Merge branch 'main' into chore(webapp)-add-200-and-500-percent-billing-alerts

samejr · web-flow · commit 3c7750a08e52 · 2025-09-30T13:54:02.000-07:00
diff --git a/apps/webapp/app/env.server.ts b/apps/webapp/app/env.server.ts
@@ -59,6 +59,7 @@ const EnvironmentSchema = z
     ADMIN_EMAILS: z.string().refine(isValidRegex, "ADMIN_EMAILS must be a valid regex.").optional(),
     REMIX_APP_PORT: z.string().optional(),
     LOGIN_ORIGIN: z.string().default("http://localhost:3030"),
+    LOGIN_RATE_LIMITS_ENABLED: BoolEnv.default(true),
     APP_ORIGIN: z.string().default("http://localhost:3030"),
     API_ORIGIN: z.string().optional(),
     STREAM_ORIGIN: z.string().optional(),
diff --git a/apps/webapp/app/root.tsx b/apps/webapp/app/root.tsx
@@ -20,6 +20,13 @@ export const links: LinksFunction = () => {
   return [{ rel: "stylesheet", href: tailwindStylesheetUrl }];
 };
 
+export const headers = () => ({
+  "Referrer-Policy": "strict-origin-when-cross-origin",
+  "X-Content-Type-Options": "nosniff",
+  "Permissions-Policy":
+    "geolocation=(), microphone=(), camera=(), accelerometer=(), gyroscope=(), magnetometer=(), payment=(), usb=()",
+});
+
 export const meta: MetaFunction = ({ data }) => {
   const typedData = data as UseDataFunctionReturn<typeof loader>;
   return [
diff --git a/apps/webapp/app/routes/login.magic/route.tsx b/apps/webapp/app/routes/login.magic/route.tsx
@@ -1,7 +1,11 @@
 import { ArrowLeftIcon, EnvelopeIcon } from "@heroicons/react/20/solid";
 import { InboxArrowDownIcon } from "@heroicons/react/24/solid";
-import type { ActionFunctionArgs, LoaderFunctionArgs, MetaFunction } from "@remix-run/node";
-import { redirect } from "@remix-run/node";
+import {
+  redirect,
+  type ActionFunctionArgs,
+  type LoaderFunctionArgs,
+  type MetaFunction,
+} from "@remix-run/node";
 import { Form, useNavigation } from "@remix-run/react";
 import { typedjson, useTypedLoaderData } from "remix-typedjson";
 import { z } from "zod";
@@ -18,6 +22,14 @@ import { Spinner } from "~/components/primitives/Spinner";
 import { TextLink } from "~/components/primitives/TextLink";
 import { authenticator } from "~/services/auth.server";
 import { commitSession, getUserSession } from "~/services/sessionStorage.server";
+import {
+  checkMagicLinkEmailRateLimit,
+  checkMagicLinkEmailDailyRateLimit,
+  MagicLinkRateLimitError,
+  checkMagicLinkIpRateLimit,
+} from "~/services/magicLinkRateLimiter.server";
+import { logger, tryCatch } from "@trigger.dev/core/v3";
+import { env } from "~/env.server";
 
 export const meta: MetaFunction = ({ matches }) => {
   const parentMeta = matches
@@ -71,29 +83,99 @@ export async function action({ request }: ActionFunctionArgs) {
 
   const payload = Object.fromEntries(await clonedRequest.formData());
 
-  const { action } = z
-    .object({
-      action: z.enum(["send", "reset"]),
-    })
+  const data = z
+    .discriminatedUnion("action", [
+      z.object({
+        action: z.literal("send"),
+        email: z.string().trim().toLowerCase(),
+      }),
+      z.object({
+        action: z.literal("reset"),
+      }),
+    ])
     .parse(payload);
 
