OAuth credential sync and app integration enhancements

.env.example

@@ -230,6 +230,19 @@ AUTH_BEARER_TOKEN_VERCEL=
 E2E_TEST_APPLE_CALENDAR_EMAIL=""
 E2E_TEST_APPLE_CALENDAR_PASSWORD=""
 
+# - APP CREDENTIAL SYNC ***********************************************************************************
+# Used for self-hosters that are implementing Cal.com into their applications that already have certain integrations
+# Under settings/admin/apps ensure that all app secrets are set the same as the parent application
+# You can use: `openssl rand -base64 32` to generate one
+CALCOM_WEBHOOK_SECRET=""
+# This is the header name that will be used to verify the webhook secret. Should be in lowercase
+CALCOM_WEBHOOK_HEADER_NAME="calcom-webhook-secret"
+CALCOM_CREDENTIAL_SYNC_ENDPOINT=""
+# Key should match on Cal.com and your application
+# must be 32 bytes for AES256 encryption algorithm
+# You can use: `openssl rand -base64 24` to generate one
+CALCOM_APP_CREDENTIAL_ENCRYPTION_KEY=""
+
 # - OIDC E2E TEST *******************************************************************************************
 
 # Ensure this ADMIN EMAIL is present in the SAML_ADMINS list
@@ -243,4 +256,4 @@ E2E_TEST_OIDC_PROVIDER_DOMAIN=
 E2E_TEST_OIDC_USER_EMAIL=
 E2E_TEST_OIDC_USER_PASSWORD=
 
-# ***********************************************************************************************************
+# ***********************************************************************************************************

apps/web/pages/api/webhook/app-credential.ts

@@ -0,0 +1,93 @@
+import type { NextApiRequest, NextApiResponse } from "next";
+import z from "zod";
+
+import { appStoreMetadata } from "@calcom/app-store/appStoreMetaData";
+import { APP_CREDENTIAL_SHARING_ENABLED } from "@calcom/lib/constants";
+import { symmetricDecrypt } from "@calcom/lib/crypto";
+import prisma from "@calcom/prisma";
+
+const appCredentialWebhookRequestBodySchema = z.object({
+  // UserId of the cal.com user
+  userId: z.number().int(),
+  appSlug: z.string(),
+  // Keys should be AES256 encrypted with the CALCOM_APP_CREDENTIAL_ENCRYPTION_KEY
+  keys: z.string(),
+});
+/** */
+export default async function handler(req: NextApiRequest, res: NextApiResponse) {
+  // Check that credential sharing is enabled
+  if (!APP_CREDENTIAL_SHARING_ENABLED) {
+    return res.status(403).json({ message: "Credential sharing is not enabled" });
+  }
+
+  // Check that the webhook secret matches
+  if (
+    req.headers[process.env.CALCOM_WEBHOOK_HEADER_NAME || "calcom-webhook-secret"] !==
+    process.env.CALCOM_WEBHOOK_SECRET
+  ) {
+    return res.status(403).json({ message: "Invalid webhook secret" });
+  }
+
+  const reqBody = appCredentialWebhookRequestBodySchema.parse(req.body);
+
+  // Check that the user exists
+  const user = await prisma.user.findUnique({ where: { id: reqBody.userId } });
+
+  if (!user) {
+    return res.status(404).json({ message: "User not found" });
+  }
+
+  const app = await prisma.app.findUnique({
+    where: { slug: reqBody.appSlug },
+    select: { slug: true },
+  });
+
+  if (!app) {
+    return res.status(404).json({ message: "App not found" });
+  }
+
+  //   Search for the app's slug and type
+  const appMetadata = appStoreMetadata[app.slug as keyof typeof appStoreMetadata];
+
+  if (!appMetadata) {
+    return res.status(404).json({ message: "App not found. Ensure that you have the correct app slug" });
+  }
+
+  // Decrypt the keys
+  const keys = JSON.parse(
+    symmetricDecrypt(reqBody.keys, process.env.CALCOM_APP_CREDENTIAL_ENCRYPTION_KEY || "")
+  );
+
+  // Can't use prisma upsert as we don't know the id of the credential
+  const appCredential = await prisma.credential.findFirst({
+    where: {
+      userId: reqBody.userId,
+      appId: appMetadata.slug,
+    },
+    select: {
+      id: true,
+    },
+  });
+
+  if (appCredential) {
+    await prisma.credential.update({
+      where: {
+        id: appCredential.id,
+      },
+      data: {
+        key: keys,
+      },
+    });
+    return res.status(200).json({ message: `Credentials updated for userId: ${reqBody.userId}` });
+  } else {
+    await prisma.credential.create({
+      data: {
+        key: keys,
+        userId: reqBody.userId,
+        appId: appMetadata.slug,
+        type: appMetadata.type,
+      },
+    });
+    return res.status(200).json({ message: `Credentials created for userId: ${reqBody.userId}` });
+  }
+}

packages/app-store/_utils/createOAuthAppCredential.ts → packages/app-store/_utils/oauth/createOAuthAppCredential.ts

