forked from farhoodlabs/paperclip
Antonio
cd19834fab
Adds two new webhook trigger signing modes for external provider compatibility: - github_hmac: accepts X-Hub-Signature-256 header with HMAC-SHA256(secret, rawBody), no timestamp prefix. Compatible with GitHub, Sentry, and services following the same standard. - none: no authentication; the 24-char hex publicId in the URL acts as the shared secret. For services that cannot add auth headers. The replay window UI field is hidden when these modes are selected since neither uses timestamp-based replay protection. Closes #1892 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
307 lines
11 KiB
TypeScript
307 lines
11 KiB
TypeScript
import { Router, type Request } from "express";
|
|
import type { Db } from "@paperclipai/db";
|
|
import {
|
|
createRoutineSchema,
|
|
createRoutineTriggerSchema,
|
|
rotateRoutineTriggerSecretSchema,
|
|
runRoutineSchema,
|
|
updateRoutineSchema,
|
|
updateRoutineTriggerSchema,
|
|
} from "@paperclipai/shared";
|
|
import { trackRoutineCreated } from "@paperclipai/shared/telemetry";
|
|
import { validate } from "../middleware/validate.js";
|
|
import { accessService, logActivity, routineService } from "../services/index.js";
|
|
import { assertCompanyAccess, getActorInfo } from "./authz.js";
|
|
import { forbidden, unauthorized } from "../errors.js";
|
|
import { getTelemetryClient } from "../telemetry.js";
|
|
|
|
export function routineRoutes(db: Db) {
|
|
const router = Router();
|
|
const svc = routineService(db);
|
|
const access = accessService(db);
|
|
|
|
async function assertBoardCanAssignTasks(req: Request, companyId: string) {
|
|
assertCompanyAccess(req, companyId);
|
|
if (req.actor.type !== "board") return;
|
|
if (req.actor.source === "local_implicit" || req.actor.isInstanceAdmin) return;
|
|
const allowed = await access.canUser(companyId, req.actor.userId, "tasks:assign");
|
|
if (!allowed) {
|
|
throw forbidden("Missing permission: tasks:assign");
|
|
}
|
|
}
|
|
|
|
function assertCanManageCompanyRoutine(req: Request, companyId: string, assigneeAgentId?: string | null) {
|
|
assertCompanyAccess(req, companyId);
|
|
if (req.actor.type === "board") return;
|
|
if (req.actor.type !== "agent" || !req.actor.agentId) throw unauthorized();
|
|
if (assigneeAgentId && assigneeAgentId !== req.actor.agentId) {
|
|
throw forbidden("Agents can only manage routines assigned to themselves");
|
|
}
|
|
}
|
|
|
|
async function assertCanManageExistingRoutine(req: Request, routineId: string) {
|
|
const routine = await svc.get(routineId);
|
|
if (!routine) return null;
|
|
assertCompanyAccess(req, routine.companyId);
|
|
if (req.actor.type === "board") return routine;
|
|
if (req.actor.type !== "agent" || !req.actor.agentId) throw unauthorized();
|
|
if (routine.assigneeAgentId !== req.actor.agentId) {
|
|
throw forbidden("Agents can only manage routines assigned to themselves");
|
|
}
|
|
return routine;
|
|
}
|
|
|
|
router.get("/companies/:companyId/routines", async (req, res) => {
|
|
const companyId = req.params.companyId as string;
|
|
assertCompanyAccess(req, companyId);
|
|
const result = await svc.list(companyId);
|
|
res.json(result);
|
|
});
|
|
|
|
router.post("/companies/:companyId/routines", validate(createRoutineSchema), async (req, res) => {
|
|
const companyId = req.params.companyId as string;
|
|
await assertBoardCanAssignTasks(req, companyId);
|
|
assertCanManageCompanyRoutine(req, companyId, req.body.assigneeAgentId);
|
|
const created = await svc.create(companyId, req.body, {
|
|
agentId: req.actor.type === "agent" ? req.actor.agentId : null,
|
|
userId: req.actor.type === "board" ? req.actor.userId ?? "board" : null,
|
|
});
|
|
const actor = getActorInfo(req);
|
|
await logActivity(db, {
|
|
companyId,
|
|
actorType: actor.actorType,
|
|
actorId: actor.actorId,
|
|
agentId: actor.agentId,
|
|
runId: actor.runId,
|
|
action: "routine.created",
|
|
entityType: "routine",
|
|
entityId: created.id,
|
|
details: { title: created.title, assigneeAgentId: created.assigneeAgentId },
|
|
