simstudioai
diff --git a/‎apps/sim/app/api/workspaces/[id]/docx/preview/route.test.ts‎
Lines changed: 197 additions & 0 deletions b/‎apps/sim/app/api/workspaces/[id]/docx/preview/route.test.ts‎
Lines changed: 197 additions & 0 deletions
diff --git a/‎apps/sim/app/api/workspaces/[id]/docx/preview/route.ts‎
Lines changed: 67 additions & 0 deletions b/‎apps/sim/app/api/workspaces/[id]/docx/preview/route.ts‎
Lines changed: 67 additions & 0 deletions
diff --git a/‎apps/sim/app/api/workspaces/[id]/pdf/preview/route.test.ts‎
Lines changed: 112 additions & 0 deletions b/‎apps/sim/app/api/workspaces/[id]/pdf/preview/route.test.ts‎
Lines changed: 112 additions & 0 deletions
@@ -0,0 +1,197 @@
+/**
+ * @vitest-environment node
+ */
+import { NextRequest } from 'next/server'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+import { MAX_DOCUMENT_PREVIEW_CODE_BYTES } from '@/lib/execution/constants'
+
+const { mockGetSession, mockVerifyWorkspaceMembership, mockRunSandboxTask } = vi.hoisted(() => ({
+  mockGetSession: vi.fn(),
+  mockVerifyWorkspaceMembership: vi.fn(),
+  mockRunSandboxTask: vi.fn(),
+}))
+
+vi.mock('@/lib/auth', () => ({
+  getSession: mockGetSession,
+}))
+
+vi.mock('@/app/api/workflows/utils', () => ({
+  verifyWorkspaceMembership: mockVerifyWorkspaceMembership,
+}))
+
+vi.mock('@/lib/execution/sandbox/run-task', () => ({
+  runSandboxTask: mockRunSandboxTask,
+}))
+
+import { POST } from '@/app/api/workspaces/[id]/docx/preview/route'
+
+const DOCX_MIME = 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
+
+describe('DOCX preview API route', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    mockGetSession.mockResolvedValue({ user: { id: 'user-1' } })
+    mockVerifyWorkspaceMembership.mockResolvedValue(true)
+    mockRunSandboxTask.mockResolvedValue(Buffer.from('PK\x03\x04docx'))
+  })
+
+  it('returns a generated DOCX for authorized workspace members', async () => {
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/docx/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ code: 'return 1' }),
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(200)
+    expect(response.headers.get('Content-Type')).toBe(DOCX_MIME)
+    expect(response.headers.get('Cache-Control')).toBe('private, no-store')
+    expect(mockVerifyWorkspaceMembership).toHaveBeenCalledWith('user-1', 'workspace-1')
+    expect(mockRunSandboxTask).toHaveBeenCalledWith(
+      'docx-generate',
+      { code: 'return 1', workspaceId: 'workspace-1' },
+      { ownerKey: 'user:user-1', signal: request.signal }
+    )
+    expect(Buffer.from(await response.arrayBuffer()).toString()).toBe('PK\x03\x04docx')
+  })
+
+  it('rejects requests without code', async () => {
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/docx/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({}),
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(400)
+    await expect(response.json()).resolves.toEqual({ error: 'code is required' })
+    expect(mockRunSandboxTask).not.toHaveBeenCalled()
+  })
+
+  it('rejects oversized preview source payloads', async () => {
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/docx/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ code: 'x'.repeat(MAX_DOCUMENT_PREVIEW_CODE_BYTES + 1) }),
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(413)
+    await expect(response.json()).resolves.toEqual({ error: 'code exceeds maximum size' })
+    expect(mockRunSandboxTask).not.toHaveBeenCalled()
+  })
+
+  it('returns 401 for unauthenticated requests', async () => {
+    mockGetSession.mockResolvedValue(null)
+
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/docx/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ code: 'return 1' }),
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(401)
+    await expect(response.json()).resolves.toEqual({ error: 'Unauthorized' })
+    expect(mockVerifyWorkspaceMembership).not.toHaveBeenCalled()
+    expect(mockRunSandboxTask).not.toHaveBeenCalled()
+  })
+
+  it('returns 403 when the user is not a workspace member', async () => {
+    mockVerifyWorkspaceMembership.mockResolvedValue(false)
+
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/docx/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ code: 'return 1' }),
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(403)
+    await expect(response.json()).resolves.toEqual({ error: 'Insufficient permissions' })
+    expect(mockRunSandboxTask).not.toHaveBeenCalled()
+  })
+
+  it('returns 400 for requests with invalid JSON bodies', async () => {
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/docx/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: '{ not valid json',
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(400)
+    await expect(response.json()).resolves.toEqual({ error: 'Invalid or missing JSON body' })
+    expect(mockRunSandboxTask).not.toHaveBeenCalled()
+  })
+
+  it('returns 500 when DOCX generation throws', async () => {
+    mockRunSandboxTask.mockRejectedValue(new Error('boom: sandbox failed'))
+
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/docx/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ code: 'return 1' }),
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(500)
+    await expect(response.json()).resolves.toEqual({ error: 'boom: sandbox failed' })
+  })
+})
@@ -0,0 +1,67 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { getSession } from '@/lib/auth'
+import { toError } from '@/lib/core/utils/helpers'
+import { MAX_DOCUMENT_PREVIEW_CODE_BYTES } from '@/lib/execution/constants'
+import { runSandboxTask } from '@/lib/execution/sandbox/run-task'
+import { verifyWorkspaceMembership } from '@/app/api/workflows/utils'
+
+export const dynamic = 'force-dynamic'
+export const runtime = 'nodejs'
+
+const logger = createLogger('DocxPreviewAPI')
+
+/**
+ * POST /api/workspaces/[id]/docx/preview
+ * Compile docx source code and return the binary DOCX for streaming preview.
