nobalmako 1.0.0

package/src/app/api/variables/route.ts

@@ -0,0 +1,476 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { getUserFromToken } from '@/lib/auth';
+import { db } from '@/lib/db';
+import { environmentVariables, teams, environments, variableHistory, teamMembers } from '@/lib/schema';
+import { eq, and, or, exists } from 'drizzle-orm';
+import { encrypt, decrypt } from '@/lib/crypto';
+import { createAuditLog } from '@/lib/audit';
+import { hasPermission, Permissions } from '@/lib/permissions';
+import { triggerWebhook } from '@/lib/webhooks';
+import { resolveDynamicSecret } from '@/lib/dynamic-providers';
+
+export async function GET(request: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+
+    if (!user) {
+      return NextResponse.json(
+        { error: 'Not authenticated' },
+        { status: 401 }
+      );
+    }
+
+    const { searchParams } = new URL(request.url);
+    const teamName = searchParams.get('team');
+    const environmentName = searchParams.get('environment');
+    const teamId = searchParams.get('teamId');
+    const environmentId = searchParams.get('environmentId');
+
+    // Build the query
+    let query = db
+      .select({
+        id: environmentVariables.id,
+        key: environmentVariables.key,
+        value: environmentVariables.value,
+        description: environmentVariables.description,
+        isSecret: environmentVariables.isSecret,
+        teamId: environmentVariables.teamId,
+        environmentId: environmentVariables.environmentId,
+        isDynamic: environmentVariables.isDynamic,
+        provider: environmentVariables.provider,
+        createdAt: environmentVariables.createdAt,
+        teamName: teams.name,
+        environmentName: environments.name,
+      })
+      .from(environmentVariables)
+      .innerJoin(environments, eq(environmentVariables.environmentId, environments.id))
+      .innerJoin(teams, eq(environmentVariables.teamId, teams.id));
+
+    // Base filters: User must have access
+    const accessFilter = or(
+      eq(teams.ownerId, user.id),
+      exists(
+        db.select()
+          .from(teamMembers)
+          .where(and(eq(teamMembers.teamId, teams.id), eq(teamMembers.userId, user.id)))
+      )
+    );
+
+    const filters = [accessFilter];
+
+    if (teamName) filters.push(eq(teams.name, teamName));
+    if (environmentName) filters.push(eq(environments.name, environmentName));
+    if (teamId) filters.push(eq(teams.id, teamId));
+    
+    // Inheritance Logic
+    let environmentIds: string[] = [];
+    if (environmentId || (teamName && environmentName) || (teamId && environmentName)) {
+      // Find the specific environment first
+      let targetEnv;
+      if (environmentId) {
+        [targetEnv] = await db.select().from(environments).where(eq(environments.id, environmentId)).limit(1);
+      } else {
+        const teamFilter = teamId ? eq(teams.id, teamId) : eq(teams.name, teamName!);
+        [targetEnv] = await db.select({
+          id: environments.id,
+          parentId: environments.parentId
+        })
+        .from(environments)
+        .innerJoin(teams, eq(environments.teamId, teams.id))
+        .where(and(teamFilter, eq(environments.name, environmentName!)))
+        .limit(1);
+      }
+
+      if (targetEnv) {
+        environmentIds.push(targetEnv.id);
+        let currentParentId = targetEnv.parentId;
+        
+        // Traverse up the inheritance tree (limit depth to 10 to prevent cycles)
+        for (let i = 0; i < 10 && currentParentId; i++) {
+          const [parent] = await db.select().from(environments).where(eq(environments.id, currentParentId)).limit(1);
+          if (parent) {
+            environmentIds.push(parent.id);
+            currentParentId = parent.parentId;
+          } else {
+            break;
+          }
+        }
+      }
+    }
+
+    if (environmentIds.length > 0) {
+      // @ts-ignore
+      filters.push(or(...environmentIds.map(id => eq(environments.id, id))));
+    } else if (environmentName) {
+      filters.push(eq(environments.name, environmentName));
+    }
+
+    const userVariables = await query.where(and(...filters));
+
+    // Decrypt and Merge duplicates (Child variables overwrite parents)
+    // environmentIds is [child, parent, grandparent...]
