NangoHQ · khaliqgant · Apr 5, 2024 · Apr 3, 2024 · Apr 3, 2024 · Apr 3, 2024
diff --git a/packages/server/lib/controllers/connection.controller.ts b/packages/server/lib/controllers/connection.controller.ts
@@ -28,6 +28,7 @@ import {
     environmentService,
     accountService,
     connectionCreated as connectionCreatedHook,
+    connectionCreationStartCapCheck as connectionCreationStartCapCheckHook,
     slackNotificationService
 } from '@nangohq/shared';
 import { getUserAccountAndEnvironmentFromSession } from '../utils/utils.js';
@@ -527,6 +528,21 @@ class ConnectionController {
                 return;
             }
 
+            const account = await accountService.getAccountById(accountId);
+
+            if (!account) {
+                errorManager.errRes(res, 'unknown_account');
+                return;
+            }
+
+            if (account.is_capped && provider_config_key) {
+                const isCapped = await connectionCreationStartCapCheckHook({ providerConfigKey: provider_config_key, environmentId });
+                if (isCapped) {
+                    errorManager.errRes(res, 'resource_capped');
+                    return;
+                }
+            }
+
             const template = await configService.getTemplate(provider);
 
             let oAuthCredentials: ImportedCredentials;
@@ -732,6 +748,13 @@ class ConnectionController {
                     accountId
                 );
 
+                if (imported) {
+                    updatedConnection = imported;
+                    runHook = true;
+                }
+            } else if (template.auth_mode === ProviderAuthModes.None) {
+                const [imported] = await connectionService.upsertUnauthConnection(connection_id, provider_config_key, provider, environmentId, accountId);
+
                 if (imported) {
                     updatedConnection = imported;
                     runHook = true;

diff --git a/...rver/lib/controllers/access.middleware.ts → ...erver/lib/middleware/access.middleware.ts b/...rver/lib/controllers/access.middleware.ts → ...erver/lib/middleware/access.middleware.ts
@@ -14,7 +14,7 @@ import {
     telemetry,
     MetricTypes
 } from '@nangohq/shared';
-import { NANGO_ADMIN_UUID } from './account.controller.js';
+import { NANGO_ADMIN_UUID } from '../controllers/account.controller.js';
 import tracer from 'dd-trace';
 
 const logger = getLogger('AccessMiddleware');

diff --git a/...r/lib/controllers/ratelimit.middleware.ts → ...er/lib/middleware/ratelimit.middleware.ts b/...r/lib/controllers/ratelimit.middleware.ts → ...er/lib/middleware/ratelimit.middleware.ts
diff --git a/packages/server/lib/middleware/resource-capping.middleware.ts b/packages/server/lib/middleware/resource-capping.middleware.ts
@@ -0,0 +1,37 @@
+import type { Request, Response, NextFunction } from 'express';
+import {
+    accountService,
+    getEnvironmentAndAccountId,
+    errorManager,
+    connectionCreationStartCapCheck as connectionCreationStartCapCheckHook
+} from '@nangohq/shared';
+
+export const authCheck = async (req: Request, res: Response, next: NextFunction) => {
+    const { success, error, response } = await getEnvironmentAndAccountId(res, req);
+
+    if (!success || response === null) {
+        errorManager.errResFromNangoErr(res, error);
+        return;
+    }
+
+    const { accountId, environmentId } = response;
+
+    const account = await accountService.getAccountById(accountId);
+
+    if (!account) {
+        errorManager.errRes(res, 'unknown_account');
+        return;
+    }
+
+    const { providerConfigKey } = req.params;
+
+    if (account.is_capped && providerConfigKey) {
+        const isCapped = await connectionCreationStartCapCheckHook({ providerConfigKey, environmentId });
+        if (isCapped) {
+            errorManager.errRes(res, 'resource_capped');
+            return;
+        }
+    }
+
+    next();
+};
diff --git a/packages/server/lib/server.ts b/packages/server/lib/server.ts
@@ -9,7 +9,7 @@ import connectionController from './controllers/connection.controller.js';
 import authController from './controllers/auth.controller.js';
 import unAuthController from './controllers/unauth.controller.js';
 import appStoreAuthController from './controllers/appStoreAuth.controller.js';
-import authMiddleware from './controllers/access.middleware.js';
+import authMiddleware from './middleware/access.middleware.js';
 import userController from './controllers/user.controller.js';
 import proxyController from './controllers/proxy.controller.js';
 import activityController from './controllers/activity.controller.js';
@@ -19,7 +19,8 @@ import apiAuthController from './controllers/apiAuth.controller.js';
 import appAuthController from './controllers/appAuth.controller.js';
 import onboardingController from './controllers/onboarding.controller.js';
 import webhookController from './controllers/webhook.controller.js';
-import { rateLimiterMiddleware } from './controllers/ratelimit.middleware.js';
+import { rateLimiterMiddleware } from './middleware/ratelimit.middleware.js';
+import { authCheck } from './middleware/resource-capping.middleware.js';
 import path from 'path';
 import { dirname } from './utils/utils.js';
 import type { WebSocket } from 'ws';
@@ -50,7 +51,7 @@ setupAuth(app);
 
