first push

Author: aadamgough

apps/sim/app/api/auth/oauth/utils.ts

@@ -67,6 +67,8 @@ export async function getOAuthToken(userId: string, providerId: string): Promise
       accessToken: account.accessToken,
       refreshToken: account.refreshToken,
       accessTokenExpiresAt: account.accessTokenExpiresAt,
+      accountId: account.accountId,
+      providerId: account.providerId,
     })
     .from(account)
     .where(and(eq(account.userId, userId), eq(account.providerId, providerId)))
@@ -93,8 +95,14 @@ export async function getOAuthToken(userId: string, providerId: string): Promise
     )
 
     try {
+      // Extract account URL from accountId for Snowflake
+      let metadata: { accountUrl?: string } | undefined
+      if (providerId === 'snowflake' && credential.accountId) {
+        metadata = { accountUrl: credential.accountId }
+      }
+
       // Use the existing refreshOAuthToken function
-      const refreshResult = await refreshOAuthToken(providerId, credential.refreshToken!)
+      const refreshResult = await refreshOAuthToken(providerId, credential.refreshToken!, metadata)
 
       if (!refreshResult) {
         logger.error(`Failed to refresh token for user ${userId}, provider ${providerId}`, {
@@ -177,9 +185,16 @@ export async function refreshAccessTokenIfNeeded(
   if (shouldRefresh) {
     logger.info(`[${requestId}] Token expired, attempting to refresh for credential`)
     try {
+      // Extract account URL from accountId for Snowflake
+      let metadata: { accountUrl?: string } | undefined
+      if (credential.providerId === 'snowflake' && credential.accountId) {
+        metadata = { accountUrl: credential.accountId }
+      }
+
       const refreshedToken = await refreshOAuthToken(
         credential.providerId,
-        credential.refreshToken!
+        credential.refreshToken!,
+        metadata
       )
 
       if (!refreshedToken) {
@@ -251,7 +266,13 @@ export async function refreshTokenIfNeeded(
   }
 
   try {
-    const refreshResult = await refreshOAuthToken(credential.providerId, credential.refreshToken!)
+    // Extract account URL from accountId for Snowflake
+    let metadata: { accountUrl?: string } | undefined
+    if (credential.providerId === 'snowflake' && credential.accountId) {
+      metadata = { accountUrl: credential.accountId }
+    }
+
+    const refreshResult = await refreshOAuthToken(credential.providerId, credential.refreshToken!, metadata)
 
     if (!refreshResult) {
       logger.error(`[${requestId}] Failed to refresh token for credential`)