});
|
|
const telemetryClient = getTelemetryClient();
|
|
if (telemetryClient) {
|
|
trackRoutineCreated(telemetryClient);
|
|
}
|
|
res.status(201).json(created);
|
|
});
|
|
|
|
router.get("/routines/:id", async (req, res) => {
|
|
const detail = await svc.getDetail(req.params.id as string);
|
|
if (!detail) {
|
|
res.status(404).json({ error: "Routine not found" });
|
|
return;
|
|
}
|
|
assertCompanyAccess(req, detail.companyId);
|
|
res.json(detail);
|
|
});
|
|
|
|
router.patch("/routines/:id", validate(updateRoutineSchema), async (req, res) => {
|
|
const routine = await assertCanManageExistingRoutine(req, req.params.id as string);
|
|
if (!routine) {
|
|
res.status(404).json({ error: "Routine not found" });
|
|
return;
|
|
}
|
|
const assigneeWillChange =
|
|
req.body.assigneeAgentId !== undefined &&
|
|
req.body.assigneeAgentId !== routine.assigneeAgentId;
|
|
if (assigneeWillChange) {
|
|
await assertBoardCanAssignTasks(req, routine.companyId);
|
|
}
|
|
const statusWillActivate =
|
|
req.body.status !== undefined &&
|
|
req.body.status === "active" &&
|
|
routine.status !== "active";
|
|
if (statusWillActivate) {
|
|
await assertBoardCanAssignTasks(req, routine.companyId);
|
|
}
|
|
if (req.actor.type === "agent" && req.body.assigneeAgentId && req.body.assigneeAgentId !== req.actor.agentId) {
|
|
throw forbidden("Agents can only assign routines to themselves");
|
|
}
|
|
const updated = await svc.update(routine.id, req.body, {
|
|
agentId: req.actor.type === "agent" ? req.actor.agentId : null,
|
|
userId: req.actor.type === "board" ? req.actor.userId ?? "board" : null,
|
|
});
|
|
const actor = getActorInfo(req);
|
|
await logActivity(db, {
|
|
companyId: routine.companyId,
|
|
actorType: actor.actorType,
|
|
actorId: actor.actorId,
|
|
agentId: actor.agentId,
|
|
runId: actor.runId,
|
|
action: "routine.updated",
|
|
entityType: "routine",
|
|
entityId: routine.id,
|
|
details: { title: updated?.title ?? routine.title },
|
|
});
|
|
res.json(updated);
|
|
});
|
|
|
|
router.get("/routines/:id/runs", async (req, res) => {
|
|
const routine = await svc.get(req.params.id as string);
|
|
if (!routine) {
|
|
res.status(404).json({ error: "Routine not found" });
|
|
return;
|
|
}
|
|
assertCompanyAccess(req, routine.companyId);
|
|
const limit = Number(req.query.limit ?? 50);
|
|
const result = await svc.listRuns(routine.id, Number.isFinite(limit) ? limit : 50);
|
|
res.json(result);
|
|
});
|
|
|
|
router.post("/routines/:id/triggers", validate(createRoutineTriggerSchema), async (req, res) => {
|
|
const routine = await assertCanManageExistingRoutine(req, req.params.id as string);
|
|
if (!routine) {
|
|
res.status(404).json({ error: "Routine not found" });
|
|
return;
|
|
}
|
|
await assertBoardCanAssignTasks(req, routine.companyId);
|
|
const created = await svc.createTrigger(routine.id, req.body, {
|
|
agentId: req.actor.type === "agent" ? req.actor.agentId : null,
|
|
userId: req.actor.type === "board" ? req.actor.userId ?? "board" : null,
|
|
});
|
|
const actor = getActorInfo(req);
|
|
await logActivity(db, {
|
|
companyId: routine.companyId,
|
|
actorType: actor.actorType,
|
|
actorId: actor.actorId,
|
|
agentId: actor.agentId,
|
|
runId: actor.runId,
|
|
action: "routine.trigger_created",
|
|
entityType: "routine_trigger",
|
|
entityId: created.trigger.id,
|
|
details: { routineId: routine.id, kind: created.trigger.kind },
|
|
});
|
|
res.status(201).json(created);
|
|
});
|
|
|
|
router.patch("/routine-triggers/:id", validate(updateRoutineTriggerSchema), async (req, res) => {
|
|
const trigger = await svc.getTrigger(req.params.id as string);
|
|
if (!trigger) {
|
|
res.status(404).json({ error: "Routine trigger not found" });
|
|
return;
|
|
}
|
|
const routine = await assertCanManageExistingRoutine(req, trigger.routineId);
|
|
if (!routine) {
|
|
res.status(404).json({ error: "Routine not found" });
|
|
return;
|
|
}
|
|
await assertBoardCanAssignTasks(req, routine.companyId);
|
|
const updated = await svc.updateTrigger(trigger.id, req.body, {
|
|
