.push(eq(templates.workflowId, params.workflowId))
+    }
+
     // Combine conditions
     const whereCondition = conditions.length > 0 ? and(...conditions) : undefined
 

apps/sim/app/api/webhooks/[id]/route.ts

@@ -1,8 +1,10 @@
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
+import { env } from '@/lib/env'
 import { createLogger } from '@/lib/logs/console/logger'
 import { getUserEntityPermissions } from '@/lib/permissions/utils'
+import { getOAuthToken } from '@/app/api/auth/oauth/utils'
 import { db } from '@/db'
 import { webhook, workflow } from '@/db/schema'
 
@@ -242,6 +244,167 @@ export async function DELETE(
 
     const foundWebhook = webhookData.webhook
 
+    // If it's an Airtable webhook, delete it from Airtable first
+    if (foundWebhook.provider === 'airtable') {
+      try {
+        const { baseId, externalId } = (foundWebhook.providerConfig || {}) as {
+          baseId?: string
+          externalId?: string
+        }
+
+        if (!baseId) {
+          logger.warn(`[${requestId}] Missing baseId for Airtable webhook deletion.`, {
+            webhookId: id,
+          })
+          return NextResponse.json(
+            { error: 'Missing baseId for Airtable webhook deletion' },
+            { status: 400 }
+          )
+        }
+
+        // Get access token for the workflow owner
+        const userIdForToken = webhookData.workflow.userId
+        const accessToken = await getOAuthToken(userIdForToken, 'airtable')
+        if (!accessToken) {
+          logger.warn(
+            `[${requestId}] Could not retrieve Airtable access token for user ${userIdForToken}. Cannot delete webhook in Airtable.`,
+            { webhookId: id }
+          )
+          return NextResponse.json(
+            { error: 'Airtable access token not found for webhook deletion' },
+            { status: 401 }
+          )
+        }
+
+        // Resolve externalId if missing by listing webhooks and matching our notificationUrl
+        let resolvedExternalId: string | undefined = externalId
+
+        if (!resolvedExternalId) {
+          try {
+            const requestOrigin = new URL(request.url).origin
+            const effectiveOrigin = requestOrigin.includes('localhost')
+              ? env.NEXT_PUBLIC_APP_URL || requestOrigin
+              : requestOrigin
+            const expectedNotificationUrl = `${effectiveOrigin}/api/webhooks/trigger/${foundWebhook.path}`
+
+            const listUrl = `https://api.airtable.com/v0/bases/${baseId}/webhooks`
+            const listResp = await fetch(listUrl, {
+              headers: {
+                Authorization: `Bearer ${accessToken}`,
+              },
+            })
+            const listBody = await listResp.json().catch(() => null)
+
+            if (listResp.ok && listBody && Array.isArray(listBody.webhooks)) {
+              const match = listBody.webhooks.find((w: any) => {
+                const url: string | undefined = w?.notificationUrl
+                if (!url) return false
+                // Prefer exact match; fallback to suffix match to handle origin/host remaps
+                return (
+                  url === expectedNotificationUrl ||
+                  url.endsWith(`/api/webhooks/trigger/${foundWebhook.path}`)
+                )
+              })
+              if (match?.id) {
+                resolvedExternalId = match.id as string
+                // Persist resolved externalId for future operations
+                try {
+                  await db
+                    .update(webhook)
+                    .set({
+                      providerConfig: {
+                        ...(foundWebhook.providerConfig || {}),
+                        externalId: resolvedExternalId,
+                      },
+                      updatedAt: new Date(),
+                    })
+                    .where(eq(webhook.id, id))
+                } catch {
+                  // non-fatal persistence error
+                }
+                logger.info(`[${requestId}] Resolved Airtable externalId by listing webhooks`, {
+                  baseId,
+                  externalId: resolvedExternalId,
+                })
+              } else {
+                logger.warn(`[${requestId}] Could not resolve Airtable externalId from list`, {
+                  baseId,
+                  expectedNotificationUrl,
+                })
+              }
+            } else {
+              logger.warn(`[${requestId}] Failed to list Airtable webhooks to resolve externalId`, {
+                baseId,
+                status: listResp.status,
+                body: listBody,
+              })
+            }
+          } catch (e: any) {
+            logger.warn(`[${requestId}] Error attempting to resolve Airtable externalId`, {
+              error: e?.message,
+            })
+          }
+        }
+
+        // If still not resolvable, skip remote deletion but proceed with local delete
+        if (!resolvedExternalId) {
+          logger.info(
+            `[${requestId}] Airtable externalId not found; skipping remote deletion and proceeding to remove local record`,
+            { baseId }
+          )
+        }
+
+        if (resolvedExternalId) {
+          const airtableDeleteUrl = `https://api.airtable.com/v0/bases/${baseId}/webhooks/${resolvedExternalId}`
+          const airtableResponse = await fetch(airtableDeleteUrl, {
+            method: 'DELETE',
+            headers: {
+              Authorization: `Bearer ${accessToken}`,
+            },
+          })
+
+          // Attempt to parse error body for better diagnostics
+          if (!airtableResponse.ok) {
+            let responseBody: any = null
+            try {
+              responseBody = await airtableResponse.json()
+            } catch {
+              // ignore parse errors
+            }
+
+            logger.error(
+              `[${requestId}] Failed to delete Airtable webhook in Airtable. Status: ${airtableResponse.status}`,
+              { baseId, externalId: resolvedExternalId, response: responseBody }
+            )
+            return NextResponse.json(
+              {
+                error: 'Failed to delete webhook from Airtable',
+                details:
+                  (responseBody && (responseBody.error?.message || responseBody.error)) ||
+                  `Status ${airtableResponse.status}`,
+              },
+              { status: 500 }
+            )
+          }
+
+          logger.info(`[${requestId}] Successfully deleted Airtable webhook in Airtable`, {
+            baseId,
+            externalId: resolvedExternalId,
+          })
+        }
+      } catch (error: any) {
+        logger.error(`[${requestId}] Error deleting Airtable webhook`, {
+          webhookId: id,
+          error: error.message,
+          stack: error.stack,
+        })
+        return NextResponse.json(
+          { error: 'Failed to delete webhook from Airtable', details: error.message },
+          { status: 500 }
+        )
+      }
+    }
+
     // If it's a Telegram webhook, delete it from Telegram first
     if (foundWebhook.provider === 'telegram') {
       try {