fix(pdf): PDF previews by adding the missing preview endpoint and allowing same-origin blob URLs in iframe CSP (#4225)

* fix(pdf): PDF previews by adding the missing preview endpoint and allowing same-origin blob URLs in iframe CSP

* fixed

* add preview routes and tests

* follow nextjs route gen strat

Author: icecrasher321

apps/sim/app/api/workspaces/[id]/_preview/create-preview-route.ts

@@ -0,0 +1,90 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { getSession } from '@/lib/auth'
+import { toError } from '@/lib/core/utils/helpers'
+import { MAX_DOCUMENT_PREVIEW_CODE_BYTES } from '@/lib/execution/constants'
+import { runSandboxTask } from '@/lib/execution/sandbox/run-task'
+import { verifyWorkspaceMembership } from '@/app/api/workflows/utils'
+import type { SandboxTaskId } from '@/sandbox-tasks/registry'
+
+/**
+ * Config for a document preview route handler.
+ *
+ * All three document preview endpoints (PDF / PPTX / DOCX) share the same
+ * shape: auth → workspace membership → JSON body parse → `code` validation →
+ * size guard → `runSandboxTask(taskId, ...)` → binary response. The only
+ * differences between them are the sandbox task, the response MIME type, and
+ * the logger/label used for the 500 path.
+ */
+export interface DocumentPreviewRouteConfig {
+  /** Sandbox task registered in `apps/sim/sandbox-tasks/registry.ts`. */
+  taskId: SandboxTaskId
+  /** Content-Type of the binary returned on success. */
+  contentType: string
+  /** Short label used for the logger name + 500 log message. */
+  label: 'PDF' | 'PPTX' | 'DOCX'
+}
+
+/**
+ * Build a Next.js POST handler for one of the document preview endpoints.
+ *
+ * Everything security-relevant (session, workspace membership, JSON shape,
+ * empty/oversized code) is enforced before we ever reach the isolated-vm
+ * sandbox, and `runSandboxTask` is always invoked with the session owner key
+ * + `req.signal` so pool fairness and client-disconnect cancellation behave
+ * identically across all three formats.
+ */
+export function createDocumentPreviewRoute(config: DocumentPreviewRouteConfig) {
+  const logger = createLogger(`${config.label}PreviewAPI`)
+
+  return async function POST(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+    const { id: workspaceId } = await params
+
+    try {
+      const session = await getSession()
+      if (!session?.user?.id) {
+        return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+      }
+
+      const membership = await verifyWorkspaceMembership(session.user.id, workspaceId)
+      if (!membership) {
+        return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 })
+      }
+
+      let body: unknown
+      try {
+        body = await req.json()
+      } catch {
+        return NextResponse.json({ error: 'Invalid or missing JSON body' }, { status: 400 })
+      }
+      const { code } = body as { code?: string }
+
+      if (typeof code !== 'string' || code.trim().length === 0) {
+        return NextResponse.json({ error: 'code is required' }, { status: 400 })
+      }
+
+      if (Buffer.byteLength(code, 'utf-8') > MAX_DOCUMENT_PREVIEW_CODE_BYTES) {
+        return NextResponse.json({ error: 'code exceeds maximum size' }, { status: 413 })
+      }
+
+      const buffer = await runSandboxTask(
+        config.taskId,
+        { code, workspaceId },
+        { ownerKey: `user:${session.user.id}`, signal: req.signal }
+      )
+
+      return new NextResponse(new Uint8Array(buffer), {
+        status: 200,
+        headers: {
+          'Content-Type': config.contentType,
+          'Content-Length': String(buffer.length),
+          'Cache-Control': 'private, no-store',
+        },
+      })
+    } catch (err) {
+      const message = toError(err).message
+      logger.error(`${config.label} preview generation failed`, { error: message, workspaceId })
+      return NextResponse.json({ error: message }, { status: 500 })
+    }
+  }
+}

