feat: Sync app credentials between Cal.com & self-hosted platforms (#11059)

* Add credential sync .env variables

* Add webhook to send app credentials

* Upsert credentials when webhook called

* Refresh oauth token from a specific endpoint

* Pass appSlug

* Add credential encryption

* Move oauth helps into a folder

* Create parse token response wrapper

* Add OAuth helpers to apps

* Clean up

* Refactor `appDirName` to `appSlug`

* Address feedback

* Change to safe parse

* Remove console.log

---------

Co-authored-by: Syed Ali Shahbaz <[email protected]>
Co-authored-by: Omar López <[email protected]>

Author: 3 people

.env.example

@@ -230,6 +230,19 @@ AUTH_BEARER_TOKEN_VERCEL=
 E2E_TEST_APPLE_CALENDAR_EMAIL=""
 E2E_TEST_APPLE_CALENDAR_PASSWORD=""
 
+# - APP CREDENTIAL SYNC ***********************************************************************************
+# Used for self-hosters that are implementing Cal.com into their applications that already have certain integrations
+# Under settings/admin/apps ensure that all app secrets are set the same as the parent application
+# You can use: `openssl rand -base64 32` to generate one
+CALCOM_WEBHOOK_SECRET=""
+# This is the header name that will be used to verify the webhook secret. Should be in lowercase
+CALCOM_WEBHOOK_HEADER_NAME="calcom-webhook-secret"
+CALCOM_CREDENTIAL_SYNC_ENDPOINT=""
+# Key should match on Cal.com and your application
+# must be 32 bytes for AES256 encryption algorithm
+# You can use: `openssl rand -base64 24` to generate one
+CALCOM_APP_CREDENTIAL_ENCRYPTION_KEY=""
+
 # - OIDC E2E TEST *******************************************************************************************
 
 # Ensure this ADMIN EMAIL is present in the SAML_ADMINS list
@@ -243,4 +256,4 @@ E2E_TEST_OIDC_PROVIDER_DOMAIN=
 E2E_TEST_OIDC_USER_EMAIL=
 E2E_TEST_OIDC_USER_PASSWORD=
 
-# ***********************************************************************************************************
+# ***********************************************************************************************************

apps/web/pages/api/webhook/app-credential.ts

@@ -0,0 +1,93 @@
+import type { NextApiRequest, NextApiResponse } from "next";
+import z from "zod";
+
+import { appStoreMetadata } from "@calcom/app-store/appStoreMetaData";
+import { APP_CREDENTIAL_SHARING_ENABLED } from "@calcom/lib/constants";
+import { symmetricDecrypt } from "@calcom/lib/crypto";
+import prisma from "@calcom/prisma";
+
+const appCredentialWebhookRequestBodySchema = z.object({
+  // UserId of the cal.com user
+  userId: z.number().int(),
+  appSlug: z.string(),
+  // Keys should be AES256 encrypted with the CALCOM_APP_CREDENTIAL_ENCRYPTION_KEY
+  keys: z.string(),
+});
+/** */
+export default async function handler(req: NextApiRequest, res: NextApiResponse) {
+  // Check that credential sharing is enabled
+  if (!APP_CREDENTIAL_SHARING_ENABLED) {
+    return res.status(403).json({ message: "Credential sharing is not enabled" });
+  }
+
+  // Check that the webhook secret matches
+  if (
+    req.headers[process.env.CALCOM_WEBHOOK_HEADER_NAME || "calcom-webhook-secret"] !==
+    process.env.CALCOM_WEBHOOK_SECRET
+  ) {
+    return res.status(403).json({ message: "Invalid webhook secret" });
+  }
+
+  const reqBody = appCredentialWebhookRequestBodySchema.parse(req.body);
+
+  // Check that the user exists
+  const user = await prisma.user.findUnique({ where: { id: reqBody.userId } });
+
+  if (!user) {
+    return res.status(404).json({ message: "User not found" });
+  }
+
+  const app = await prisma.app.findUnique({
+    where: { slug: reqBody.appSlug },
+    select: { slug: true },
+  });
+
+  if (!app) {
+    return res.status(404).json({ message: "App not found" });
+  }
+
+  //   Search for the app's slug and type
+  const appMetadata = appStoreMetadata[app.slug as keyof typeof appStoreMetadata];
+
+  if (!appMetadata) {
+    return res.status(404).json({ message: "App not found. Ensure that you have the correct app slug" });
+  }
+
+  // Decrypt the keys
+  const keys = JSON.parse(
+    symmetricDecrypt(reqBody.keys, process.env.CALCOM_APP_CREDENTIAL_ENCRYPTION_KEY || "")
+  );
+
+  // Can't use prisma upsert as we don't know the id of the credential
+  const appCredential = await prisma.credential.findFirst({
+    where: {
+      userId: reqBody.userId,
+      appId: appMetadata.slug,
+    },
+    select: {
+      id: true,
+    },
+  });
+
+  if (appCredential) {
+    await prisma.credential.update({
+      where: {
+        id: appCredential.id,
+      },
+      data: {
+        key: keys,
+      },
+    });
+    return res.status(200).json({ message: `Credentials updated for userId: ${reqBody.userId}` });
+  } else {
+    await prisma.credential.create({
+      data: {
+        key: keys,
+        userId: reqBody.userId,
+        appId: appMetadata.slug,
+        type: appMetadata.type,
+      },
+    });
+    return res.status(200).json({ message: `Credentials created for userId: ${reqBody.userId}` });
+  }
+}