@@ -3,8 +3,8 @@ import type { NextApiRequest } from "next";
 import { HttpError } from "@calcom/lib/http-error";
 import prisma from "@calcom/prisma";
 
-import { decodeOAuthState } from "./decodeOAuthState";
-import { throwIfNotHaveAdminAccessToTeam } from "./throwIfNotHaveAdminAccessToTeam";
+import { decodeOAuthState } from "../oauth/decodeOAuthState";
+import { throwIfNotHaveAdminAccessToTeam } from "../throwIfNotHaveAdminAccessToTeam";
 
 /**
  * This function is used to create app credentials for either a user or a team

packages/app-store/_utils/decodeOAuthState.ts → packages/app-store/_utils/oauth/decodeOAuthState.ts

@@ -1,6 +1,6 @@
 import type { NextApiRequest } from "next";
 
-import type { IntegrationOAuthCallbackState } from "../types";
+import type { IntegrationOAuthCallbackState } from "../../types";
 
 export function decodeOAuthState(req: NextApiRequest) {
   if (typeof req.query.state !== "string") {

packages/app-store/_utils/encodeOAuthState.ts → packages/app-store/_utils/oauth/encodeOAuthState.ts

@@ -1,6 +1,6 @@
 import type { NextApiRequest } from "next";
 
-import type { IntegrationOAuthCallbackState } from "../types";
+import type { IntegrationOAuthCallbackState } from "../../types";
 
 export function encodeOAuthState(req: NextApiRequest) {
   if (typeof req.query.state !== "string") {

packages/app-store/_utils/oauth/parseRefreshTokenResponse.ts

@@ -0,0 +1,32 @@
+import { z } from "zod";
+
+import { APP_CREDENTIAL_SHARING_ENABLED } from "@calcom/lib/constants";
+
+const minimumTokenResponseSchema = z.object({
+  access_token: z.string(),
+  //   Assume that any property with a number is the expiry
+  [z.string().toString()]: z.number(),
+  //   Allow other properties in the token response
+  [z.string().optional().toString()]: z.unknown().optional(),
+});
+
+const parseRefreshTokenResponse = (response: any, schema: z.ZodTypeAny) => {
+  let refreshTokenResponse;
+  if (APP_CREDENTIAL_SHARING_ENABLED && process.env.CALCOM_CREDENTIAL_SYNC_ENDPOINT) {
+    refreshTokenResponse = minimumTokenResponseSchema.safeParse(response);
+  } else {
+    refreshTokenResponse = schema.safeParse(response);
+  }
+
+  if (!refreshTokenResponse.success) {
+    throw new Error("Invalid refreshed tokens were returned");
+  }
+
+  if (!refreshTokenResponse.data.refresh_token) {
+    refreshTokenResponse.data.refresh_token = "refresh_token";
+  }
+
+  return refreshTokenResponse;
+};
+
+export default parseRefreshTokenResponse;

packages/app-store/_utils/oauth/refreshOAuthTokens.ts

@@ -0,0 +1,22 @@
+import { APP_CREDENTIAL_SHARING_ENABLED } from "@calcom/lib/constants";
+
+const refreshOAuthTokens = async (refreshFunction: () => any, appSlug: string, userId: number | null) => {
+  // Check that app syncing is enabled and that the credential belongs to a user
+  if (APP_CREDENTIAL_SHARING_ENABLED && process.env.CALCOM_CREDENTIAL_SYNC_ENDPOINT && userId) {
+    // Customize the payload based on what your endpoint requires
+    // The response should only contain the access token and expiry date
+    const response = await fetch(process.env.CALCOM_CREDENTIAL_SYNC_ENDPOINT, {
+      method: "POST",
+      body: new URLSearchParams({
+        calcomUserId: userId.toString(),
+        appSlug,
+      }),
+    });
+    return response;
+  } else {
+    const response = await refreshFunction();
+    return response;
+  }
+};
+
+export default refreshOAuthTokens;

packages/app-store/googlecalendar/api/add.ts

@@ -3,8 +3,8 @@ import type { NextApiRequest, NextApiResponse } from "next";
 
 import { WEBAPP_URL_FOR_OAUTH } from "@calcom/lib/constants";
 