apps/sim/app/api/auth/snowflake/authorize/route.ts

@@ -0,0 +1,109 @@
+import { type NextRequest, NextResponse } from 'next/server'
+import { getSession } from '@/lib/auth'
+import { env } from '@/lib/env'
+import { createLogger } from '@/lib/logs/console/logger'
+import { getBaseUrl } from '@/lib/urls/utils'
+import { generateCodeChallenge, generateCodeVerifier } from '@/lib/oauth/pkce'
+
+const logger = createLogger('SnowflakeAuthorize')
+
+export const dynamic = 'force-dynamic'
+
+/**
+ * Initiates Snowflake OAuth flow
+ * Requires accountUrl as query parameter
+ */
+export async function GET(request: NextRequest) {
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      logger.warn('Unauthorized Snowflake OAuth attempt')
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const { searchParams } = new URL(request.url)
+    const accountUrl = searchParams.get('accountUrl')
+
+    if (!accountUrl) {
+      logger.error('Missing accountUrl parameter')
+      return NextResponse.json(
+        { error: 'accountUrl parameter is required' },
+        { status: 400 }
+      )
+    }
+
+    const clientId = env.SNOWFLAKE_CLIENT_ID
+    const clientSecret = env.SNOWFLAKE_CLIENT_SECRET
+
+    if (!clientId || !clientSecret) {
+      logger.error('Snowflake OAuth credentials not configured')
+      return NextResponse.json(
+        { error: 'Snowflake OAuth not configured' },
+        { status: 500 }
+      )
+    }
+
+    // Parse and clean the account URL
+    let cleanAccountUrl = accountUrl.replace(/^https?:\/\//, '')
+    cleanAccountUrl = cleanAccountUrl.replace(/\/$/, '')
+    if (!cleanAccountUrl.includes('snowflakecomputing.com')) {
+      cleanAccountUrl = `${cleanAccountUrl}.snowflakecomputing.com`
+    }
+
+    const baseUrl = getBaseUrl()
+    const redirectUri = `${baseUrl}/api/auth/snowflake/callback`
+
+    // Generate PKCE values
+    const codeVerifier = generateCodeVerifier()
+    const codeChallenge = await generateCodeChallenge(codeVerifier)
+
+
+    const state = Buffer.from(
+      JSON.stringify({
+        userId: session.user.id,
+        accountUrl: cleanAccountUrl,
+        timestamp: Date.now(),
+        codeVerifier,
+      })
+    ).toString('base64url')
+
+    // Construct Snowflake-specific authorization URL
+    const authUrl = new URL(`https://${cleanAccountUrl}/oauth/authorize`)
+    authUrl.searchParams.set('client_id', clientId)
+    authUrl.searchParams.set('response_type', 'code')
+    authUrl.searchParams.set('redirect_uri', redirectUri)
+    // Add scope parameter to specify a safe role (not ACCOUNTADMIN or SECURITYADMIN)
+    authUrl.searchParams.set('scope', 'refresh_token session:role:PUBLIC')
+    authUrl.searchParams.set('state', state)
+    // Add PKCE parameters for security and compatibility with OAUTH_ENFORCE_PKCE
+    authUrl.searchParams.set('code_challenge', codeChallenge)
+    authUrl.searchParams.set('code_challenge_method', 'S256')
+    
+    logger.info('Initiating Snowflake OAuth flow (CONFIDENTIAL client with PKCE)', {
+      userId: session.user.id,
+      accountUrl: cleanAccountUrl,
+      authUrl: authUrl.toString(),
+      redirectUri,
+      clientId,
+      hasClientSecret: !!clientSecret,
+      hasPkce: true,
+      parametersCount: authUrl.searchParams.toString().length,
+    })
+
+    logger.info('Authorization URL parameters:', {
+      client_id: authUrl.searchParams.get('client_id'),
+      response_type: authUrl.searchParams.get('response_type'),
+      redirect_uri: authUrl.searchParams.get('redirect_uri'),
+      state_length: authUrl.searchParams.get('state')?.length,
+      scope: authUrl.searchParams.get('scope'),
+      has_pkce: authUrl.searchParams.has('code_challenge'),
+      code_challenge_method: authUrl.searchParams.get('code_challenge_method'),
+    })
+
+    return NextResponse.redirect(authUrl.toString())
+  } catch (error) {
+    logger.error('Error initiating Snowflake authorization:', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+