packages/app-store/_utils/createOAuthAppCredential.ts renamed to packages/app-store/_utils/oauth/createOAuthAppCredential.ts

@@ -3,8 +3,8 @@ import type { NextApiRequest } from "next";
 import { HttpError } from "@calcom/lib/http-error";
 import prisma from "@calcom/prisma";
 
-import { decodeOAuthState } from "./decodeOAuthState";
-import { throwIfNotHaveAdminAccessToTeam } from "./throwIfNotHaveAdminAccessToTeam";
+import { decodeOAuthState } from "../oauth/decodeOAuthState";
+import { throwIfNotHaveAdminAccessToTeam } from "../throwIfNotHaveAdminAccessToTeam";
 
 /**
  * This function is used to create app credentials for either a user or a team

packages/app-store/_utils/decodeOAuthState.ts renamed to packages/app-store/_utils/oauth/decodeOAuthState.ts

@@ -1,6 +1,6 @@
 import type { NextApiRequest } from "next";
 
-import type { IntegrationOAuthCallbackState } from "../types";
+import type { IntegrationOAuthCallbackState } from "../../types";
 
 export function decodeOAuthState(req: NextApiRequest) {
   if (typeof req.query.state !== "string") {

packages/app-store/_utils/encodeOAuthState.ts renamed to packages/app-store/_utils/oauth/encodeOAuthState.ts

@@ -1,6 +1,6 @@
 import type { NextApiRequest } from "next";
 
-import type { IntegrationOAuthCallbackState } from "../types";
+import type { IntegrationOAuthCallbackState } from "../../types";
 
 export function encodeOAuthState(req: NextApiRequest) {
   if (typeof req.query.state !== "string") {

packages/app-store/_utils/oauth/parseRefreshTokenResponse.ts

@@ -0,0 +1,32 @@
+import { z } from "zod";
+
+import { APP_CREDENTIAL_SHARING_ENABLED } from "@calcom/lib/constants";
+
+const minimumTokenResponseSchema = z.object({
+  access_token: z.string(),
+  //   Assume that any property with a number is the expiry
+  [z.string().toString()]: z.number(),
+  //   Allow other properties in the token response
+  [z.string().optional().toString()]: z.unknown().optional(),
+});
+
+const parseRefreshTokenResponse = (response: any, schema: z.ZodTypeAny) => {
+  let refreshTokenResponse;
+  if (APP_CREDENTIAL_SHARING_ENABLED && process.env.CALCOM_CREDENTIAL_SYNC_ENDPOINT) {
+    refreshTokenResponse = minimumTokenResponseSchema.safeParse(response);
+  } else {
+    refreshTokenResponse = schema.safeParse(response);
+  }
+
+  if (!refreshTokenResponse.success) {
+    throw new Error("Invalid refreshed tokens were returned");
+  }
+
+  if (!refreshTokenResponse.data.refresh_token) {
+    refreshTokenResponse.data.refresh_token = "refresh_token";
+  }
+
+  return refreshTokenResponse;
+};
+
+export default parseRefreshTokenResponse;