+ */
+export async function POST(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const { id: workspaceId } = await params
+
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const membership = await verifyWorkspaceMembership(session.user.id, workspaceId)
+    if (!membership) {
+      return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 })
+    }
+
+    let body: unknown
+    try {
+      body = await req.json()
+    } catch {
+      return NextResponse.json({ error: 'Invalid or missing JSON body' }, { status: 400 })
+    }
+    const { code } = body as { code?: string }
+
+    if (typeof code !== 'string' || code.trim().length === 0) {
+      return NextResponse.json({ error: 'code is required' }, { status: 400 })
+    }
+
+    if (Buffer.byteLength(code, 'utf-8') > MAX_DOCUMENT_PREVIEW_CODE_BYTES) {
+      return NextResponse.json({ error: 'code exceeds maximum size' }, { status: 413 })
+    }
+
+    const buffer = await runSandboxTask(
+      'docx-generate',
+      { code, workspaceId },
+      { ownerKey: `user:${session.user.id}`, signal: req.signal }
+    )
+
+    return new NextResponse(new Uint8Array(buffer), {
+      status: 200,
+      headers: {
+        'Content-Type': 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+        'Content-Length': String(buffer.length),
+        'Cache-Control': 'private, no-store',
+      },
+    })
+  } catch (err) {
+    const message = toError(err).message
+    logger.error('DOCX preview generation failed', { error: message, workspaceId })
+    return NextResponse.json({ error: message }, { status: 500 })
+  }
+}
@@ -3,6 +3,7 @@
  */
 import { NextRequest } from 'next/server'
 import { beforeEach, describe, expect, it, vi } from 'vitest'
+import { MAX_DOCUMENT_PREVIEW_CODE_BYTES } from '@/lib/execution/constants'
 
 const { mockGetSession, mockVerifyWorkspaceMembership, mockRunSandboxTask } = vi.hoisted(() => ({
   mockGetSession: vi.fn(),
@@ -80,4 +81,115 @@ describe('PDF preview API route', () => {
     await expect(response.json()).resolves.toEqual({ error: 'code is required' })
     expect(mockRunSandboxTask).not.toHaveBeenCalled()
   })
+
+  it('rejects oversized preview source payloads', async () => {
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/pdf/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ code: 'x'.repeat(MAX_DOCUMENT_PREVIEW_CODE_BYTES + 1) }),
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(413)
+    await expect(response.json()).resolves.toEqual({ error: 'code exceeds maximum size' })
+    expect(mockRunSandboxTask).not.toHaveBeenCalled()
+  })
+
+  it('returns 401 for unauthenticated requests', async () => {
+    mockGetSession.mockResolvedValue(null)
+
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/pdf/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ code: 'return 1' }),
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(401)
+    await expect(response.json()).resolves.toEqual({ error: 'Unauthorized' })
+    expect(mockVerifyWorkspaceMembership).not.toHaveBeenCalled()
+    expect(mockRunSandboxTask).not.toHaveBeenCalled()
+  })
+
+  it('returns 403 when the user is not a workspace member', async () => {
+    mockVerifyWorkspaceMembership.mockResolvedValue(false)
+
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/pdf/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ code: 'return 1' }),
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(403)
+    await expect(response.json()).resolves.toEqual({ error: 'Insufficient permissions' })
+    expect(mockRunSandboxTask).not.toHaveBeenCalled()
+  })
+
+  it('returns 400 for requests with invalid JSON bodies', async () => {
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/pdf/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: '{ not valid json',
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(400)
+    await expect(response.json()).resolves.toEqual({ error: 'Invalid or missing JSON body' })
+    expect(mockRunSandboxTask).not.toHaveBeenCalled()
+  })
+
+  it('returns 500 when PDF generation throws', async () => {
+    mockRunSandboxTask.mockRejectedValue(new Error('boom: sandbox failed'))
+
+    const request = new NextRequest(
+      'http://localhost:3000/api/workspaces/workspace-1/pdf/preview',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ code: 'return 1' }),
+      }
+    )
+
+    const response = await POST(request, {
+      params: Promise.resolve({ id: 'workspace-1' }),
+    })
+
+    expect(response.status).toBe(500)
+    await expect(response.json()).resolves.toEqual({ error: 'boom: sandbox failed' })
+  })
 })