+    // So we iterate backwards to let child values win.
+    const mergedVars: Record<string, any> = {};
+    
+    // Sort variables by their index in environmentIds (higher index means further up the tree)
+    const sortedVariables = [...userVariables].sort((a, b) => {
+      const indexA = environmentIds.indexOf(a.environmentId);
+      const indexB = environmentIds.indexOf(b.environmentId);
+      return (indexB === -1 ? 999 : indexB) - (indexA === -1 ? 999 : indexA);
+    });
+
+    for (const v of sortedVariables) {
+      let value = decrypt(v.value);
+      
+      if (v.isDynamic) {
+        value = await resolveDynamicSecret(v);
+      }
+
+      mergedVars[v.key] = {
+        ...v,
+        value
+      };
+    }
+
+    return NextResponse.json({ variables: Object.values(mergedVars) });
+  } catch (error) {
+    console.error('Get variables error:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    );
+  }
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+
+    if (!user) {
+      return NextResponse.json(
+        { error: 'Not authenticated' },
+        { status: 401 }
+      );
+    }
+
+    const { key, value, description, isSecret, teamId, environmentId, expiresAt, isDynamic, provider } = await request.json();
+
+    if (!key || (value === undefined && !isDynamic) || !teamId || !environmentId) {
+      return NextResponse.json(
+        { error: 'Key, value (or dynamic provider), teamId, and environmentId are required' },
+        { status: 400 }
+      );
+    }
+
+    const encryptedValue = encrypt(value || '');
+
+    // Verify user has permission to manage secrets
+    const canManage = await hasPermission(user.id, teamId, Permissions.MANAGE_SECRETS);
+
+    if (!canManage) {
+      return NextResponse.json(
+        { error: 'Forbidden: You do not have permission to manage secrets in this project' },
+        { status: 403 }
+      );
+    }
+
+    // Verify environment belongs to the team
+    const [environment] = await db
+      .select()
+      .from(environments)
+      .where(and(eq(environments.id, environmentId), eq(environments.teamId, teamId)))
+      .limit(1);
+
+    if (!environment) {
+      return NextResponse.json(
+        { error: 'Environment not found or does not belong to the team' },
+        { status: 403 }
+      );
+    }
+
+    // Check if variable already exists in this environment
+    const [existingVariable] = await db
+      .select()
+      .from(environmentVariables)
+      .where(
+        and(
+          eq(environmentVariables.key, key),
+          eq(environmentVariables.environmentId, environmentId)
+        )
+      )
+      .limit(1);
+
+    let variable;
+    let changeType: 'create' | 'update' = 'create';
+
+    if (existingVariable) {
+      // Update existing variable
+      changeType = 'update';
+      const [updatedVariable] = await db
+        .update(environmentVariables)
+        .set({
+          value: encryptedValue,
+          description: description || existingVariable.description,
+          isSecret: isSecret !== undefined ? isSecret : existingVariable.isSecret,
+          isDynamic: isDynamic !== undefined ? isDynamic : existingVariable.isDynamic,
+          provider: provider || existingVariable.provider,
+          expiresAt: expiresAt !== undefined ? expiresAt : existingVariable.expiresAt,
+          lastRotatedAt: value !== decrypt(existingVariable.value) ? new Date() : existingVariable.lastRotatedAt,
+          updatedBy: user.id,
+          updatedAt: new Date(),
+        })
+        .where(eq(environmentVariables.id, existingVariable.id))
+        .returning();
+      variable = updatedVariable;
+    } else {
+      // Insert new variable
+      const [newVariable] = await db.insert(environmentVariables).values({
+        key,
+        value: encryptedValue,
+        description,
+        isSecret: isSecret || false,
+        isDynamic: isDynamic || false,
+        provider: provider || null,
+        expiresAt: expiresAt || null,
+        lastRotatedAt: new Date(),
+        teamId,
+        environmentId,
+        createdBy: user.id,
+      }).returning();
+      variable = newVariable;
+    }
+
+    // Create history entry
+    await db.insert(variableHistory).values({
+      variableId: variable.id,
+      teamId,
+      environmentId,
+      key,
+      value: encryptedValue,
+      description: description || variable.description,
