simstudioai
diff --git a/‎apps/sim/app/api/tools/custom/route.test.ts‎
Lines changed: 146 additions & 123 deletions b/‎apps/sim/app/api/tools/custom/route.test.ts‎
Lines changed: 146 additions & 123 deletions
@@ -12,6 +12,7 @@ describe('Custom Tools API Routes', () => {
   const sampleTools = [
     {
       id: 'tool-1',
+      workspaceId: 'workspace-123',
       userId: 'user-123',
       title: 'Weather Tool',
       schema: {
@@ -37,6 +38,7 @@ describe('Custom Tools API Routes', () => {
     },
     {
       id: 'tool-2',
+      workspaceId: 'workspace-123',
       userId: 'user-123',
       title: 'Calculator Tool',
       schema: {
@@ -82,7 +84,20 @@ describe('Custom Tools API Routes', () => {
     // Reset all mock implementations
     mockSelect.mockReturnValue({ from: mockFrom })
     mockFrom.mockReturnValue({ where: mockWhere })
-    mockWhere.mockReturnValue({ limit: mockLimit })
+    // where() can be called with limit() or directly awaited
+    // Create a mock query builder that supports both patterns
+    mockWhere.mockImplementation((condition) => {
+      // Return an object that is both awaitable and has a limit() method
+      const queryBuilder = {
+        limit: mockLimit,
+        then: (resolve: (value: typeof sampleTools) => void) => {
+          resolve(sampleTools)
+          return queryBuilder
+        },
+        catch: (reject: (error: Error) => void) => queryBuilder,
+      }
+      return queryBuilder
+    })
     mockLimit.mockResolvedValue(sampleTools)
     mockInsert.mockReturnValue({ values: mockValues })
     mockValues.mockResolvedValue({ id: 'new-tool-id' })
@@ -99,11 +114,34 @@ describe('Custom Tools API Routes', () => {
         delete: mockDelete,
         transaction: vi.fn().mockImplementation(async (callback) => {
           // Execute the callback with a transaction object that has the same methods
+          // Create transaction-specific mocks that follow the same pattern
+          const txMockSelect = vi.fn().mockReturnValue({ from: mockFrom })
+          const txMockInsert = vi.fn().mockReturnValue({ values: mockValues })
+          const txMockUpdate = vi.fn().mockReturnValue({ set: mockSet })
+          const txMockDelete = vi.fn().mockReturnValue({ where: mockWhere })
+
+          // Transaction where() should also support the query builder pattern
+          const txMockWhere = vi.fn().mockImplementation((condition) => {
+            const queryBuilder = {
+              limit: mockLimit,
+              then: (resolve: (value: typeof sampleTools) => void) => {
+                resolve(sampleTools)
+                return queryBuilder
+              },
+              catch: (reject: (error: Error) => void) => queryBuilder,
+            }
+            return queryBuilder
+          })
+
+          // Update mockFrom to return txMockWhere for transaction queries
+          const txMockFrom = vi.fn().mockReturnValue({ where: txMockWhere })
+          txMockSelect.mockReturnValue({ from: txMockFrom })
+
           return await callback({
-            select: mockSelect,
-            insert: mockInsert,
-            update: mockUpdate,
-            delete: mockDelete,
+            select: txMockSelect,
+            insert: txMockInsert,
+            update: txMockUpdate,
+            delete: txMockDelete,
           })
         }),
       },
@@ -112,8 +150,15 @@ describe('Custom Tools API Routes', () => {
     // Mock schema
     vi.doMock('@sim/db/schema', () => ({
       customTools: {
-        userId: 'userId', // Add these properties to enable WHERE clauses with eq()
         id: 'id',
+        workspaceId: 'workspaceId',
+        userId: 'userId',
+        title: 'title',
+      },
+      workflow: {
+        id: 'id',
+        workspaceId: 'workspaceId',
+        userId: 'userId',
       },
     }))
 
@@ -122,9 +167,18 @@ describe('Custom Tools API Routes', () => {
       getSession: vi.fn().mockResolvedValue(mockSession),
     }))
 
-    // Mock getUserId
-    vi.doMock('@/app/api/auth/oauth/utils', () => ({
-      getUserId: vi.fn().mockResolvedValue('user-123'),
+    // Mock hybrid auth
+    vi.doMock('@/lib/auth/hybrid', () => ({
+      checkHybridAuth: vi.fn().mockResolvedValue({
+        success: true,
+        userId: 'user-123',
+        authType: 'session',
+      }),
+    }))
+
+    // Mock permissions
+    vi.doMock('@/lib/permissions/utils', () => ({
+      getUserEntityPermissions: vi.fn().mockResolvedValue('admin'),
     }))
 
     // Mock logger
@@ -137,14 +191,23 @@ describe('Custom Tools API Routes', () => {
       }),
     }))
 