-import { encodeOAuthState } from "../../_utils/encodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import { encodeOAuthState } from "../../_utils/oauth/encodeOAuthState";
 
 const scopes = [
   "https://www.googleapis.com/auth/calendar.readonly",

packages/app-store/googlecalendar/api/callback.ts

@@ -5,9 +5,9 @@ import { WEBAPP_URL_FOR_OAUTH, CAL_URL } from "@calcom/lib/constants";
 import { getSafeRedirectUrl } from "@calcom/lib/getSafeRedirectUrl";
 import prisma from "@calcom/prisma";
 
-import { decodeOAuthState } from "../../_utils/decodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import { decodeOAuthState } from "../../_utils/oauth/decodeOAuthState";
 
 let client_id = "";
 let client_secret = "";

packages/app-store/googlecalendar/lib/CalendarService.ts

@@ -18,6 +18,8 @@ import type {
 } from "@calcom/types/Calendar";
 import type { CredentialPayload } from "@calcom/types/Credential";
 
+import parseRefreshTokenResponse from "../../_utils/oauth/parseRefreshTokenResponse";
+import refreshOAuthTokens from "../../_utils/oauth/refreshOAuthTokens";
 import { getGoogleAppKeys } from "./getGoogleAppKeys";
 import { googleCredentialSchema } from "./googleCredentialSchema";
 
@@ -81,11 +83,18 @@ export default class GoogleCalendarService implements Calendar {
 
     const refreshAccessToken = async (myGoogleAuth: Awaited<ReturnType<typeof getGoogleAuth>>) => {
       try {
-        const { res } = await myGoogleAuth.refreshToken(googleCredentials.refresh_token);
+        const res = await refreshOAuthTokens(
+          async () => {
+            const fetchTokens = await myGoogleAuth.refreshToken(googleCredentials.refresh_token);
+            return fetchTokens.res;
+          },
+          "google-calendar",
+          credential.userId
+        );
         const token = res?.data;
         googleCredentials.access_token = token.access_token;
         googleCredentials.expiry_date = token.expiry_date;
-        const key = googleCredentialSchema.parse(googleCredentials);
+        const key = parseRefreshTokenResponse(googleCredentials, googleCredentialSchema);
         await prisma.credential.update({
           where: { id: credential.id },
           data: { key },

packages/app-store/hubspot/api/add.ts

@@ -3,8 +3,8 @@ import type { NextApiRequest, NextApiResponse } from "next";
 
 import { WEBAPP_URL } from "@calcom/lib/constants";
 
-import { encodeOAuthState } from "../../_utils/encodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import { encodeOAuthState } from "../../_utils/oauth/encodeOAuthState";
 
 const scopes = ["crm.objects.contacts.read", "crm.objects.contacts.write"];
 

packages/app-store/hubspot/api/callback.ts

@@ -5,10 +5,10 @@ import type { NextApiRequest, NextApiResponse } from "next";
 import { WEBAPP_URL } from "@calcom/lib/constants";
 import { getSafeRedirectUrl } from "@calcom/lib/getSafeRedirectUrl";
 
-import createOAuthAppCredential from "../../_utils/createOAuthAppCredential";
-import { decodeOAuthState } from "../../_utils/decodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import createOAuthAppCredential from "../../_utils/oauth/createOAuthAppCredential";
+import { decodeOAuthState } from "../../_utils/oauth/decodeOAuthState";
 
 let client_id = "";
 let client_secret = "";

packages/app-store/hubspot/lib/CalendarService.ts

@@ -23,6 +23,7 @@ import type {
 import type { CredentialPayload } from "@calcom/types/Credential";
 
