Merge branch 'staging' into feat/workspace-files-folders

Author: icecrasher321

apps/realtime/src/database/operations.ts

@@ -30,7 +30,7 @@ const socketDb = drizzle(
     prepare: false,
     idle_timeout: 10,
     connect_timeout: 20,
-    max: 30,
+    max: 15,
     onnotice: () => {},
   }),
   { schema }

apps/sim/app/(landing)/seo.test.ts

@@ -26,9 +26,21 @@ const SEO_SCAN_DIRS = [
 
 const SEO_SCAN_INDIVIDUAL_FILES = [
   path.resolve(APP_DIR, 'page.tsx'),
+  path.resolve(APP_DIR, 'robots.ts'),
+  path.resolve(APP_DIR, 'sitemap.ts'),
   path.resolve(SIM_ROOT, 'ee', 'whitelabeling', 'metadata.ts'),
 ]
 
+/**
+ * Files whose entire URL output is SEO-facing (robots.txt, sitemap.xml).
+ * Unlike metadata exports, these don't use `metadataBase`, so the existing
+ * `getBaseUrl()`-in-metadata check would miss a regression here.
+ */
+const SEO_DEFAULT_EXPORT_FILES = [
+  path.resolve(APP_DIR, 'robots.ts'),
+  path.resolve(APP_DIR, 'sitemap.ts'),
+]
+
 function collectFiles(dir: string, exts: string[]): string[] {
   const results: string[] = []
   if (!fs.existsSync(dir)) return results
@@ -97,6 +109,21 @@ describe('SEO canonical URLs', () => {
     ).toHaveLength(0)
   })
 
+  it('robots.ts and sitemap.ts do not import getBaseUrl', () => {
+    const violations: string[] = []
+    for (const file of SEO_DEFAULT_EXPORT_FILES) {
+      if (!fs.existsSync(file)) continue
+      const content = fs.readFileSync(file, 'utf-8')
+      if (content.includes('getBaseUrl')) {
+        violations.push(path.relative(SIM_ROOT, file))
+      }
+    }
+    expect(
+      violations,
+      `robots.ts/sitemap.ts must use SITE_URL, not getBaseUrl():\n${violations.join('\n')}`
+    ).toHaveLength(0)
+  })
+
   it('public pages do not use getBaseUrl() for SEO metadata', () => {
     const files = getAllSeoFiles(['.ts', '.tsx'])
     const violations: string[] = []

apps/sim/app/api/auth/socket-token/route.ts

@@ -1,18 +1,26 @@
 import { createLogger } from '@sim/logger'
 import { toError } from '@sim/utils/errors'
 import { headers } from 'next/headers'
-import { NextResponse } from 'next/server'
+import { type NextRequest, NextResponse } from 'next/server'
 import { auth } from '@/lib/auth'
 import { isAuthDisabled } from '@/lib/core/config/feature-flags'
+import { enforceIpRateLimit } from '@/lib/core/rate-limiter'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
 const logger = createLogger('SocketTokenAPI')
 
-export const POST = withRouteHandler(async () => {
+export const POST = withRouteHandler(async (request: NextRequest) => {
   if (isAuthDisabled) {
     return NextResponse.json({ token: 'anonymous-socket-token' })
   }
 
+  const rateLimited = await enforceIpRateLimit('socket-token', request, {
+    maxTokens: 30,
+    refillRate: 30,
+    refillIntervalMs: 60_000,
+  })
+  if (rateLimited) return rateLimited
+
   try {
     const hdrs = await headers()
     const response = await auth.api.generateOneTimeToken({