+      isSecret: variable.isSecret,
+      changedBy: user.id,
+      changeType,
+    });
+
+    // Trigger Webhook
+    triggerWebhook(teamId, 'variable.update', {
+      key,
+      environmentId,
+      changeType,
+      updatedBy: user.email,
+    });
+
+    // Create audit log
+    await createAuditLog({
+      userId: user.id,
+      teamId,
+      action: 'create',
+      resourceType: 'variable',
+      resourceId: variable.id,
+      newValue: { key, isSecret },
+    });
+
+    return NextResponse.json({ variable: variable });
+  } catch (error) {
+    console.error('Create variable error:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    );
+  }
+}
+export async function PUT(request: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+
+    if (!user) {
+      return NextResponse.json(
+        { error: 'Not authenticated' },
+        { status: 401 }
+      );
+    }
+
+    const { id, key, value, description, isSecret, expiresAt, isDynamic, provider } = await request.json();
+
+    if (!id) {
+      return NextResponse.json(
+        { error: 'Variable ID is required' },
+        { status: 400 }
+      );
+    }
+
+    if (!key || (value === undefined && !isDynamic)) {
+      return NextResponse.json(
+        { error: 'Key and value (or dynamic provider) are required' },
+        { status: 400 }
+      );
+    }
+
+    // Check if user has permission to manage secrets
+    const existingVar = await db
+      .select()
+      .from(environmentVariables)
+      .where(eq(environmentVariables.id, id))
+      .limit(1);
+
+    if (!existingVar.length) {
+      return NextResponse.json(
+        { error: 'Variable not found' },
+        { status: 404 }
+      );
+    }
+
+    const canManage = await hasPermission(user.id, existingVar[0].teamId, Permissions.MANAGE_SECRETS);
+    if (!canManage) {
+      return NextResponse.json(
+        { error: 'Forbidden: You do not have permission to manage secrets in this project' },
+        { status: 403 }
+      );
+    }
+
+    // Encrypt the value
+    const encryptedValue = encrypt(value || '');
+
+    const [updatedVariable] = await db
+      .update(environmentVariables)
+      .set({
+        key,
+        value: encryptedValue,
+        description,
+        isSecret: isSecret !== undefined ? isSecret : existingVar[0].isSecret,
+        isDynamic: isDynamic !== undefined ? isDynamic : existingVar[0].isDynamic,
+        provider: provider || existingVar[0].provider,
+        expiresAt: expiresAt !== undefined ? expiresAt : existingVar[0].expiresAt,
+        lastRotatedAt: value !== decrypt(existingVar[0].value) ? new Date() : existingVar[0].lastRotatedAt,
+        updatedAt: new Date(),
+        updatedBy: user.id,
+      })
+      .where(eq(environmentVariables.id, id))
+      .returning();
+
+    // Create history entry
+    await db.insert(variableHistory).values({
+      variableId: id,
+      teamId: existingVar[0].teamId,
+      environmentId: existingVar[0].environmentId,
+      key,
+      value: encryptedValue,
+      description,
+      isSecret: isSecret !== undefined ? isSecret : existingVar[0].isSecret,
+      changedBy: user.id,
+      changeType: 'update',
+    });
+
+    // Trigger Webhook
+    triggerWebhook(existingVar[0].teamId, 'variable.update', {
+      key,
+      environmentId: existingVar[0].environmentId,
+      changeType: 'update',
+      updatedBy: user.email,
+    });
+
+    // Create audit log
+    await createAuditLog({
+      userId: user.id,
+      teamId: existingVar[0].teamId,
+      action: 'update',
+      resourceType: 'variable',
+      resourceId: id,
+      oldValue: { key: existingVar[0].key, isSecret: existingVar[0].isSecret },
+      newValue: { key, isSecret },
+    });
+
+    return NextResponse.json({ variable: updatedVariable });
+  } catch (error) {
+    console.error('Update variable error:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    );
+  }
+}
+
+export async function DELETE(request: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+
+    if (!user) {
+      return NextResponse.json(
+        { error: 'Not authenticated' },
+        { status: 401 }
+      );
+    }
+
+    const { id } = await request.json();
+
+    if (!id) {
+      return NextResponse.json(
+        { error: 'Variable ID is required' },
+        { status: 400 }
+      );
+    }
+
+    // Check if user has permission to manage secrets