 const apiAuth = [authMiddleware.secretKeyAuth.bind(authMiddleware), rateLimiterMiddleware];
 const adminAuth = [authMiddleware.secretKeyAuth.bind(authMiddleware), authMiddleware.adminKeyAuth.bind(authMiddleware), rateLimiterMiddleware];
-const apiPublicAuth = [authMiddleware.publicKeyAuth.bind(authMiddleware), rateLimiterMiddleware];
+const apiPublicAuth = [authMiddleware.publicKeyAuth.bind(authMiddleware), authCheck, rateLimiterMiddleware];
 const webAuth =
     isCloud || isEnterprise
         ? [passport.authenticate('session'), authMiddleware.sessionAuth.bind(authMiddleware), rateLimiterMiddleware]
@@ -89,11 +90,12 @@ await oAuthSessionService.clearStaleSessions();
 app.get('/health', (_, res) => {
     res.status(200).send({ result: 'ok' });
 });
+
 app.route('/oauth/callback').get(oauthController.oauthCallback.bind(oauthController));
+app.route('/webhook/:environmentUuid/:providerConfigKey').post(webhookController.receive.bind(proxyController));
 app.route('/app-auth/connect').get(appAuthController.connect.bind(appAuthController));
 app.route('/oauth/connect/:providerConfigKey').get(apiPublicAuth, oauthController.oauthRequest.bind(oauthController));
 app.route('/oauth2/auth/:providerConfigKey').post(apiPublicAuth, oauthController.oauth2RequestCC.bind(oauthController));
-app.route('/webhook/:environmentUuid/:providerConfigKey').post(webhookController.receive.bind(proxyController));
 app.route('/api-auth/api-key/:providerConfigKey').post(apiPublicAuth, apiAuthController.apiKey.bind(apiAuthController));
 app.route('/api-auth/basic/:providerConfigKey').post(apiPublicAuth, apiAuthController.basic.bind(apiAuthController));
 app.route('/app-store-auth/:providerConfigKey').post(apiPublicAuth, appStoreAuthController.auth.bind(appStoreAuthController));

diff --git a/packages/shared/lib/hooks/hooks.ts b/packages/shared/lib/hooks/hooks.ts
@@ -11,9 +11,45 @@ import integrationPostConnectionScript from '../integrations/scripts/connection/
 import webhookService from '../services/notification/webhook.service.js';
 import { SpanTypes } from '../utils/telemetry.js';
 import { isCloud, isLocal, isEnterprise } from '../utils/temp/environment/detection.js';
+import { getSyncConfigsWithConnections } from '../services/sync/config/config.service.js';
 import type { Result } from '../utils/result.js';
 import { resultOk, resultErr } from '../utils/result.js';
 import { NangoError } from '../utils/error.js';
+import { getLogger } from '../utils/temp/logger.js';
+
+const logger = getLogger('hooks');
+
+const CONNECTIONS_WITH_SCRIPTS_CAP_LIMIT = 3;
+
+export const connectionCreationStartCapCheck = async ({
+    providerConfigKey,
+    environmentId
+}: {
+    providerConfigKey: string | undefined;
+    environmentId: number;
+}): Promise<boolean> => {
+    if (!providerConfigKey) {
+        return false;
+    }
+
+    const scriptConfigs = await getSyncConfigsWithConnections(providerConfigKey, environmentId);
+
+    const reachedCap = false;
+
+    if (scriptConfigs.length > 0) {
+        for (const script of scriptConfigs) {
+            const { connections } = script;
+
+            if (connections.length >= CONNECTIONS_WITH_SCRIPTS_CAP_LIMIT) {
+                //reachedCap = true;
+                logger.info(`Reached cap for providerConfigKey: ${providerConfigKey} and environmentId: ${environmentId}`);
+                break;
+            }
+        }
+    }
+
+    return reachedCap;
+};
 
 export const connectionCreated = async (
     connection: RecentlyCreatedConnection,

diff --git a/packages/shared/lib/services/sync/config/config.service.ts b/packages/shared/lib/services/sync/config/config.service.ts
@@ -569,6 +569,44 @@ export async function getSyncConfigsWithConnectionsByEnvironmentId(environment_i
     return result;
 }
 
+export async function getSyncConfigsWithConnections(
+    providerConfigKey: string,
+    environment_id: number
+): Promise<{ connections: { connection_id: string }[]; provider: string; unique_key: string }[]> {
+    const result = await db.knex
+        .select(
+            `${TABLE}.id`,
+            '_nango_configs.provider',
+            '_nango_configs.unique_key',
+            db.knex.raw(
+                `(
+                    SELECT json_agg(
+                        json_build_object(
+                            'connection_id', _nango_connections.connection_id
+                        )
+                    )
+                    FROM _nango_connections
+                    WHERE _nango_configs.environment_id = _nango_connections.environment_id
+                    AND _nango_configs.unique_key = _nango_connections.provider_config_key
+                    AND _nango_configs.deleted = false
+                    AND _nango_connections.deleted = false
+                ) as connections
+                `
+            )
+        )
+        .from<SyncConfig>(TABLE)
+        .join('_nango_configs', `${TABLE}.nango_config_id`, '_nango_configs.id')
+        .where({
+            '_nango_configs.environment_id': environment_id,
+            '_nango_configs.unique_key': providerConfigKey,
+            active: true,
+            '_nango_configs.deleted': false,
+            [`${TABLE}.deleted`]: false
+        });
+
+    return result;
+}
+
 /**
  * Get Sync Configs By Provider Key
  * @desc grab all the sync configs by a provider key

diff --git a/packages/shared/lib/utils/error.ts b/packages/shared/lib/utils/error.ts
@@ -559,6 +559,13 @@ export class NangoError extends Error {
                 this.message = `Missing an account name for account login/signup.`;
                 break;
 
+            case 'resource_capped':
+                this.status = 400;
+                // TODO docs link
+                this.message =
+                    'You have reached the maximum number of integrations with active scripts. Upgrade or deactivate the scripts to create more connections (https://docs.nango.dev/relevant-link).';
+                break;
+
             default:
                 this.status = 500;
                 this.type = 'unhandled_' + type;