progress on cred sets

Author: icecrasher321

apps/sim/app/api/auth/oauth/token/route.ts

@@ -4,20 +4,25 @@ import { z } from 'zod'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { getCredential, refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { getCredential, getOAuthToken, refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 
 export const dynamic = 'force-dynamic'
 
 const logger = createLogger('OAuthTokenAPI')
 
 const SALESFORCE_INSTANCE_URL_REGEX = /__sf_instance__:([^\s]+)/
 
-const tokenRequestSchema = z.object({
-  credentialId: z
-    .string({ required_error: 'Credential ID is required' })
-    .min(1, 'Credential ID is required'),
-  workflowId: z.string().min(1, 'Workflow ID is required').nullish(),
-})
+const tokenRequestSchema = z
+  .object({
+    credentialId: z.string().min(1).optional(),
+    credentialAccountUserId: z.string().min(1).optional(),
+    providerId: z.string().min(1).optional(),
+    workflowId: z.string().min(1).nullish(),
+  })
+  .refine(
+    (data) => data.credentialId || (data.credentialAccountUserId && data.providerId),
+    'Either credentialId or (credentialAccountUserId + providerId) is required'
+  )
 
 const tokenQuerySchema = z.object({
   credentialId: z
@@ -58,9 +63,31 @@ export async function POST(request: NextRequest) {
       )
     }
 
-    const { credentialId, workflowId } = parseResult.data
+    const { credentialId, credentialAccountUserId, providerId, workflowId } = parseResult.data
+
+    if (credentialAccountUserId && providerId) {
+      logger.info(`[${requestId}] Fetching token by credentialAccountUserId + providerId`, {
+        credentialAccountUserId,
+        providerId,
+      })
+
+      const accessToken = await getOAuthToken(credentialAccountUserId, providerId)
+      if (!accessToken) {
+        return NextResponse.json(
+          {
+            error: `No credential found for user ${credentialAccountUserId} and provider ${providerId}`,
+          },
+          { status: 404 }
+        )
+      }
+
+      return NextResponse.json({ accessToken }, { status: 200 })
+    }
+
+    if (!credentialId) {
+      return NextResponse.json({ error: 'Credential ID is required' }, { status: 400 })
+    }
 
-    // We already have workflowId from the parsed body; avoid forcing hybrid auth to re-read it
     const authz = await authorizeCredentialUse(request, {
       credentialId,
       workflowId: workflowId ?? undefined,
@@ -70,15 +97,13 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
     }
 
-    // Fetch the credential as the owner to enforce ownership scoping
     const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
 
     if (!credential) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
     try {
-      // Refresh the token if needed
       const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId)
 
       let instanceUrl: string | undefined

apps/sim/app/api/auth/oauth/utils.ts

@@ -1,7 +1,7 @@
 import { db } from '@sim/db'
-import { account, workflow } from '@sim/db/schema'
+import { account, credentialSetMember, workflow } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, desc, eq } from 'drizzle-orm'
+import { and, desc, eq, inArray } from 'drizzle-orm'
 import { getSession } from '@/lib/auth'
 import { refreshOAuthToken } from '@/lib/oauth'
 
@@ -335,3 +335,99 @@ export async function refreshTokenIfNeeded(
     throw error
   }
 }
+
+export interface CredentialSetCredential {
+  userId: string
+  credentialId: string
+  accessToken: string
+  providerId: string
+}
+
+export async function getCredentialsForCredentialSet(
+  credentialSetId: string,
+  providerId: string
+): Promise<CredentialSetCredential[]> {
+  const members = await db
+    .select({ userId: credentialSetMember.userId })
+    .from(credentialSetMember)
+    .where(
+      and(
+        eq(credentialSetMember.credentialSetId, credentialSetId),
+        eq(credentialSetMember.status, 'active')
+      )
+    )
+
+  if (members.length === 0) {
+    logger.warn(`No active members found for credential set ${credentialSetId}`)
+    return []
+  }
+
+  const userIds = members.map((m) => m.userId)
+
+  const credentials = await db
+    .select({
+      id: account.id,
+      userId: account.userId,
+      providerId: account.providerId,
+      accessToken: account.accessToken,
+      refreshToken: account.refreshToken,
+      accessTokenExpiresAt: account.accessTokenExpiresAt,
+    })
+    .from(account)
+    .where(and(inArray(account.userId, userIds), eq(account.providerId, providerId)))
+
+  const results: CredentialSetCredential[] = []
+
+  for (const cred of credentials) {
+    const now = new Date()
+    const tokenExpiry = cred.accessTokenExpiresAt
+    const shouldRefresh =
+      !!cred.refreshToken && (!cred.accessToken || (tokenExpiry && tokenExpiry < now))
+
+    let accessToken = cred.accessToken
+
+    if (shouldRefresh && cred.refreshToken) {
+      try {
+        const refreshResult = await refreshOAuthToken(providerId, cred.refreshToken)
+
+        if (refreshResult) {
+          accessToken = refreshResult.accessToken
+
+          const updateData: Record<string, unknown> = {
+            accessToken: refreshResult.accessToken,
+            accessTokenExpiresAt: new Date(Date.now() + refreshResult.expiresIn * 1000),
+            updatedAt: new Date(),
+          }
+
+          if (refreshResult.refreshToken && refreshResult.refreshToken !== cred.refreshToken) {
+            updateData.refreshToken = refreshResult.refreshToken
+          }
+
+          await db.update(account).set(updateData).where(eq(account.id, cred.id))
+
+          logger.info(`Refreshed token for user ${cred.userId}, provider ${providerId}`)
+        }
+      } catch (error) {
+        logger.error(`Failed to refresh token for user ${cred.userId}, provider ${providerId}`, {
+          error: error instanceof Error ? error.message : String(error),
+        })
+        continue
+      }
+    }
+
+    if (accessToken) {
+      results.push({
+        userId: cred.userId,
+        credentialId: cred.id,
+        accessToken,
+        providerId,
+      })
+    }
+  }
+
+  logger.info(
+    `Found ${results.length} valid credentials for credential set ${credentialSetId}, provider ${providerId}`
+  )
+
+  return results
+}