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import refreshOAuthTokens from "../../_utils/oauth/refreshOAuthTokens";
 import type { HubspotToken } from "../api/callback";
 
 const hubspotClient = new hubspot.Client();
@@ -173,13 +174,18 @@ export default class HubspotCalendarService implements Calendar {
 
     const refreshAccessToken = async (refreshToken: string) => {
       try {
-        const hubspotRefreshToken: HubspotToken = await hubspotClient.oauth.tokensApi.createToken(
-          "refresh_token",
-          undefined,
-          WEBAPP_URL + "/api/integrations/hubspot/callback",
-          this.client_id,
-          this.client_secret,
-          refreshToken
+        const hubspotRefreshToken: HubspotToken = await refreshOAuthTokens(
+          async () =>
+            await hubspotClient.oauth.tokensApi.createToken(
+              "refresh_token",
+              undefined,
+              WEBAPP_URL + "/api/integrations/hubspot/callback",
+              this.client_id,
+              this.client_secret,
+              refreshToken
+            ),
+          "hubspot",
+          credential.userId
         );
 
         // set expiry date as offset from current time.

packages/app-store/larkcalendar/api/add.ts

@@ -5,8 +5,8 @@ import { z } from "zod";
 import { WEBAPP_URL } from "@calcom/lib/constants";
 import { defaultHandler, defaultResponder } from "@calcom/lib/server";
 
-import { encodeOAuthState } from "../../_utils/encodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import { encodeOAuthState } from "../../_utils/oauth/encodeOAuthState";
 import { LARK_HOST } from "../common";
 
 const larkKeysSchema = z.object({

packages/app-store/larkcalendar/api/callback.ts

@@ -6,8 +6,8 @@ import logger from "@calcom/lib/logger";
 import { defaultHandler, defaultResponder } from "@calcom/lib/server";
 import prisma from "@calcom/prisma";
 
-import { decodeOAuthState } from "../../_utils/decodeOAuthState";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import { decodeOAuthState } from "../../_utils/oauth/decodeOAuthState";
 import { LARK_HOST } from "../common";
 import { getAppAccessToken } from "../lib/AppAccessToken";
 import type { LarkAuthCredentials } from "../types/LarkCalendar";

packages/app-store/larkcalendar/lib/CalendarService.ts

@@ -11,6 +11,7 @@ import type {
 } from "@calcom/types/Calendar";
 import type { CredentialPayload } from "@calcom/types/Credential";
 
+import refreshOAuthTokens from "../../_utils/oauth/refreshOAuthTokens";
 import { handleLarkError, isExpired, LARK_HOST } from "../common";
 import type {
   CreateAttendeesResp,
@@ -63,17 +64,22 @@ export default class LarkCalendarService implements Calendar {
     }
     try {
       const appAccessToken = await getAppAccessToken();
-      const resp = await fetch(`${this.url}/authen/v1/refresh_access_token`, {
-        method: "POST",
-        headers: {
-          Authorization: `Bearer ${appAccessToken}`,
-          "Content-Type": "application/json; charset=utf-8",
-        },
-        body: JSON.stringify({
-          grant_type: "refresh_token",
-          refresh_token: refreshToken,
-        }),
-      });
+      const resp = await refreshOAuthTokens(
+        async () =>
+          await fetch(`${this.url}/authen/v1/refresh_access_token`, {
+            method: "POST",
+            headers: {
+              Authorization: `Bearer ${appAccessToken}`,
+              "Content-Type": "application/json; charset=utf-8",
+            },
+            body: JSON.stringify({
+              grant_type: "refresh_token",
+              refresh_token: refreshToken,
+            }),
+          }),
+        "lark-calendar",
+        credential.userId
+      );
 
       const data = await handleLarkError<RefreshTokenResp>(resp, this.log);
       this.log.debug(

packages/app-store/office365calendar/api/add.ts

@@ -3,8 +3,8 @@ import { stringify } from "querystring";
 
 import { WEBAPP_URL } from "@calcom/lib/constants";
 
-import { encodeOAuthState } from "../../_utils/encodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import { encodeOAuthState } from "../../_utils/oauth/encodeOAuthState";
 
 const scopes = ["User.Read", "Calendars.Read", "Calendars.ReadWrite", "offline_access"];
 

packages/app-store/office365calendar/api/callback.ts

@@ -4,9 +4,9 @@ import { WEBAPP_URL } from "@calcom/lib/constants";
 import { getSafeRedirectUrl } from "@calcom/lib/getSafeRedirectUrl";
 import prisma from "@calcom/prisma";
 
-import { decodeOAuthState } from "../../_utils/decodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import { decodeOAuthState } from "../../_utils/oauth/decodeOAuthState";
 
 const scopes = ["offline_access", "Calendars.Read", "Calendars.ReadWrite"];