+    const existingVar = await db
+      .select()
+      .from(environmentVariables)
+      .where(eq(environmentVariables.id, id))
+      .limit(1);
+
+    if (!existingVar.length) {
+      return NextResponse.json(
+        { error: 'Variable not found' },
+        { status: 404 }
+      );
+    }
+
+    const canManage = await hasPermission(user.id, existingVar[0].teamId, Permissions.MANAGE_SECRETS);
+    if (!canManage) {
+      return NextResponse.json(
+        { error: 'Forbidden: You do not have permission to manage secrets in this project' },
+        { status: 403 }
+      );
+    }
+
+    // Create history entry for deletion
+    await db.insert(variableHistory).values({
+      variableId: id,
+      teamId: existingVar[0].teamId,
+      environmentId: existingVar[0].environmentId,
+      key: existingVar[0].key,
+      value: existingVar[0].value,
+      description: existingVar[0].description,
+      isSecret: existingVar[0].isSecret,
+      changedBy: user.id,
+      changeType: 'delete',
+    });
+
+    await db.delete(environmentVariables).where(eq(environmentVariables.id, id));
+
+    // Trigger Webhook
+    triggerWebhook(existingVar[0].teamId, 'variable.delete', {
+      key: existingVar[0].key,
+      environmentId: existingVar[0].environmentId,
+      deletedBy: user.email,
+    });
+
+    // Create audit log
+    await createAuditLog({
+      userId: user.id,
+      teamId: existingVar[0].teamId,
+      action: 'delete',
+      resourceType: 'variable',
+      resourceId: id,
+      oldValue: { key: existingVar[0].key },
+    });
+
+    return NextResponse.json({ success: true });
+  } catch (error) {
+    console.error('Delete variable error:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    );
+  }
+}

package/src/app/api/webhooks/route.ts

@@ -0,0 +1,77 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { db } from '@/lib/db';
+import { webhooks } from '@/lib/schema';
+import { eq, and } from 'drizzle-orm';
+import { getUserFromToken } from '@/lib/auth';
+import { hasPermission, Permissions } from '@/lib/permissions';
+
+export async function GET(request: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+    if (!user) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+
+    const { searchParams } = new URL(request.url);
+    const teamId = searchParams.get('teamId');
+
+    if (!teamId) return NextResponse.json({ error: 'teamId is required' }, { status: 400 });
+
+    const results = await db
+      .select()
+      .from(webhooks)
+      .where(eq(webhooks.teamId, teamId));
+
+    return NextResponse.json({ webhooks: results });
+  } catch (error) {
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+  }
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+    if (!user) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+
+    const { teamId, name, url, events, secret } = await request.json();
+
+    if (!teamId || !name || !url) {
+      return NextResponse.json({ error: 'Missing required fields' }, { status: 400 });
+    }
+
+    const canManage = await hasPermission(user.id, teamId, Permissions.MANAGE_TEAM);
+    if (!canManage) return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+
+    const [newWebhook] = await db.insert(webhooks).values({
+      teamId,
+      name,
+      url,
+      events: events || ['variable.update', 'variable.delete'],
+      secret,
+    }).returning();
+
+    return NextResponse.json({ webhook: newWebhook });
+  } catch (error) {
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+  }
+}
+
+export async function DELETE(request: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+    if (!user) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+
+    const { id } = await request.json();
+    if (!id) return NextResponse.json({ error: 'ID is required' }, { status: 400 });
+
+    const [webhook] = await db.select().from(webhooks).where(eq(webhooks.id, id)).limit(1);
+    if (!webhook) return NextResponse.json({ error: 'Not found' }, { status: 404 });
+
+    const canManage = await hasPermission(user.id, webhook.teamId, Permissions.MANAGE_TEAM);
+    if (!canManage) return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+
+    await db.delete(webhooks).where(eq(webhooks.id, id));
+
+    return NextResponse.json({ success: true });
+  } catch (error) {
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+  }
+}