apps/sim/app/api/auth/sso/providers/route.ts

@@ -5,6 +5,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { listSsoProvidersContract } from '@/lib/api/contracts/auth'
 import { parseRequest } from '@/lib/api/server'
 import { getSession } from '@/lib/auth'
+import { enforceIpRateLimit } from '@/lib/core/rate-limiter'
 import { REDACTED_MARKER } from '@/lib/core/security/redaction'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
@@ -13,6 +14,14 @@ const logger = createLogger('SSOProvidersRoute')
 export const GET = withRouteHandler(async (request: NextRequest) => {
   try {
     const session = await getSession()
+    if (!session?.user?.id) {
+      const rateLimited = await enforceIpRateLimit('sso-providers', request, {
+        maxTokens: 20,
+        refillRate: 20,
+        refillIntervalMs: 60_000,
+      })
+      if (rateLimited) return rateLimited
+    }
     const parsed = await parseRequest(listSsoProvidersContract, request, {})
     if (!parsed.success) return parsed.response
     const { organizationId } = parsed.data.query

apps/sim/app/api/chat/[identifier]/otp/route.test.ts

@@ -423,7 +423,7 @@ describe('Chat OTP API Route', () => {
       expect(headerSet).toHaveBeenCalledWith('Retry-After', '900')
     })
 
-    it('skips IP rate limit when client IP is unknown', async () => {
+    it('folds spoofed `unknown` client IPs into a single shared bucket', async () => {
       requestUtilsMockFns.mockGetClientIp.mockReturnValueOnce('unknown')
       buildDeploymentSelect()
 
@@ -434,8 +434,11 @@ describe('Chat OTP API Route', () => {
 
       await POST(request, { params: Promise.resolve({ identifier: mockIdentifier }) })
 
-      // Only the email-scoped check should run, not the IP-scoped one
-      expect(mockCheckRateLimitDirect).toHaveBeenCalledTimes(1)
+      expect(mockCheckRateLimitDirect).toHaveBeenCalledTimes(2)
+      expect(mockCheckRateLimitDirect).toHaveBeenCalledWith(
+        expect.stringMatching(/^chat-otp:ip:.*:unknown$/),
+        expect.any(Object)
+      )
       expect(mockCheckRateLimitDirect).toHaveBeenCalledWith(
         expect.stringContaining('chat-otp:email:'),
         expect.any(Object)

apps/sim/app/api/chat/[identifier]/otp/route.ts

@@ -223,20 +223,18 @@ export const POST = withRouteHandler(
 
     try {
       const ip = getClientIp(request)
-      if (ip !== 'unknown') {
-        const ipRateLimit = await rateLimiter.checkRateLimitDirect(
-          `chat-otp:ip:${identifier}:${ip}`,
-          OTP_IP_RATE_LIMIT
+      const ipRateLimit = await rateLimiter.checkRateLimitDirect(
+        `chat-otp:ip:${identifier}:${ip}`,
+        OTP_IP_RATE_LIMIT
+      )
+      if (!ipRateLimit.allowed) {
+        logger.warn(`[${requestId}] OTP IP rate limit exceeded for ${identifier} from ${ip}`)
+        const retryAfter = Math.ceil(
+          (ipRateLimit.retryAfterMs ?? OTP_IP_RATE_LIMIT.refillIntervalMs) / 1000
         )
-        if (!ipRateLimit.allowed) {
-          logger.warn(`[${requestId}] OTP IP rate limit exceeded for ${identifier} from ${ip}`)
-          const retryAfter = Math.ceil(
-            (ipRateLimit.retryAfterMs ?? OTP_IP_RATE_LIMIT.refillIntervalMs) / 1000
-          )
-          const response = createErrorResponse('Too many requests. Please try again later.', 429)
-          response.headers.set('Retry-After', String(retryAfter))
-          return addCorsHeaders(response, request)
-        }
+        const response = createErrorResponse('Too many requests. Please try again later.', 429)
+        response.headers.set('Retry-After', String(retryAfter))
+        return addCorsHeaders(response, request)
       }
 
       const parsed = await parseRequest(requestChatEmailOtpContract, request, context, {

