|
1 | 1 | import { NextRequest } from 'next/server' |
2 | 2 | import { eq } from 'drizzle-orm' |
3 | 3 | import { createLogger } from '@/lib/logs/console-logger' |
4 | | -import { validateWorkflowAccess } from '@/app/api/workflows/middleware' |
5 | 4 | import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils' |
| 5 | +import { getSession } from '@/lib/auth' |
6 | 6 | import { db } from '@/db' |
7 | 7 | import * as schema from '@/db/schema' |
8 | 8 |
|
9 | 9 | const logger = createLogger('MarketplaceUnpublishAPI') |
10 | 10 |
|
| 11 | +/** |
| 12 | + * API endpoint to unpublish a workflow from the marketplace by its marketplace ID |
| 13 | + * |
| 14 | + * Security: |
| 15 | + * - Requires authentication |
| 16 | + * - Validates that the current user is the author of the marketplace entry |
| 17 | + * - Only allows the owner to unpublish |
| 18 | + */ |
11 | 19 | export async function POST(request: NextRequest, { params }: { params: Promise<{ id: string }> }) { |
12 | 20 | const requestId = crypto.randomUUID().slice(0, 8) |
13 | 21 |
|
14 | 22 | try { |
15 | 23 | const { id } = await params |
16 | | - |
17 | | - // Validate access to the workflow (must be owner to unpublish) |
18 | | - // Pass false to requireDeployment since unpublishing doesn't require the workflow to be deployed |
19 | | - const validation = await validateWorkflowAccess(request, id, false) |
20 | | - if (validation.error) { |
21 | | - logger.warn(`[${requestId}] Workflow access validation failed: ${validation.error.message}`) |
22 | | - return createErrorResponse(validation.error.message, validation.error.status) |
| 24 | + |
| 25 | + // Get the session first for authorization |
| 26 | + const session = await getSession() |
| 27 | + if (!session?.user?.id) { |
| 28 | + logger.warn(`[${requestId}] Unauthorized unpublish attempt for marketplace ID: ${id}`) |
| 29 | + return createErrorResponse('Unauthorized', 401) |
23 | 30 | } |
24 | 31 |
|
25 | | - // Check if workflow is published |
| 32 | + const userId = session.user.id |
| 33 | + |
| 34 | + // Get the marketplace entry using the marketplace ID |
26 | 35 | const marketplaceEntry = await db |
27 | | - .select() |
| 36 | + .select({ |
| 37 | + id: schema.marketplace.id, |
| 38 | + workflowId: schema.marketplace.workflowId, |
| 39 | + authorId: schema.marketplace.authorId, |
| 40 | + name: schema.marketplace.name, |
| 41 | + }) |
28 | 42 | .from(schema.marketplace) |
29 | | - .where(eq(schema.marketplace.workflowId, id)) |
| 43 | + .where(eq(schema.marketplace.id, id)) |
30 | 44 | .limit(1) |
31 | 45 | .then((rows) => rows[0]) |
32 | 46 |
|
33 | 47 | if (!marketplaceEntry) { |
34 | | - logger.warn(`[${requestId}] No marketplace entry found for workflow: ${id}`) |
35 | | - return createErrorResponse('Workflow is not published to marketplace', 404) |
| 48 | + logger.warn(`[${requestId}] No marketplace entry found with ID: ${id}`) |
| 49 | + return createErrorResponse('Marketplace entry not found', 404) |
| 50 | + } |
| 51 | + |
| 52 | + // Check if the user is the author of the marketplace entry |
| 53 | + if (marketplaceEntry.authorId !== userId) { |
| 54 | + logger.warn( |
| 55 | + `[${requestId}] User ${userId} tried to unpublish marketplace entry they don't own: ${id}, author: ${marketplaceEntry.authorId}` |
| 56 | + ) |
| 57 | + return createErrorResponse('You do not have permission to unpublish this workflow', 403) |
36 | 58 | } |
37 | 59 |
|
38 | | - // Delete the marketplace entry |
39 | | - await db.delete(schema.marketplace).where(eq(schema.marketplace.workflowId, id)) |
40 | | - |
41 | | - // Update the workflow to mark it as unpublished |
42 | | - await db.update(schema.workflow).set({ isPublished: false }).where(eq(schema.workflow.id, id)) |
43 | | - |
44 | | - logger.info(`[${requestId}] Workflow unpublished from marketplace: ${id}`) |
45 | | - |
46 | | - return createSuccessResponse({ |
47 | | - success: true, |
48 | | - message: 'Workflow successfully unpublished from marketplace', |
49 | | - }) |
| 60 | + const workflowId = marketplaceEntry.workflowId |
| 61 | + |
| 62 | + // Verify the workflow exists and belongs to the user |
| 63 | + const workflow = await db |
| 64 | + .select({ |
| 65 | + id: schema.workflow.id, |
| 66 | + userId: schema.workflow.userId, |
| 67 | + }) |
| 68 | + .from(schema.workflow) |
| 69 | + .where(eq(schema.workflow.id, workflowId)) |
| 70 | + .limit(1) |
| 71 | + .then((rows) => rows[0]) |
| 72 | + |
| 73 | + if (!workflow) { |
| 74 | + logger.warn(`[${requestId}] Associated workflow not found: ${workflowId}`) |
| 75 | + // We'll still delete the marketplace entry even if the workflow is missing |
| 76 | + } else if (workflow.userId !== userId) { |
| 77 | + logger.warn( |
| 78 | + `[${requestId}] Workflow ${workflowId} belongs to user ${workflow.userId}, not current user ${userId}` |
| 79 | + ) |
| 80 | + return createErrorResponse('You do not have permission to unpublish this workflow', 403) |
| 81 | + } |
| 82 | + |
| 83 | + try { |
| 84 | + // Delete the marketplace entry - this is the primary action |
| 85 | + await db.delete(schema.marketplace).where(eq(schema.marketplace.id, id)) |
| 86 | + |
| 87 | + // Update the workflow to mark it as unpublished if it exists |
| 88 | + if (workflow) { |
| 89 | + await db.update(schema.workflow) |
| 90 | + .set({ isPublished: false }) |
| 91 | + .where(eq(schema.workflow.id, workflowId)) |
| 92 | + } |
| 93 | + |
| 94 | + logger.info(`[${requestId}] Workflow "${marketplaceEntry.name}" unpublished from marketplace: ID=${id}, workflowId=${workflowId}`) |
| 95 | + |
| 96 | + return createSuccessResponse({ |
| 97 | + success: true, |
| 98 | + message: 'Workflow successfully unpublished from marketplace', |
| 99 | + }) |
| 100 | + } catch (dbError) { |
| 101 | + logger.error(`[${requestId}] Database error unpublishing marketplace entry:`, dbError) |
| 102 | + return createErrorResponse('Failed to unpublish workflow due to a database error', 500) |
| 103 | + } |
50 | 104 | } catch (error) { |
51 | | - logger.error(`[${requestId}] Error unpublishing workflow: ${(await params).id}`, error) |
| 105 | + logger.error(`[${requestId}] Error unpublishing marketplace entry: ${(await params).id}`, error) |
52 | 106 | return createErrorResponse('Failed to unpublish workflow', 500) |
53 | 107 | } |
54 | 108 | } |
0 commit comments