apps/sim/app/api/auth/snowflake/callback/route.ts

@@ -0,0 +1,211 @@
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { getSession } from '@/lib/auth'
+import { env } from '@/lib/env'
+import { createLogger } from '@/lib/logs/console/logger'
+import { getBaseUrl } from '@/lib/urls/utils'
+import { db } from '@/../../packages/db'
+import { account } from '@/../../packages/db/schema'
+
+const logger = createLogger('SnowflakeCallback')
+
+export const dynamic = 'force-dynamic'
+
+/**
+ * Handles Snowflake OAuth callback
+ */
+export async function GET(request: NextRequest) {
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      logger.warn('Unauthorized Snowflake OAuth callback')
+      return NextResponse.redirect(`${getBaseUrl()}/workspace?error=unauthorized`)
+    }
+
+    const { searchParams } = new URL(request.url)
+    const code = searchParams.get('code')
+    const state = searchParams.get('state')
+    const error = searchParams.get('error')
+    const errorDescription = searchParams.get('error_description')
+
+    // Handle OAuth errors
+    if (error) {
+      logger.error('Snowflake OAuth error', { error, errorDescription })
+      return NextResponse.redirect(
+        `${getBaseUrl()}/workspace?error=snowflake_${error}&description=${encodeURIComponent(errorDescription || '')}`
+      )
+    }
+
+    if (!code || !state) {
+      logger.error('Missing code or state in callback')
+      return NextResponse.redirect(`${getBaseUrl()}/workspace?error=snowflake_invalid_callback`)
+    }
+
+    // Decode state to get account URL and code verifier
+    let stateData: {
+      userId: string
+      accountUrl: string
+      timestamp: number
+      codeVerifier: string
+    }
+
+    try {
+      stateData = JSON.parse(Buffer.from(state, 'base64url').toString())
+      logger.info('Decoded state successfully', {
+        userId: stateData.userId,
+        accountUrl: stateData.accountUrl,
+        age: Date.now() - stateData.timestamp,
+        hasCodeVerifier: !!stateData.codeVerifier,
+      })
+    } catch (e) {
+      logger.error('Invalid state parameter', { error: e, state })
+      return NextResponse.redirect(`${getBaseUrl()}/workspace?error=snowflake_invalid_state`)
+    }
+
+    // Verify the user matches
+    if (stateData.userId !== session.user.id) {
+      logger.error('User ID mismatch in state', {
+        stateUserId: stateData.userId,
+        sessionUserId: session.user.id,
+      })
+      return NextResponse.redirect(`${getBaseUrl()}/workspace?error=snowflake_user_mismatch`)
+    }
+
+    // Verify state is not too old (15 minutes)
+    if (Date.now() - stateData.timestamp > 15 * 60 * 1000) {
+      logger.error('State expired', {
+        age: Date.now() - stateData.timestamp,
+      })
+      return NextResponse.redirect(`${getBaseUrl()}/workspace?error=snowflake_state_expired`)
+    }
+
+    const clientId = env.SNOWFLAKE_CLIENT_ID
+    const clientSecret = env.SNOWFLAKE_CLIENT_SECRET
+
+    if (!clientId || !clientSecret) {
+      logger.error('Snowflake OAuth credentials not configured')
+      return NextResponse.redirect(`${getBaseUrl()}/workspace?error=snowflake_not_configured`)
+    }
+
+    // Exchange authorization code for tokens
+    const tokenUrl = `https://${stateData.accountUrl}/oauth/token-request`
+    const redirectUri = `${getBaseUrl()}/api/auth/snowflake/callback`
+
+    const tokenParams = new URLSearchParams({
+      grant_type: 'authorization_code',
+      code,
+      redirect_uri: redirectUri,
+      client_id: clientId,
+      client_secret: clientSecret,
+      code_verifier: stateData.codeVerifier,
+    })
+
+    logger.info('Exchanging authorization code for tokens (with PKCE)', {
+      tokenUrl,
+      redirectUri,
+      clientId,
+      hasCode: !!code,
+      hasClientSecret: !!clientSecret,
+      hasCodeVerifier: !!stateData.codeVerifier,
+      paramsLength: tokenParams.toString().length,
+    })
+
+    const tokenResponse = await fetch(tokenUrl, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+      body: tokenParams.toString(),
+    })
+
+    if (!tokenResponse.ok) {
+      const errorText = await tokenResponse.text()
+      logger.error('Failed to exchange code for token', {
+        status: tokenResponse.status,
+        statusText: tokenResponse.statusText,
+        error: errorText,
+        tokenUrl,
+        redirectUri,
+      })
+      
+      // Try to parse error as JSON for better diagnostics
+      try {
+        const errorJson = JSON.parse(errorText)
+        logger.error('Snowflake error details:', errorJson)
+      } catch (e) {
+        logger.error('Error text (not JSON):', errorText)
+      }
+      
+      return NextResponse.redirect(
+        `${getBaseUrl()}/workspace?error=snowflake_token_exchange_failed&details=${encodeURIComponent(errorText)}`
+      )
+    }
+
+    const tokens = await tokenResponse.json()
+
+    logger.info('Token exchange for Snowflake successful', {
+      hasAccessToken: !!tokens.access_token,
+      hasRefreshToken: !!tokens.refresh_token,
+      expiresIn: tokens.expires_in,
+      scope: tokens.scope,
+    })
+
+    if (!tokens.access_token) {
+      logger.error('No access token in response', { tokens })
+      return NextResponse.redirect(`${getBaseUrl()}/workspace?error=snowflake_no_access_token`)
+    }
+
+    // Store the account and tokens in the database
+    const existing = await db.query.account.findFirst({
+      where: and(
+        eq(account.userId, session.user.id),
+        eq(account.providerId, 'snowflake')
+      ),
+    })
+
+    const now = new Date()
+    const expiresAt = tokens.expires_in
+      ? new Date(now.getTime() + tokens.expires_in * 1000)
+      : new Date(now.getTime() + 10 * 60 * 1000) // Default 10 minutes
+
+    const accountData = {
+      userId: session.user.id,
+      providerId: 'snowflake',
+      accountId: stateData.accountUrl, // Store the Snowflake account URL here
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token || null,
+      accessTokenExpiresAt: expiresAt,
+      scope: tokens.scope || null,
+      updatedAt: now,
+    }
+
+    if (existing) {
+      await db
+        .update(account)
+        .set(accountData)
+        .where(eq(account.id, existing.id))
+
+      logger.info('Updated existing Snowflake account', {
+        userId: session.user.id,
+        accountUrl: stateData.accountUrl,
+      })
+    } else {
+      await db.insert(account).values({
+        ...accountData,
+        id: `snowflake_${session.user.id}_${Date.now()}`,
+        createdAt: now,
+      })
+
+      logger.info('Created new Snowflake account', {
+        userId: session.user.id,
+        accountUrl: stateData.accountUrl,
+      })
+    }
+
+    return NextResponse.redirect(`${getBaseUrl()}/workspace?snowflake_connected=true`)
+  } catch (error) {
+    logger.error('Error in Snowflake callback:', error)
+    return NextResponse.redirect(`${getBaseUrl()}/workspace?error=snowflake_callback_failed`)
+  }
+}
+