apps/sim/app/api/credential-sets/[id]/invite/route.ts

@@ -0,0 +1,165 @@
+import { db } from '@sim/db'
+import { credentialSet, credentialSetInvitation, member } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+
+const logger = createLogger('CredentialSetInvite')
+
+const createInviteSchema = z.object({
+  email: z.string().email().optional(),
+})
+
+async function getCredentialSetWithAccess(credentialSetId: string, userId: string) {
+  const [set] = await db
+    .select({
+      id: credentialSet.id,
+      organizationId: credentialSet.organizationId,
+      name: credentialSet.name,
+    })
+    .from(credentialSet)
+    .where(eq(credentialSet.id, credentialSetId))
+    .limit(1)
+
+  if (!set) return null
+
+  const [membership] = await db
+    .select({ role: member.role })
+    .from(member)
+    .where(and(eq(member.userId, userId), eq(member.organizationId, set.organizationId)))
+    .limit(1)
+
+  if (!membership) return null
+
+  return { set, role: membership.role }
+}
+
+export async function GET(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const session = await getSession()
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+  const result = await getCredentialSetWithAccess(id, session.user.id)
+
+  if (!result) {
+    return NextResponse.json({ error: 'Credential set not found' }, { status: 404 })
+  }
+
+  const invitations = await db
+    .select()
+    .from(credentialSetInvitation)
+    .where(eq(credentialSetInvitation.credentialSetId, id))
+
+  return NextResponse.json({ invitations })
+}
+
+export async function POST(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const session = await getSession()
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+
+  try {
+    const result = await getCredentialSetWithAccess(id, session.user.id)
+
+    if (!result) {
+      return NextResponse.json({ error: 'Credential set not found' }, { status: 404 })
+    }
+
+    if (result.role !== 'admin') {
+      return NextResponse.json({ error: 'Admin permissions required' }, { status: 403 })
+    }
+
+    const body = await req.json()
+    const { email } = createInviteSchema.parse(body)
+
+    const token = crypto.randomUUID()
+    const expiresAt = new Date()
+    expiresAt.setDate(expiresAt.getDate() + 7)
+
+    const invitation = {
+      id: crypto.randomUUID(),
+      credentialSetId: id,
+      email: email || null,
+      token,
+      invitedBy: session.user.id,
+      status: 'pending' as const,
+      expiresAt,
+      createdAt: new Date(),
+    }
+
+    await db.insert(credentialSetInvitation).values(invitation)
+
+    const inviteUrl = `${process.env.NEXTAUTH_URL || 'http://localhost:3000'}/credential-account/${token}`
+
+    logger.info('Created credential set invitation', {
+      credentialSetId: id,
+      invitationId: invitation.id,
+      userId: session.user.id,
+    })
+
+    return NextResponse.json({
+      invitation: {
+        ...invitation,
+        inviteUrl,
+      },
+    })
+  } catch (error) {
+    if (error instanceof z.ZodError) {
+      return NextResponse.json({ error: error.errors[0].message }, { status: 400 })
+    }
+    logger.error('Error creating invitation', error)
+    return NextResponse.json({ error: 'Failed to create invitation' }, { status: 500 })
+  }
+}
+
+export async function DELETE(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const session = await getSession()
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+  const { searchParams } = new URL(req.url)
+  const invitationId = searchParams.get('invitationId')
+
+  if (!invitationId) {
+    return NextResponse.json({ error: 'invitationId is required' }, { status: 400 })
+  }
+
+  try {
+    const result = await getCredentialSetWithAccess(id, session.user.id)
+
+    if (!result) {
+      return NextResponse.json({ error: 'Credential set not found' }, { status: 404 })
+    }
+
+    if (result.role !== 'admin') {
+      return NextResponse.json({ error: 'Admin permissions required' }, { status: 403 })
+    }
+
+    await db
+      .update(credentialSetInvitation)
+      .set({ status: 'cancelled' })
+      .where(
+        and(
+          eq(credentialSetInvitation.id, invitationId),
+          eq(credentialSetInvitation.credentialSetId, id)
+        )
+      )
+
+    return NextResponse.json({ success: true })
+  } catch (error) {
+    logger.error('Error cancelling invitation', error)
+    return NextResponse.json({ error: 'Failed to cancel invitation' }, { status: 500 })
+  }
+}