-  if (action === "send") {
-    return authenticator.authenticate("email-link", request, {
-      successRedirect: "/login/magic",
-      failureRedirect: "/login/magic",
-    });
-  } else {
-    const session = await getUserSession(request);
-    session.unset("triggerdotdev:magiclink");
-
-    return redirect("/login/magic", {
-      headers: {
-        "Set-Cookie": await commitSession(session),
-      },
-    });
+  switch (data.action) {
+    case "send": {
+      if (!env.LOGIN_RATE_LIMITS_ENABLED) {
+        return authenticator.authenticate("email-link", request, {
+          successRedirect: "/login/magic",
+          failureRedirect: "/login/magic",
+        });
+      }
+
+      const { email } = data;
+      const xff = request.headers.get("x-forwarded-for");
+      const clientIp = extractClientIp(xff);
+
+      const [error] = await tryCatch(
+        Promise.all([
+          clientIp ? checkMagicLinkIpRateLimit(clientIp) : Promise.resolve(),
+          checkMagicLinkEmailRateLimit(email),
+          checkMagicLinkEmailDailyRateLimit(email),
+        ])
+      );
+
+      if (error) {
+        if (error instanceof MagicLinkRateLimitError) {
+          logger.warn("Login magic link rate limit exceeded", {
+            clientIp,
+            email,
+            error,
+          });
+        } else {
+          logger.error("Failed sending login magic link", {
+            clientIp,
+            email,
+            error,
+          });
+        }
+
+        const errorMessage =
+          error instanceof MagicLinkRateLimitError
+            ? "Too many magic link requests. Please try again shortly."
+            : "Failed sending magic link. Please try again shortly.";
+
+        const session = await getUserSession(request);
+        session.set("auth:error", {
+          message: errorMessage,
+        });
+
+        return redirect("/login/magic", {
+          headers: {
+            "Set-Cookie": await commitSession(session),
+          },
+        });
+      }
+
+      return authenticator.authenticate("email-link", request, {
+        successRedirect: "/login/magic",
+        failureRedirect: "/login/magic",
+      });
+    }
+    case "reset":
+    default: {
+      data.action satisfies "reset";
+
+      const session = await getUserSession(request);
+      session.unset("triggerdotdev:magiclink");
+
+      return redirect("/login/magic", {
+        headers: {
+          "Set-Cookie": await commitSession(session),
+        },
+      });
+    }
   }
 }
 