packages/app-store/_utils/oauth/refreshOAuthTokens.ts

@@ -0,0 +1,22 @@
+import { APP_CREDENTIAL_SHARING_ENABLED } from "@calcom/lib/constants";
+
+const refreshOAuthTokens = async (refreshFunction: () => any, appSlug: string, userId: number | null) => {
+  // Check that app syncing is enabled and that the credential belongs to a user
+  if (APP_CREDENTIAL_SHARING_ENABLED && process.env.CALCOM_CREDENTIAL_SYNC_ENDPOINT && userId) {
+    // Customize the payload based on what your endpoint requires
+    // The response should only contain the access token and expiry date
+    const response = await fetch(process.env.CALCOM_CREDENTIAL_SYNC_ENDPOINT, {
+      method: "POST",
+      body: new URLSearchParams({
+        calcomUserId: userId.toString(),
+        appSlug,
+      }),
+    });
+    return response;
+  } else {
+    const response = await refreshFunction();
+    return response;
+  }
+};
+
+export default refreshOAuthTokens;

packages/app-store/googlecalendar/api/add.ts

@@ -3,8 +3,8 @@ import type { NextApiRequest, NextApiResponse } from "next";
 
 import { WEBAPP_URL_FOR_OAUTH } from "@calcom/lib/constants";
 
-import { encodeOAuthState } from "../../_utils/encodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import { encodeOAuthState } from "../../_utils/oauth/encodeOAuthState";
 
 const scopes = [
   "https://www.googleapis.com/auth/calendar.readonly",

packages/app-store/googlecalendar/api/callback.ts

@@ -5,9 +5,9 @@ import { WEBAPP_URL_FOR_OAUTH, CAL_URL } from "@calcom/lib/constants";
 import { getSafeRedirectUrl } from "@calcom/lib/getSafeRedirectUrl";
 import prisma from "@calcom/prisma";
 
-import { decodeOAuthState } from "../../_utils/decodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import { decodeOAuthState } from "../../_utils/oauth/decodeOAuthState";
 
 let client_id = "";
 let client_secret = "";

packages/app-store/googlecalendar/lib/CalendarService.ts

@@ -18,6 +18,8 @@ import type {
 } from "@calcom/types/Calendar";
 import type { CredentialPayload } from "@calcom/types/Credential";
 
+import parseRefreshTokenResponse from "../../_utils/oauth/parseRefreshTokenResponse";
+import refreshOAuthTokens from "../../_utils/oauth/refreshOAuthTokens";
 import { getGoogleAppKeys } from "./getGoogleAppKeys";
 import { googleCredentialSchema } from "./googleCredentialSchema";
 
@@ -81,11 +83,18 @@ export default class GoogleCalendarService implements Calendar {
 
     const refreshAccessToken = async (myGoogleAuth: Awaited<ReturnType<typeof getGoogleAuth>>) => {
       try {
-        const { res } = await myGoogleAuth.refreshToken(googleCredentials.refresh_token);
+        const res = await refreshOAuthTokens(
+          async () => {
+            const fetchTokens = await myGoogleAuth.refreshToken(googleCredentials.refresh_token);
+            return fetchTokens.res;
+          },
+          "google-calendar",
+          credential.userId
+        );
         const token = res?.data;
         googleCredentials.access_token = token.access_token;
         googleCredentials.expiry_date = token.expiry_date;
-        const key = googleCredentialSchema.parse(googleCredentials);
+        const key = parseRefreshTokenResponse(googleCredentials, googleCredentialSchema);
         await prisma.credential.update({
           where: { id: credential.id },
           data: { key },