agentId: req.actor.type === "agent" ? req.actor.agentId : null,
|
|
userId: req.actor.type === "board" ? req.actor.userId ?? "board" : null,
|
|
});
|
|
const actor = getActorInfo(req);
|
|
await logActivity(db, {
|
|
companyId: routine.companyId,
|
|
actorType: actor.actorType,
|
|
actorId: actor.actorId,
|
|
agentId: actor.agentId,
|
|
runId: actor.runId,
|
|
action: "routine.trigger_updated",
|
|
entityType: "routine_trigger",
|
|
entityId: trigger.id,
|
|
details: { routineId: routine.id, kind: updated?.kind ?? trigger.kind },
|
|
});
|
|
res.json(updated);
|
|
});
|
|
|
|
router.delete("/routine-triggers/:id", async (req, res) => {
|
|
const trigger = await svc.getTrigger(req.params.id as string);
|
|
if (!trigger) {
|
|
res.status(404).json({ error: "Routine trigger not found" });
|
|
return;
|
|
}
|
|
const routine = await assertCanManageExistingRoutine(req, trigger.routineId);
|
|
if (!routine) {
|
|
res.status(404).json({ error: "Routine not found" });
|
|
return;
|
|
}
|
|
await svc.deleteTrigger(trigger.id);
|
|
const actor = getActorInfo(req);
|
|
await logActivity(db, {
|
|
companyId: routine.companyId,
|
|
actorType: actor.actorType,
|
|
actorId: actor.actorId,
|
|
agentId: actor.agentId,
|
|
runId: actor.runId,
|
|
action: "routine.trigger_deleted",
|
|
entityType: "routine_trigger",
|
|
entityId: trigger.id,
|
|
details: { routineId: routine.id, kind: trigger.kind },
|
|
});
|
|
res.status(204).end();
|
|
});
|
|
|
|
router.post(
|
|
"/routine-triggers/:id/rotate-secret",
|
|
validate(rotateRoutineTriggerSecretSchema),
|
|
async (req, res) => {
|
|
const trigger = await svc.getTrigger(req.params.id as string);
|
|
if (!trigger) {
|
|
res.status(404).json({ error: "Routine trigger not found" });
|
|
return;
|
|
}
|
|
const routine = await assertCanManageExistingRoutine(req, trigger.routineId);
|
|
if (!routine) {
|
|
res.status(404).json({ error: "Routine not found" });
|
|
return;
|
|
}
|
|
const rotated = await svc.rotateTriggerSecret(trigger.id, {
|
|
agentId: req.actor.type === "agent" ? req.actor.agentId : null,
|
|
userId: req.actor.type === "board" ? req.actor.userId ?? "board" : null,
|
|
});
|
|
const actor = getActorInfo(req);
|
|
await logActivity(db, {
|
|
companyId: routine.companyId,
|
|
actorType: actor.actorType,
|
|
actorId: actor.actorId,
|
|
agentId: actor.agentId,
|
|
runId: actor.runId,
|
|
action: "routine.trigger_secret_rotated",
|
|
entityType: "routine_trigger",
|
|
entityId: trigger.id,
|
|
details: { routineId: routine.id },
|
|
});
|
|
res.json(rotated);
|
|
},
|
|
);
|
|
|
|
router.post("/routines/:id/run", validate(runRoutineSchema), async (req, res) => {
|
|
const routine = await assertCanManageExistingRoutine(req, req.params.id as string);
|
|
if (!routine) {
|
|
res.status(404).json({ error: "Routine not found" });
|
|
return;
|
|
}
|
|
await assertBoardCanAssignTasks(req, routine.companyId);
|
|
const run = await svc.runRoutine(routine.id, req.body);
|
|
const actor = getActorInfo(req);
|
|
await logActivity(db, {
|
|
companyId: routine.companyId,
|
|
actorType: actor.actorType,
|
|
actorId: actor.actorId,
|
|
agentId: actor.agentId,
|
|
runId: actor.runId,
|
|
action: "routine.run_triggered",
|
|
entityType: "routine_run",
|
|
entityId: run.id,
|
|
details: { routineId: routine.id, source: run.source, status: run.status },
|
|
});
|
|
res.status(202).json(run);
|
|
});
|
|
|
|
router.post("/routine-triggers/public/:publicId/fire", async (req, res) => {
|
|
const result = await svc.firePublicTrigger(req.params.publicId as string, {
|
|
authorizationHeader: req.header("authorization"),
|
|
signatureHeader: req.header("x-paperclip-signature"),
|
|
hubSignatureHeader: req.header("x-hub-signature-256"),
|
|
timestampHeader: req.header("x-paperclip-timestamp"),
|
|
idempotencyKey: req.header("idempotency-key"),
|
|
rawBody: (req as { rawBody?: Buffer }).rawBody ?? null,
|
|
payload: typeof req.body === "object" && req.body !== null ? req.body as Record<string, unknown> : null,
|
|
});
|
|
res.status(202).json(result);
|
|
});
|
|
|
|
return router;
|
|
}
|