fix(grafana): route update_folder egress server-side (carry over #5082)

#5082 added a grafana update_folder tool that does SSRF-pinned fetch in its
postProcess, re-introducing the client-bundle leak. Convert it to the internal
API route pattern like the other update tools so the def is declarative and
input-validation.server stays out of the client bundle.

Author: waleedlatif1

apps/sim/app/api/tools/grafana/update_folder/route.ts

@@ -0,0 +1,148 @@
+import { createLogger } from '@sim/logger'
+import { getErrorMessage } from '@sim/utils/errors'
+import { type NextRequest, NextResponse } from 'next/server'
+import { grafanaUpdateFolderContract } from '@/lib/api/contracts/tools/grafana'
+import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import {
+  secureFetchWithPinnedIP,
+  validateUrlWithDNS,
+} from '@/lib/core/security/input-validation.server'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+
+export const dynamic = 'force-dynamic'
+
+const logger = createLogger('GrafanaUpdateFolderAPI')
+
+export const POST = withRouteHandler(async (request: NextRequest) => {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success || !authResult.userId) {
+      logger.warn(`[${requestId}] Unauthorized Grafana update folder attempt: ${authResult.error}`)
+      return NextResponse.json(
+        { success: false, error: authResult.error || 'Authentication required' },
+        { status: 401 }
+      )
+    }
+
+    const parsed = await parseRequest(
+      grafanaUpdateFolderContract,
+      request,
+      {},
+      {
+        validationErrorResponse: (error) => {
+          logger.warn(`[${requestId}] Invalid request data`, { errors: error.issues })
+          return NextResponse.json(
+            {
+              success: false,
+              error: getValidationErrorMessage(error, 'Invalid request data'),
+              details: error.issues,
+            },
+            { status: 400 }
+          )
+        },
+      }
+    )
+    if (!parsed.success) return parsed.response
+    const params = parsed.data.body
+
+    const baseUrl = params.baseUrl.replace(/\/$/, '')
+
+    const headers: Record<string, string> = {
+      'Content-Type': 'application/json',
+      Authorization: `Bearer ${params.apiKey}`,
+    }
+    if (params.organizationId) {
+      headers['X-Grafana-Org-Id'] = params.organizationId
+    }
+
+    const folderUrl = `${baseUrl}/api/folders/${params.folderUid.trim()}`
+    const urlValidation = await validateUrlWithDNS(folderUrl, 'baseUrl')
+    if (!urlValidation.isValid || !urlValidation.resolvedIP) {
+      return NextResponse.json({
+        success: false,
+        output: {},
+        error: `Invalid Grafana baseUrl: ${urlValidation.error}`,
+      })
+    }
+
+    const getResponse = await secureFetchWithPinnedIP(folderUrl, urlValidation.resolvedIP, {
+      method: 'GET',
+      headers,
+    })
+
+    if (!getResponse.ok) {
+      const errorText = await getResponse.text()
+      return NextResponse.json({
+        success: false,
+        output: {},
+        error: `Failed to fetch existing folder: ${errorText}`,
+      })
+    }
+
+    const existingFolder = (await getResponse.json()) as any
+
+    if (!existingFolder || !existingFolder.uid) {
+      return NextResponse.json({
+        success: false,
+        output: {},
+        error: 'Failed to fetch existing folder',
+      })
+    }
+
+    const body: Record<string, unknown> = {
+      title: params.title ?? existingFolder.title,
+      version: existingFolder.version,
+      overwrite: true,
+    }
+
+    const updateResponse = await secureFetchWithPinnedIP(folderUrl, urlValidation.resolvedIP, {
+      method: 'PUT',
+      headers,
+      body: JSON.stringify(body),
+    })
+
+    if (!updateResponse.ok) {
+      const errorText = await updateResponse.text()
+      return NextResponse.json({
+        success: false,
+        output: {},
+        error: `Failed to update folder: ${errorText}`,
+      })
+    }
+
+    const data = (await updateResponse.json()) as Record<string, unknown>
+
+    return NextResponse.json({
+      success: true,
+      output: {
+        id: (data.id as number) ?? null,
+        uid: (data.uid as string) ?? null,
+        title: (data.title as string) ?? null,
+        url: (data.url as string) ?? null,
+        parentUid: (data.parentUid as string) ?? null,
+        parents: (data.parents as { uid: string; title: string; url: string }[]) ?? [],
+        hasAcl: (data.hasAcl as boolean) ?? null,
+        canSave: (data.canSave as boolean) ?? null,
+        canEdit: (data.canEdit as boolean) ?? null,
+        canAdmin: (data.canAdmin as boolean) ?? null,
+        createdBy: (data.createdBy as string) ?? null,
+        created: (data.created as string) ?? null,
+        updatedBy: (data.updatedBy as string) ?? null,
+        updated: (data.updated as string) ?? null,
+        version: (data.version as number) ?? null,
+      },
+    })
+  } catch (error) {
+    logger.error(`[${requestId}] Error updating Grafana folder:`, error)
+    return NextResponse.json({
+      success: false,
+      output: {},
+      error: getErrorMessage(error),
+    })
+  }
+})