apps/sim/app/api/workspaces/[id]/docx/preview/route.test.ts

@@ -0,0 +1,197 @@
+/**
+ * @vitest-environment node
+ */
+import { NextRequest } from 'next/server'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+import { MAX_DOCUMENT_PREVIEW_CODE_BYTES } from '@/lib/execution/constants'
+
+const { mockGetSession, mockVerifyWorkspaceMembership, mockRunSandboxTask } = vi.hoisted(() => ({
+  mockGetSession: vi.fn(),
+  mockVerifyWorkspaceMembership: vi.fn(),
+  mockRunSandboxTask: vi.fn(),
+}))
+
+vi.mock('@/lib/auth', () => ({
+  getSession: mockGetSession,
+}))
+
+vi.mock('@/app/api/workflows/utils', () => ({
+  verifyWorkspaceMembership: mockVerifyWorkspaceMembership,
+}))
+
+vi.mock('@/lib/execution/sandbox/run-task', () => ({
+  runSandboxTask: mockRunSandboxTask,
+}))
+
+import { POST } from '@/app/api/workspaces/[id]/docx/preview/route'
+
+const DOCX_MIME = 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
+
+describe('DOCX preview API route', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    mockGetSession.mockResolvedValue({ user: { id: 'user-1' } })
+    mockVerifyWorkspaceMembership.mockResolvedValue(true)
+    mockRunSandboxTask.mockResolvedValue(Buffer.from('PK\x03\x04docx'))
+  })
+
+  it('returns a generated DOCX for authorized workspace members', async () => {
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/docx/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ code: 'return 1' }),
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(200)
+    expect(response.headers.get('Content-Type')).toBe(DOCX_MIME)
+    expect(response.headers.get('Cache-Control')).toBe('private, no-store')
+    expect(mockVerifyWorkspaceMembership).toHaveBeenCalledWith('user-1', 'workspace-1')
+    expect(mockRunSandboxTask).toHaveBeenCalledWith(
+      'docx-generate',
+      { code: 'return 1', workspaceId: 'workspace-1' },
+      { ownerKey: 'user:user-1', signal: request.signal }
+    )
+    expect(Buffer.from(await response.arrayBuffer()).toString()).toBe('PK\x03\x04docx')
+  })
+
+  it('rejects requests without code', async () => {
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/docx/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({}),
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(400)
+    await expect(response.json()).resolves.toEqual({ error: 'code is required' })
+    expect(mockRunSandboxTask).not.toHaveBeenCalled()
+  })
+
+  it('rejects oversized preview source payloads', async () => {
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/docx/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ code: 'x'.repeat(MAX_DOCUMENT_PREVIEW_CODE_BYTES + 1) }),
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(413)
+    await expect(response.json()).resolves.toEqual({ error: 'code exceeds maximum size' })
+    expect(mockRunSandboxTask).not.toHaveBeenCalled()
+  })
+
+  it('returns 401 for unauthenticated requests', async () => {
+    mockGetSession.mockResolvedValue(null)
+
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/docx/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ code: 'return 1' }),
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(401)
+    await expect(response.json()).resolves.toEqual({ error: 'Unauthorized' })
+    expect(mockVerifyWorkspaceMembership).not.toHaveBeenCalled()
+    expect(mockRunSandboxTask).not.toHaveBeenCalled()
+  })
+
+  it('returns 403 when the user is not a workspace member', async () => {
+    mockVerifyWorkspaceMembership.mockResolvedValue(false)
+
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/docx/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ code: 'return 1' }),
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(403)
+    await expect(response.json()).resolves.toEqual({ error: 'Insufficient permissions' })
+    expect(mockRunSandboxTask).not.toHaveBeenCalled()
+  })
+
+  it('returns 400 for requests with invalid JSON bodies', async () => {
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/docx/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: '{ not valid json',
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(400)
+    await expect(response.json()).resolves.toEqual({ error: 'Invalid or missing JSON body' })
+    expect(mockRunSandboxTask).not.toHaveBeenCalled()
+  })
+
+  it('returns 500 when DOCX generation throws', async () => {
+    mockRunSandboxTask.mockRejectedValue(new Error('boom: sandbox failed'))
+
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/docx/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ code: 'return 1' }),
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(500)
+    await expect(response.json()).resolves.toEqual({ error: 'boom: sandbox failed' })
+  })
+})

apps/sim/app/api/workspaces/[id]/docx/preview/route.ts

@@ -0,0 +1,14 @@
+import { createDocumentPreviewRoute } from '@/app/api/workspaces/[id]/_preview/create-preview-route'
+
+export const dynamic = 'force-dynamic'
+export const runtime = 'nodejs'
+
+/**
+ * POST /api/workspaces/[id]/docx/preview
+ * Compile docx source code and return the binary DOCX for streaming preview.
+ */
+export const POST = createDocumentPreviewRoute({
+  taskId: 'docx-generate',
+  contentType: 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+  label: 'DOCX',
+})