+const extractClientIp = (xff: string | null) => {
+  if (!xff) return null;
+
+  const parts = xff.split(",").map((p) => p.trim());
+  return parts[parts.length - 1]; // take last item, ALB appends the real client IP by default
+};
+
 export default function LoginMagicLinkPage() {
   const { magicLinkSent, magicLinkError } = useTypedLoaderData<typeof loader>();
   const navigate = useNavigation();
diff --git a/apps/webapp/app/services/magicLinkRateLimiter.server.ts b/apps/webapp/app/services/magicLinkRateLimiter.server.ts
@@ -0,0 +1,96 @@
+import { Ratelimit } from "@upstash/ratelimit";
+import { env } from "~/env.server";
+import { createRedisRateLimitClient, RateLimiter } from "~/services/rateLimiter.server";
+import { singleton } from "~/utils/singleton";
+
+export class MagicLinkRateLimitError extends Error {
+  public readonly retryAfter: number;
+
+  constructor(retryAfter: number) {
+    super("Magic link request rate limit exceeded.");
+    this.retryAfter = retryAfter;
+  }
+}
+
+function getRedisClient() {
+  return createRedisRateLimitClient({
+    port: env.RATE_LIMIT_REDIS_PORT,
+    host: env.RATE_LIMIT_REDIS_HOST,
+    username: env.RATE_LIMIT_REDIS_USERNAME,
+    password: env.RATE_LIMIT_REDIS_PASSWORD,
+    tlsDisabled: env.RATE_LIMIT_REDIS_TLS_DISABLED === "true",
+    clusterMode: env.RATE_LIMIT_REDIS_CLUSTER_MODE_ENABLED === "1",
+  });
+}
+
+const magicLinkEmailRateLimiter = singleton(
+  "magicLinkEmailRateLimiter",
+  initializeMagicLinkEmailRateLimiter
+);
+
+function initializeMagicLinkEmailRateLimiter() {
+  return new RateLimiter({
+    redisClient: getRedisClient(),
+    keyPrefix: "auth:magiclink:email",
+    limiter: Ratelimit.slidingWindow(3, "1 m"), // 3 requests per minute per email
+    logSuccess: false,
+    logFailure: true,
+  });
+}
+
+const magicLinkEmailDailyRateLimiter = singleton(
+  "magicLinkEmailDailyRateLimiter",
+  initializeMagicLinkEmailDailyRateLimiter
+);
+
+function initializeMagicLinkEmailDailyRateLimiter() {
+  return new RateLimiter({
+    redisClient: getRedisClient(),
+    keyPrefix: "auth:magiclink:email:daily",
+    limiter: Ratelimit.slidingWindow(30, "1 d"), // 30 requests per day per email
+    logSuccess: false,
+    logFailure: true,
+  });
+}
+
+const magicLinkIpRateLimiter = singleton(
+  "magicLinkIpRateLimiter",
+  initializeMagicLinkIpRateLimiter
+);
+
+function initializeMagicLinkIpRateLimiter() {
+  return new RateLimiter({
+    redisClient: getRedisClient(),
+    keyPrefix: "auth:magiclink:ip",
+    limiter: Ratelimit.slidingWindow(10, "1 m"), // 10 requests per minute per IP
+    logSuccess: false,
+    logFailure: true,
+  });
+}
+
+export async function checkMagicLinkEmailRateLimit(identifier: string): Promise<void> {
+  const result = await magicLinkEmailRateLimiter.limit(identifier);
+
+  if (!result.success) {
+    const retryAfter = new Date(result.reset).getTime() - Date.now();
+    throw new MagicLinkRateLimitError(retryAfter);
+  }
+}
+
+export async function checkMagicLinkEmailDailyRateLimit(identifier: string): Promise<void> {
+  const result = await magicLinkEmailDailyRateLimiter.limit(identifier);
+
+  if (!result.success) {
+    const retryAfter = new Date(result.reset).getTime() - Date.now();
+    throw new MagicLinkRateLimitError(retryAfter);
+  }
+}
+
+export async function checkMagicLinkIpRateLimit(ip: string): Promise<void> {
+  const result = await magicLinkIpRateLimiter.limit(ip);
+
+  if (!result.success) {
+    const retryAfter = new Date(result.reset).getTime() - Date.now();
+    throw new MagicLinkRateLimitError(retryAfter);
+  }
+}
diff --git a/docker/dev-compose.yml b/docker/dev-compose.yml
@@ -48,7 +48,7 @@ services:
       - db
 
   clickhouse:
-    image: bitnami/clickhouse:latest
+    image: bitnamilegacy/clickhouse:latest
     container_name: clickhouse-dev
     environment:
       CLICKHOUSE_ADMIN_USER: default
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -76,7 +76,7 @@ services:
       - database
 
   clickhouse:
-    image: bitnami/clickhouse:latest
+    image: bitnamilegacy/clickhouse:latest
     restart: always
     container_name: clickhouse
     environment:
diff --git a/docs/idempotency.mdx b/docs/idempotency.mdx
@@ -5,11 +5,6 @@ description: "An API call or operation is “idempotent” if it has the same re
 
 We currently support idempotency at the task level, meaning that if you trigger a task with the same `idempotencyKey` twice, the second request will not create a new task run.
 
