improvement(chat): deployed chat no longer uses subdomains, uses sim.ai/chat/[identifier] #1474
added 7 commits
September 27, 2025 14:04
…ai/chat/[identifier]
Greptile Overview
Summary
This PR successfully migrates chat deployments from subdomain-based URLs (x.sim.ai) to path-based URLs (sim.ai/chat/x), addressing a significant security vulnerability where subdomains could be abused.
Key Changes:
- Database migration renames `subdomain` column to `identifier` with proper indexing
- API endpoints updated to use path-based routing with `/chat/[identifier]` structure
- URL generation logic changed from `${identifier}.sim.ai` to `sim.ai/chat/${identifier}`
- Proper validation maintains regex pattern `/^[a-z0-9-]+$/` for identifiers
- Authentication and CORS handling preserved for new path structure
- UI components updated to display new URL format correctly
Security Improvements:
- Eliminates subdomain abuse potential on sim.ai domain
- Maintains all existing authentication mechanisms (public, password, email)
- Preserves CSRF protection and validation patterns
Testing & Validation:
- Comprehensive test coverage maintained for API routes
- Identifier validation ensures backward compatibility
- Database migration properly handles existing deployments
The implementation is thorough and maintains feature parity while significantly improving security posture.
Confidence Score: 4/5
- This PR is safe to merge with one minor cookie domain configuration issue to address
- Score reflects comprehensive implementation with proper database migration, validation, and security improvements, but includes one logic issue with cookie domain settings that should be reviewed
- Pay close attention to apps/sim/app/api/chat/utils.ts for cookie domain configuration with path-based routing
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| apps/sim/app/api/chat/route.ts | 4/5 | Chat creation API updated to use path-based URLs instead of subdomains, includes proper validation and identifier uniqueness checks |
| apps/sim/app/api/chat/[identifier]/route.ts | 4/5 | Chat execution API using path-based identifier with proper authentication and CORS handling |
| packages/db/schema.ts | 5/5 | Database schema updated with identifier column and unique index, removing subdomain references |
| packages/db/migrations/0094_perpetual_the_watchers.sql | 5/5 | Database migration renames subdomain to identifier and updates index accordingly |
| apps/sim/app/api/chat/utils.ts | 3/5 | Critical chat utility functions with complex authentication and workflow execution logic - extensive but potential edge case handling needed |
Sequence Diagram
```mermaid
sequenceDiagram
    participant User as User
    participant UI as Deploy Modal UI
    participant API as Chat API (/api/chat)
    participant Validate as Validate API
    participant DB as Database
    participant Workflow as Workflow Engine

    Note over User,Workflow: New Path-Based Chat Deployment Flow
    User->>UI: Configure chat deployment
    UI->>Validate: GET /api/chat/validate?identifier=myChat
    Validate->>DB: Check if identifier exists
    DB-->>Validate: Return availability
    Validate-->>UI: {available: true/false}
    alt identifier available
        User->>UI: Submit deployment
        UI->>API: POST /api/chat
        Note over API: Validates identifier with regex: /^[a-z0-9-]+$/
        API->>DB: Check workflow access & deployment status
        DB-->>API: Return workflow info
        API->>DB: INSERT new chat with identifier
        DB-->>API: Return chat record
        Note over API: Generate URL: sim.ai/chat/{identifier}
        API-->>UI: {id, chatUrl: "https://sim.ai/chat/myChat"}
        UI-->>User: Display success with new URL format
    end

    Note over User,Workflow: Chat Access Flow (Previously: subdomain.sim.ai)
    User->>Workflow: GET sim.ai/chat/myChat
    Workflow->>API: POST /api/chat/myChat
    API->>DB: Find chat by identifier
    DB-->>API: Return chat config
    alt authentication required
        API-->>Workflow: {error: "auth_required_password"}
        Workflow-->>User: Show auth form
        User->>Workflow: Submit credentials
        Workflow->>API: POST with auth data
        API->>API: Validate credentials
        API-->>Workflow: Set auth cookie & continue
    end
    API->>Workflow: Execute workflow with input
    Workflow-->>User: Stream response
```
36 files reviewed, 1 comment
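The TypeScript below is an added illustration for this review, not code from the sim repository or from this PR. It shows the three things the Greptile summary touches: the identifier regex it quotes, the new `sim.ai/chat/<identifier>` URL beside the subdomain form it replaces, and the cookie-scoping question the review flags for `apps/sim/app/api/chat/utils.ts`. Under subdomain routing each deployment had its own cookie origin; under path routing every deployment shares the `sim.ai` host, and because the page lives at `/chat/<id>` while the diagram's execution API lives at `/api/chat/<id>`, a `Path` attribute cannot isolate one deployment's cookie from another's. The example therefore binds the token to the identifier and verifies that binding on every request. The base URL, the cookie name `chat_auth`, the reserved-segment list, the HMAC token format and the RFC 6265 path-matching helper are all assumptions made for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed for this example: public base URL and host of the deployment.
const BASE_URL = "https://sim.ai";
const BASE_HOST = "sim.ai";
// Regex quoted in the review: lowercase letters, digits and hyphens only.
const IDENTIFIER_PATTERN = /^[a-z0-9-]+$/;
// Assumed: static segments that share the /api/chat/ prefix with the dynamic
// [identifier] route (the diagram shows /api/chat/validate), so they should
// not be claimable as chat identifiers.
const RESERVED_IDENTIFIERS = new Set(["validate"]);

export function isValidIdentifier(identifier: string): boolean {
  return IDENTIFIER_PATTERN.test(identifier) && !RESERVED_IDENTIFIERS.has(identifier);
}

// New path-based URL, e.g. https://sim.ai/chat/my-chat
export function buildChatUrl(identifier: string): string {
  if (!isValidIdentifier(identifier)) {
    throw new Error(`invalid chat identifier: ${JSON.stringify(identifier)}`);
  }
  return `${BASE_URL}/chat/${identifier}`;
}

// The subdomain form this PR replaces, kept only for comparison.
export function buildLegacyChatUrl(identifier: string): string {
  return `https://${identifier}.${BASE_HOST}`;
}

// RFC 6265 section 5.1.4 path-match. Used here only to show that no single
// Path attribute covers both /chat/<id> and /api/chat/<id>.
export function pathMatches(cookiePath: string, requestPath: string): boolean {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath.charAt(cookiePath.length) === "/";
}

// Assumed token scheme: "<identifier>.<hex hmac-sha256(identifier)>". The
// identifier cannot contain ".", so the split below is unambiguous.
export function issueAuthToken(identifier: string, secret: string): string {
  if (!isValidIdentifier(identifier)) {
    throw new Error(`invalid chat identifier: ${JSON.stringify(identifier)}`);
  }
  const mac = createHmac("sha256", secret).update(identifier).digest("hex");
  return `${identifier}.${mac}`;
}

// Server-side check on every /chat/<id> or /api/chat/<id> request: the token
// must have been issued for the identifier in the URL, not just be any valid
// token for the shared sim.ai host.
export function tokenAuthorizes(token: string, requestedIdentifier: string, secret: string): boolean {
  const dot = token.lastIndexOf(".");
  if (dot < 0) return false;
  const identifier = token.slice(0, dot);
  const presented = token.slice(dot + 1);
  if (identifier !== requestedIdentifier || !isValidIdentifier(identifier)) return false;
  const expected = createHmac("sha256", secret).update(identifier).digest("hex");
  const a = new TextEncoder().encode(presented);
  const b = new TextEncoder().encode(expected);
  // Constant-time comparison; lengths must match before timingSafeEqual is called.
  return a.length === b.length && timingSafeEqual(a, b);
}

// Cookie carrying the token. Path=/ is the only path that reaches both the page
// and the API route on one host; isolation comes from tokenAuthorizes above,
// not from the Path attribute. Cookie name is assumed.
export function authCookieHeader(token: string): string {
  return `chat_auth=${token}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}
```

When reviewing the cookie logic in `utils.ts`, the check to make is the one `tokenAuthorizes` performs: whatever the cookie contains, the handler for `/api/chat/[identifier]` must confirm the credential was issued for that identifier before executing the workflow, since all deployments now share one cookie jar.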
Summary
sim.ai/chat/x and all future chats will use the new notation
Type of Change
Testing
Tested manually.
Checklist