apps/sim/lib/api/contracts/tools/grafana.ts

@@ -84,6 +84,38 @@ export const grafanaUpdateAlertRuleResponseSchema = z.object({
   error: z.string().optional(),
 })
 
+const grafanaUpdateFolderBodySchema = z.object({
+  apiKey: z.string().min(1, 'Grafana Service Account Token is required'),
+  baseUrl: z.string().min(1, 'Grafana instance URL is required'),
+  organizationId: z.string().optional(),
+  folderUid: z.string().min(1, 'Folder UID is required'),
+  title: z.string().min(1, 'Folder title is required'),
+})
+
+const grafanaUpdateFolderOutputSchema = z.object({
+  id: z.number().nullable(),
+  uid: z.string().nullable(),
+  title: z.string().nullable(),
+  url: z.string().nullable(),
+  parentUid: z.string().nullable(),
+  parents: z.array(z.object({ uid: z.string(), title: z.string(), url: z.string() })),
+  hasAcl: z.boolean().nullable(),
+  canSave: z.boolean().nullable(),
+  canEdit: z.boolean().nullable(),
+  canAdmin: z.boolean().nullable(),
+  createdBy: z.string().nullable(),
+  created: z.string().nullable(),
+  updatedBy: z.string().nullable(),
+  updated: z.string().nullable(),
+  version: z.number().nullable(),
+})
+
+export const grafanaUpdateFolderResponseSchema = z.object({
+  success: z.boolean(),
+  output: z.union([grafanaUpdateFolderOutputSchema, z.object({})]),
+  error: z.string().optional(),
+})
+
 export const grafanaUpdateDashboardContract = defineRouteContract({
   method: 'POST',
   path: '/api/tools/grafana/update_dashboard',
@@ -98,11 +130,20 @@ export const grafanaUpdateAlertRuleContract = defineRouteContract({
   response: { mode: 'json', schema: grafanaUpdateAlertRuleResponseSchema },
 })
 
+export const grafanaUpdateFolderContract = defineRouteContract({
+  method: 'POST',
+  path: '/api/tools/grafana/update_folder',
+  body: grafanaUpdateFolderBodySchema,
+  response: { mode: 'json', schema: grafanaUpdateFolderResponseSchema },
+})
+
 export {
   grafanaUpdateDashboardBodySchema,
   grafanaUpdateDashboardOutputSchema,
   grafanaUpdateAlertRuleBodySchema,
   grafanaUpdateAlertRuleOutputSchema,
+  grafanaUpdateFolderBodySchema,
+  grafanaUpdateFolderOutputSchema,
 }
 
 export type GrafanaUpdateDashboardBody = ContractBody<typeof grafanaUpdateDashboardContract>
@@ -113,3 +154,5 @@ export type GrafanaUpdateAlertRuleBody = ContractBody<typeof grafanaUpdateAlertR
 export type GrafanaUpdateAlertRuleResponse = ContractJsonResponse<
   typeof grafanaUpdateAlertRuleContract
 >
+export type GrafanaUpdateFolderBody = ContractBody<typeof grafanaUpdateFolderContract>
+export type GrafanaUpdateFolderResponse = ContractJsonResponse<typeof grafanaUpdateFolderContract>

apps/sim/tools/grafana/update_folder.ts

@@ -1,7 +1,3 @@
-import {
-  secureFetchWithPinnedIP,
-  validateUrlWithDNS,
-} from '@/lib/core/security/input-validation.server'
 import type { GrafanaUpdateFolderParams } from '@/tools/grafana/types'
 import type { ToolConfig, ToolResponse } from '@/tools/types'
 