-    // Mock eq function from drizzle-orm
+    // Mock drizzle-orm functions
     vi.doMock('drizzle-orm', async () => {
       const actual = await vi.importActual('drizzle-orm')
       return {
         ...(actual as object),
         eq: vi.fn().mockImplementation((field, value) => ({ field, value, operator: 'eq' })),
+        and: vi.fn().mockImplementation((...conditions) => ({ operator: 'and', conditions })),
+        or: vi.fn().mockImplementation((...conditions) => ({ operator: 'or', conditions })),
+        isNull: vi.fn().mockImplementation((field) => ({ field, operator: 'isNull' })),
+        ne: vi.fn().mockImplementation((field, value) => ({ field, value, operator: 'ne' })),
       }
     })
+
+    // Mock utils
+    vi.doMock('@/lib/utils', () => ({
+      generateRequestId: vi.fn().mockReturnValue('test-request-id'),
+    }))
   })
 
   afterEach(() => {
@@ -155,9 +218,11 @@ describe('Custom Tools API Routes', () => {
    * Test GET endpoint
    */
   describe('GET /api/tools/custom', () => {
-    it('should return tools for authenticated user', async () => {
-      // Create mock request
-      const req = createMockRequest('GET')
+    it('should return tools for authenticated user with workspaceId', async () => {
+      // Create mock request with workspaceId
+      const req = new NextRequest(
+        'http://localhost:3000/api/tools/custom?workspaceId=workspace-123'
+      )
 
       // Simulate DB returning tools
       mockWhere.mockReturnValueOnce(Promise.resolve(sampleTools))
@@ -182,11 +247,16 @@ describe('Custom Tools API Routes', () => {
 
     it('should handle unauthorized access', async () => {
       // Create mock request
-      const req = createMockRequest('GET')
-
-      // Mock session to return no user
-      vi.doMock('@/lib/auth', () => ({
-        getSession: vi.fn().mockResolvedValue(null),
+      const req = new NextRequest(
+        'http://localhost:3000/api/tools/custom?workspaceId=workspace-123'
+      )
+
+      // Mock hybrid auth to return unauthorized
+      vi.doMock('@/lib/auth/hybrid', () => ({
+        checkHybridAuth: vi.fn().mockResolvedValue({
+          success: false,
+          error: 'Unauthorized',
+        }),
       }))
 
       // Import handler after mocks are set up
@@ -205,114 +275,53 @@ describe('Custom Tools API Routes', () => {
       // Create mock request with workflowId parameter
       const req = new NextRequest('http://localhost:3000/api/tools/custom?workflowId=workflow-123')
 
-      // Import handler after mocks are set up
-      const { GET } = await import('@/app/api/tools/custom/route')
-
-      // Call the handler
-      const _response = await GET(req)
-
-      // Verify getUserId was called with correct parameters
-      const getUserId = (await import('@/app/api/auth/oauth/utils')).getUserId
-      expect(getUserId).toHaveBeenCalledWith(expect.any(String), 'workflow-123')
-
-      // Verify DB query filters by user
-      expect(mockWhere).toHaveBeenCalled()
-    })
-  })
-
-  /**
-   * Test POST endpoint
-   */
-  describe('POST /api/tools/custom', () => {
-    it('should create new tools when IDs are not provided', async () => {
-      // Create test tool data
-      const newTool = {
-        title: 'New Tool',
-        schema: {
-          type: 'function',
-          function: {
-            name: 'newTool',
-            description: 'A brand new tool',
-            parameters: {
-              type: 'object',
-              properties: {},
-              required: [],
-            },
-          },
-        },
-        code: 'return "hello world";',
-      }
-
-      // Create mock request with new tool
-      const req = createMockRequest('POST', { tools: [newTool] })
-
-      // Import handler after mocks are set up
-      const { POST } = await import('@/app/api/tools/custom/route')
-
-      // Call the handler
-      const response = await POST(req)
-      const data = await response.json()
-
-      // Verify response
-      expect(response.status).toBe(200)
-      expect(data).toHaveProperty('success', true)
+      // Mock workflow lookup to return workspaceId (for limit(1) call)
+      mockLimit.mockResolvedValueOnce([{ workspaceId: 'workspace-123' }])
 
-      // Verify insert was called with correct parameters
-      expect(mockInsert).toHaveBeenCalled()
-      expect(mockValues).toHaveBeenCalled()
-    })
-
-    it('should update existing tools when ID is provided', async () => {
-      // Create test tool data with ID
-      const updateTool = {
-        id: 'tool-1',
-        title: 'Updated Weather Tool',
-        schema: {
-          type: 'function',
-          function: {
-            name: 'getWeatherUpdate',
-            description: 'Get updated weather information',
-            parameters: {
-              type: 'object',
-              properties: {},
-              required: [],
-            },
+      // Mock the where() call for fetching tools (returns awaitable query builder)
+      mockWhere.mockImplementationOnce((condition) => {
+        const queryBuilder = {
+          limit: mockLimit,
+          then: (resolve: (value: typeof sampleTools) => void) => {
+            resolve(sampleTools)
+            return queryBuilder
           },
-        },
-        code: 'return { temperature: 75, conditions: "partly cloudy" };',
-      }
-
-      // Mock DB to find existing tool
-      mockLimit.mockResolvedValueOnce([sampleTools[0]])
-
-      // Create mock request with tool update
-      const req = createMockRequest('POST', { tools: [updateTool] })
+          catch: (reject: (error: Error) => void) => queryBuilder,
+        }
+        return queryBuilder
+      })
 
