add auth to workflow log route (#14)

ctate · web-flow · commit d0b4ec4460c7 · 2025-11-24T10:33:20.000-06:00
diff --git a/app/api/workflow-log/route.ts b/app/api/workflow-log/route.ts
@@ -1,90 +1,193 @@
 import { eq } from "drizzle-orm";
 import { NextResponse } from "next/server";
+import { auth } from "@/lib/auth";
 import { db } from "@/lib/db";
 import { workflowExecutionLogs, workflowExecutions } from "@/lib/db/schema";
 
+async function handleStartAction(
+  session: { user: { id: string } },
+  data: {
+    executionId: string;
+    nodeId: string;
+    nodeName: string;
+    nodeType: string;
+    input: unknown;
+  }
+) {
+  const { executionId, nodeId, nodeName, nodeType, input } = data;
+
+  // Verify the execution belongs to the user
+  const execution = await db.query.workflowExecutions.findFirst({
+    where: eq(workflowExecutions.id, executionId),
+    with: {
+      workflow: true,
+    },
+  });
+
+  if (!execution) {
+    return NextResponse.json({ error: "Execution not found" }, { status: 404 });
+  }
+
+  if (execution.workflow.userId !== session.user.id) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const [log] = await db
+    .insert(workflowExecutionLogs)
+    .values({
+      executionId,
+      nodeId,
+      nodeName,
+      nodeType,
+      status: "running",
+      input,
+      startedAt: new Date(),
+    })
+    .returning();
+
+  return NextResponse.json({
+    logId: log.id,
+    startTime: Date.now(),
+  });
+}
+
+async function handleWorkflowCompletion(
+  session: { user: { id: string } },
+  data: {
+    executionId: string;
+    status: "pending" | "running" | "success" | "error" | "cancelled";
+    output: unknown;
+    error: string;
+    startTime: number;
+  }
+) {
+  const {
+    executionId: execId,
+    status: execStatus,
+    output: execOutput,
+    error: execError,
+    startTime: execStartTime,
+  } = data;
+
+  // Verify the execution belongs to the user
+  const execution = await db.query.workflowExecutions.findFirst({
+    where: eq(workflowExecutions.id, execId),
+    with: {
+      workflow: true,
+    },
+  });
+
+  if (!execution) {
+    return NextResponse.json({ error: "Execution not found" }, { status: 404 });
+  }
+
+  if (execution.workflow.userId !== session.user.id) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const duration = Date.now() - execStartTime;
+
+  await db
+    .update(workflowExecutions)
+    .set({
+      status: execStatus,
+      output: execOutput,
+      error: execError,
+      completedAt: new Date(),
+      duration: duration.toString(),
+    })
+    .where(eq(workflowExecutions.id, execId));
+
+  return NextResponse.json({ success: true });
+}
+
+async function handleNodeCompletion(
+  session: { user: { id: string } },
+  data: {
+    logId: string;
+    startTime: number;
+    status: "pending" | "running" | "success" | "error";
+    output: unknown;
+    error: string;
+  }
+) {
+  const {
+    logId,
+    startTime: nodeStartTime,
+    status: nodeStatus,
+    output: nodeOutput,
+    error: nodeError,
+  } = data;
+
+  if (!logId) {
+    return NextResponse.json({ success: true });
+  }
+
+  // Verify the log belongs to the user
+  const log = await db.query.workflowExecutionLogs.findFirst({
+    where: eq(workflowExecutionLogs.id, logId),
+  });
+
+  if (!log) {
+    return NextResponse.json({ error: "Log not found" }, { status: 404 });
+  }
+
+  // Get the execution to verify ownership
+  const execution = await db.query.workflowExecutions.findFirst({
+    where: eq(workflowExecutions.id, log.executionId),
+    with: {
+      workflow: true,
+    },
+  });
+
+  if (!execution) {
+    return NextResponse.json({ error: "Execution not found" }, { status: 404 });
+  }
+
+  if (execution.workflow.userId !== session.user.id) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const duration = Date.now() - nodeStartTime;
+
+  await db
+    .update(workflowExecutionLogs)
+    .set({
+      status: nodeStatus,
+      output: nodeOutput,
+      error: nodeError,
+      completedAt: new Date(),
+      duration: duration.toString(),
+    })
+    .where(eq(workflowExecutionLogs.id, logId));
+
+  return NextResponse.json({ success: true });
+}
+
 export async function POST(request: Request) {
   try {
+    const session = await auth.api.getSession({
+      headers: request.headers,
+    });
+
+    if (!session?.user) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
     const body = await request.json();
     const { action, data } = body;
 
     if (action === "start") {
-      // Start node execution log
-      const { executionId, nodeId, nodeName, nodeType, input } = data;
-
-      const [log] = await db
-        .insert(workflowExecutionLogs)
-        .values({
-          executionId,
-          nodeId,
-          nodeName,
-          nodeType,
-          status: "running",
-          input,
-          startedAt: new Date(),
-        })
-        .returning();
-
-      return NextResponse.json({
-        logId: log.id,
-        startTime: Date.now(),
-      });
+      return handleStartAction(session, data);
     }
 
     if (action === "complete") {
       // Check if this is a workflow execution completion or node execution completion
       if (data.executionId && !data.logId) {
-        // This is the overall workflow execution completion
-        const {
-          executionId: execId,
-          status: execStatus,
-          output: execOutput,
-          error: execError,
-          startTime: execStartTime,
-        } = data;
-        const duration = Date.now() - execStartTime;
-
-        await db
-          .update(workflowExecutions)
-          .set({
-            status: execStatus,
-            output: execOutput,
-            error: execError,
-            completedAt: new Date(),
-            duration: duration.toString(),
-          })
-          .where(eq(workflowExecutions.id, execId));
-
-        return NextResponse.json({ success: true });
-      }
-
-      // Complete node execution log
-      const {
-        logId,
-        startTime: nodeStartTime,
-        status: nodeStatus,
-        output: nodeOutput,
-        error: nodeError,
-      } = data;
-
-      if (!logId) {
-        return NextResponse.json({ success: true });
+        return handleWorkflowCompletion(session, data);
       }
 
-      const duration = Date.now() - nodeStartTime;
-
-      await db
-        .update(workflowExecutionLogs)
-        .set({
-          status: nodeStatus,
-          output: nodeOutput,
-          error: nodeError,
-          completedAt: new Date(),
-          duration: duration.toString(),
-        })
-        .where(eq(workflowExecutionLogs.id, logId));
-
-      return NextResponse.json({ success: true });
+      return handleNodeCompletion(session, data);
     }
 
     return NextResponse.json({ error: "Invalid action" }, { status: 400 });
diff --git a/lib/db/schema.ts b/lib/db/schema.ts
@@ -151,6 +151,16 @@ export const workflowExecutionsRelations = relations(
   })
 );
 
+export const workflowExecutionLogsRelations = relations(
+  workflowExecutionLogs,
+  ({ one }) => ({
+    execution: one(workflowExecutions, {
+      fields: [workflowExecutionLogs.executionId],
+      references: [workflowExecutions.id],
+    }),
+  })
+);
+
 export type User = typeof users.$inferSelect;
 export type Session = typeof sessions.$inferSelect;
 export type Workflow = typeof workflows.$inferSelect;