apps/sim/app/api/chat/[identifier]/sso/route.ts

@@ -30,20 +30,18 @@ export const POST = withRouteHandler(
     const requestId = generateRequestId()
 
     const ip = getClientIp(request)
-    if (ip !== 'unknown') {
-      const ipRateLimit = await rateLimiter.checkRateLimitDirect(
-        `chat-sso:ip:${ip}`,
-        SSO_IP_RATE_LIMIT
+    const ipRateLimit = await rateLimiter.checkRateLimitDirect(
+      `chat-sso:ip:${ip}`,
+      SSO_IP_RATE_LIMIT
+    )
+    if (!ipRateLimit.allowed) {
+      logger.warn(`[${requestId}] SSO eligibility rate limit exceeded from ${ip}`)
+      const retryAfter = Math.ceil(
+        (ipRateLimit.retryAfterMs ?? SSO_IP_RATE_LIMIT.refillIntervalMs) / 1000
       )
-      if (!ipRateLimit.allowed) {
-        logger.warn(`[${requestId}] SSO eligibility rate limit exceeded from ${ip}`)
-        const retryAfter = Math.ceil(
-          (ipRateLimit.retryAfterMs ?? SSO_IP_RATE_LIMIT.refillIntervalMs) / 1000
-        )
-        const response = createErrorResponse('Too many requests. Please try again later.', 429)
-        response.headers.set('Retry-After', String(retryAfter))
-        return addCorsHeaders(response, request)
-      }
+      const response = createErrorResponse('Too many requests. Please try again later.', 429)
+      response.headers.set('Retry-After', String(retryAfter))
+      return addCorsHeaders(response, request)
     }
 
     const parsed = await parseRequest(chatSSOContract, request, context)

apps/sim/app/api/mcp/servers/[id]/refresh/route.ts

@@ -2,7 +2,7 @@ import { db } from '@sim/db'
 import { mcpServers, workflow, workflowBlocks } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { toError } from '@sim/utils/errors'
-import { and, eq, isNull } from 'drizzle-orm'
+import { and, eq, inArray, isNull } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { mcpServerIdParamsSchema } from '@/lib/api/contracts/mcp'
 import { validationErrorResponse } from '@/lib/api/server'
@@ -77,13 +77,11 @@ async function syncToolSchemasToWorkflows(
       subBlocks: workflowBlocks.subBlocks,
     })
     .from(workflowBlocks)
-    .where(eq(workflowBlocks.type, 'agent'))
+    .where(and(eq(workflowBlocks.type, 'agent'), inArray(workflowBlocks.workflowId, workflowIds)))
 
   const updatedWorkflowIds = new Set<string>()
 
   for (const block of agentBlocks) {
-    if (!workflowIds.includes(block.workflowId)) continue
-
     const subBlocks = block.subBlocks as Record<string, unknown> | null
     if (!subBlocks) continue
 

apps/sim/app/api/mcp/tools/stored/route.ts

@@ -2,7 +2,7 @@ import { db } from '@sim/db'
 import { workflow, workflowBlocks } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { toError } from '@sim/utils/errors'
-import { eq } from 'drizzle-orm'
+import { and, eq, inArray } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { withMcpAuth } from '@/lib/mcp/middleware'
@@ -33,13 +33,13 @@ export const GET = withRouteHandler(
       const agentBlocks = await db
         .select({ workflowId: workflowBlocks.workflowId, subBlocks: workflowBlocks.subBlocks })
         .from(workflowBlocks)
-        .where(eq(workflowBlocks.type, 'agent'))
+        .where(
+          and(eq(workflowBlocks.type, 'agent'), inArray(workflowBlocks.workflowId, workflowIds))
+        )
 
       const storedTools: StoredMcpTool[] = []
 
       for (const block of agentBlocks) {
-        if (!workflowMap.has(block.workflowId)) continue
-
         const subBlocks = block.subBlocks as Record<string, unknown> | null
         if (!subBlocks) continue