@@ -45,90 +41,23 @@ export const updateFolderTool: ToolConfig<GrafanaUpdateFolderParams, ToolRespons
   },
 
   request: {
-    url: (params) => `${params.baseUrl.replace(/\/$/, '')}/api/folders/${params.folderUid.trim()}`,
-    method: 'GET',
-    headers: (params) => {
-      const headers: Record<string, string> = {
-        'Content-Type': 'application/json',
-        Authorization: `Bearer ${params.apiKey}`,
-      }
-      if (params.organizationId) {
-        headers['X-Grafana-Org-Id'] = params.organizationId
-      }
-      return headers
-    },
+    url: () => '/api/tools/grafana/update_folder',
+    method: 'POST',
+    headers: () => ({ 'Content-Type': 'application/json' }),
+    body: (params) => ({
+      apiKey: params.apiKey,
+      baseUrl: params.baseUrl,
+      organizationId: params.organizationId,
+      folderUid: params.folderUid,
+      title: params.title,
+    }),
   },
 
   transformResponse: async (response: Response) => {
     const data = await response.json()
     return {
       success: true,
-      output: { _existingFolder: data },
-    }
-  },
-
-  postProcess: async (result, params) => {
-    const existingFolder = result.output._existingFolder
-
-    if (!existingFolder || !existingFolder.uid) {
-      return { success: false, output: {}, error: 'Failed to fetch existing folder' }
-    }
-
-    const body: Record<string, unknown> = {
-      title: params.title ?? existingFolder.title,
-      version: existingFolder.version,
-      overwrite: true,
-    }
-
-    const headers: Record<string, string> = {
-      'Content-Type': 'application/json',
-      Authorization: `Bearer ${params.apiKey}`,
-    }
-    if (params.organizationId) {
-      headers['X-Grafana-Org-Id'] = params.organizationId
-    }
-
-    const updateUrl = `${params.baseUrl.replace(/\/$/, '')}/api/folders/${params.folderUid.trim()}`
-    const urlValidation = await validateUrlWithDNS(updateUrl, 'baseUrl')
-    if (!urlValidation.isValid || !urlValidation.resolvedIP) {
-      return {
-        success: false,
-        output: {},
-        error: `Invalid Grafana baseUrl: ${urlValidation.error}`,
-      }
-    }
-
-    const updateResponse = await secureFetchWithPinnedIP(updateUrl, urlValidation.resolvedIP, {
-      method: 'PUT',
-      headers,
-      body: JSON.stringify(body),
-    })
-
-    if (!updateResponse.ok) {
-      const errorText = await updateResponse.text()
-      return { success: false, output: {}, error: `Failed to update folder: ${errorText}` }
-    }
-
-    const data = (await updateResponse.json()) as Record<string, unknown>
-    return {
-      success: true,
-      output: {
-        id: (data.id as number) ?? null,
-        uid: (data.uid as string) ?? null,
-        title: (data.title as string) ?? null,
-        url: (data.url as string) ?? null,
-        parentUid: (data.parentUid as string) ?? null,
-        parents: (data.parents as { uid: string; title: string; url: string }[]) ?? [],
-        hasAcl: (data.hasAcl as boolean) ?? null,
-        canSave: (data.canSave as boolean) ?? null,
-        canEdit: (data.canEdit as boolean) ?? null,
-        canAdmin: (data.canAdmin as boolean) ?? null,
-        createdBy: (data.createdBy as string) ?? null,
-        created: (data.created as string) ?? null,
-        updatedBy: (data.updatedBy as string) ?? null,
-        updated: (data.updated as string) ?? null,
-        version: (data.version as number) ?? null,
-      },
+      output: data.output,
     }
   },
 

scripts/check-api-validation-contracts.ts

@@ -9,8 +9,8 @@ const QUERY_HOOKS_DIR = path.join(ROOT, 'apps/sim/hooks/queries')
 const SELECTOR_HOOKS_DIR = path.join(ROOT, 'apps/sim/hooks/selectors')
 
 const BASELINE = {
-  totalRoutes: 850,
-  zodRoutes: 850,
+  totalRoutes: 851,
+  zodRoutes: 851,
   nonZodRoutes: 0,
 } as const