       // Import handler after mocks are set up
-      const { POST } = await import('@/app/api/tools/custom/route')
+      const { GET } = await import('@/app/api/tools/custom/route')
 
       // Call the handler
-      const response = await POST(req)
+      const response = await GET(req)
       const data = await response.json()
 
       // Verify response
       expect(response.status).toBe(200)
-      expect(data).toHaveProperty('success', true)
+      expect(data).toHaveProperty('data')
 
-      // Verify update was called with correct parameters
-      expect(mockUpdate).toHaveBeenCalled()
-      expect(mockSet).toHaveBeenCalled()
+      // Verify DB query was called
       expect(mockWhere).toHaveBeenCalled()
     })
+  })
 
+  /**
+   * Test POST endpoint
+   */
+  describe('POST /api/tools/custom', () => {
     it('should reject unauthorized requests', async () => {
-      // Mock session to return no user
-      vi.doMock('@/lib/auth', () => ({
-        getSession: vi.fn().mockResolvedValue(null),
+      // Mock hybrid auth to return unauthorized
+      vi.doMock('@/lib/auth/hybrid', () => ({
+        checkHybridAuth: vi.fn().mockResolvedValue({
+          success: false,
+          error: 'Unauthorized',
+        }),
       }))
 
       // Create mock request
-      const req = createMockRequest('POST', { tools: [] })
+      const req = createMockRequest('POST', { tools: [], workspaceId: 'workspace-123' })
 
       // Import handler after mocks are set up
       const { POST } = await import('@/app/api/tools/custom/route')
@@ -333,8 +342,8 @@ describe('Custom Tools API Routes', () => {
         code: 'return "invalid";',
       }
 
-      // Create mock request with invalid tool
-      const req = createMockRequest('POST', { tools: [invalidTool] })
+      // Create mock request with invalid tool and workspaceId
+      const req = createMockRequest('POST', { tools: [invalidTool], workspaceId: 'workspace-123' })
 
       // Import handler after mocks are set up
       const { POST } = await import('@/app/api/tools/custom/route')
@@ -354,12 +363,14 @@ describe('Custom Tools API Routes', () => {
    * Test DELETE endpoint
    */
   describe('DELETE /api/tools/custom', () => {
-    it('should delete a tool by ID', async () => {
-      // Mock finding existing tool
+    it('should delete a workspace-scoped tool by ID', async () => {
+      // Mock finding existing workspace-scoped tool
       mockLimit.mockResolvedValueOnce([sampleTools[0]])
 
-      // Create mock request with ID parameter
-      const req = new NextRequest('http://localhost:3000/api/tools/custom?id=tool-1')
+      // Create mock request with ID and workspaceId parameters
+      const req = new NextRequest(
+        'http://localhost:3000/api/tools/custom?id=tool-1&workspaceId=workspace-123'
+      )
 
       // Import handler after mocks are set up
       const { DELETE } = await import('@/app/api/tools/custom/route')
@@ -412,12 +423,21 @@ describe('Custom Tools API Routes', () => {
       expect(data).toHaveProperty('error', 'Tool not found')
     })
 
-    it('should prevent unauthorized deletion', async () => {
-      // Mock finding tool that belongs to a different user
-      const otherUserTool = { ...sampleTools[0], userId: 'different-user' }
-      mockLimit.mockResolvedValueOnce([otherUserTool])
+    it('should prevent unauthorized deletion of user-scoped tool', async () => {
+      // Mock hybrid auth for the DELETE request
+      vi.doMock('@/lib/auth/hybrid', () => ({
+        checkHybridAuth: vi.fn().mockResolvedValue({
+          success: true,
+          userId: 'user-456', // Different user
+          authType: 'session',
+        }),
+      }))
 
-      // Create mock request
+      // Mock finding user-scoped tool (no workspaceId) that belongs to user-123
+      const userScopedTool = { ...sampleTools[0], workspaceId: null, userId: 'user-123' }
+      mockLimit.mockResolvedValueOnce([userScopedTool])
+
+      // Create mock request (no workspaceId for user-scoped tool)
       const req = new NextRequest('http://localhost:3000/api/tools/custom?id=tool-1')
 
       // Import handler after mocks are set up
@@ -429,13 +449,16 @@ describe('Custom Tools API Routes', () => {
 
       // Verify response
       expect(response.status).toBe(403)
-      expect(data).toHaveProperty('error', 'Unauthorized')
+      expect(data).toHaveProperty('error', 'Access denied')
     })
 
     it('should reject unauthorized requests', async () => {
-      // Mock session to return no user
-      vi.doMock('@/lib/auth', () => ({
-        getSession: vi.fn().mockResolvedValue(null),
+      // Mock hybrid auth to return unauthorized
+      vi.doMock('@/lib/auth/hybrid', () => ({
+        checkHybridAuth: vi.fn().mockResolvedValue({
+          success: false,
+          error: 'Unauthorized',
+        }),
       }))
 
       // Create mock request