-<Warning>
-  In version 3.3.0 and later, the `idempotencyKey` option is not available when using
-  `triggerAndWait` or `batchTriggerAndWait`, due to a bug that would sometimes cause the parent task
-  to become stuck. We are working on a fix for this issue.
-</Warning>
 
 ## `idempotencyKey` option
 
diff --git a/hosting/docker/webapp/docker-compose.yml b/hosting/docker/webapp/docker-compose.yml
@@ -139,7 +139,7 @@ services:
       start_period: 10s
 
   clickhouse:
-    image: bitnami/clickhouse:${CLICKHOUSE_IMAGE_TAG:-latest}
+    image: bitnamilegacy/clickhouse:${CLICKHOUSE_IMAGE_TAG:-latest}
     restart: ${RESTART_POLICY:-unless-stopped}
     logging: *logging-config
     ports:
@@ -183,7 +183,7 @@ services:
       start_period: 10s
 
   minio:
-    image: bitnami/minio:${MINIO_IMAGE_TAG:-latest}
+    image: bitnamilegacy/minio:${MINIO_IMAGE_TAG:-latest}
     restart: ${RESTART_POLICY:-unless-stopped}
     logging: *logging-config
     ports:
diff --git a/hosting/k8s/helm/Chart.yaml b/hosting/k8s/helm/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: trigger
 description: The official Trigger.dev Helm chart
 type: application
-version: 4.0.1
+version: 4.0.3
 appVersion: v4.0.4
 home: https://trigger.dev
 sources:
diff --git a/hosting/k8s/helm/templates/_helpers.tpl b/hosting/k8s/helm/templates/_helpers.tpl
@@ -95,6 +95,34 @@ Get the full image name for supervisor
 {{- end }}
 {{- end }}
 
+{{/*
+Get the full image name for webapp volumePermissions init container
+*/}}
+{{- define "trigger-v4.webapp.volumePermissions.image" -}}
+{{- $registry := .Values.global.imageRegistry | default .Values.webapp.volumePermissions.image.registry -}}
+{{- $repository := .Values.webapp.volumePermissions.image.repository -}}
+{{- $tag := .Values.webapp.volumePermissions.image.tag -}}
+{{- if $registry }}
+{{- printf "%s/%s:%s" $registry $repository $tag }}
+{{- else }}
+{{- printf "%s:%s" $repository $tag }}
+{{- end }}
+{{- end }}
+
+{{/*
+Get the full image name for webapp tokenSyncer sidecar
+*/}}
+{{- define "trigger-v4.webapp.tokenSyncer.image" -}}
+{{- $registry := .Values.global.imageRegistry | default .Values.webapp.tokenSyncer.image.registry -}}
+{{- $repository := .Values.webapp.tokenSyncer.image.repository -}}
+{{- $tag := .Values.webapp.tokenSyncer.image.tag -}}
+{{- if $registry }}
+{{- printf "%s/%s:%s" $registry $repository $tag }}
+{{- else }}
+{{- printf "%s:%s" $repository $tag }}
+{{- end }}
+{{- end }}
+
 {{/*
 PostgreSQL hostname (deprecated - used only for legacy DATABASE_HOST env var)
 */}}
diff --git a/hosting/k8s/helm/templates/webapp.yaml b/hosting/k8s/helm/templates/webapp.yaml
@@ -67,8 +67,9 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       initContainers:
-        - name: init-shared
-          image: busybox:1.35
+        - name: volume-permissions
+          image: {{ include "trigger-v4.webapp.volumePermissions.image" . }}
+          imagePullPolicy: {{ .Values.webapp.volumePermissions.image.pullPolicy }}
           command: ['sh', '-c', 'mkdir -p /home/node/shared']
           securityContext:
             runAsUser: 1000
@@ -77,7 +78,8 @@ spec:
               mountPath: /home/node/shared
       containers:
         - name: token-syncer
-          image: bitnami/kubectl:1.28
+          image: {{ include "trigger-v4.webapp.tokenSyncer.image" . }}
+          imagePullPolicy: {{ .Values.webapp.tokenSyncer.image.pullPolicy }}
           securityContext:
             runAsUser: 1000
             runAsNonRoot: true
@@ -419,6 +421,10 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.webapp.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
 ---
 apiVersion: v1
 kind: Service
diff --git a/hosting/k8s/helm/values.yaml b/hosting/k8s/helm/values.yaml
diff --git a/internal-packages/run-engine/src/engine/systems/waitpointSystem.ts b/internal-packages/run-engine/src/engine/systems/waitpointSystem.ts
