Files
simstudioai--sim/apps/sim/lib/copilot/tools/handlers/oauth.ts
T
wehub-resource-sync d25d482dc2
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:20:55 +08:00

144 lines
5.3 KiB
TypeScript

import { toError } from '@sim/utils/errors'
import type { ExecutionContext, ToolCallResult } from '@/lib/copilot/request/types'
import { ensureWorkspaceAccess } from '@/lib/copilot/tools/handlers/access'
import { getBaseUrl } from '@/lib/core/utils/urls'
import { getAllOAuthServices } from '@/lib/oauth/utils'
export async function executeOAuthGetAuthLink(
rawParams: Record<string, unknown>,
context: ExecutionContext
): Promise<ToolCallResult> {
const providerName = String(rawParams.providerName || rawParams.provider_name || '')
const baseUrl = getBaseUrl()
try {
if (!context.workspaceId || !context.userId) {
throw new Error('workspaceId and userId are required to generate an OAuth link')
}
await ensureWorkspaceAccess(context.workspaceId, context.userId, 'write')
const result = await generateOAuthLink(
context.workspaceId,
context.workflowId,
context.chatId,
providerName,
baseUrl
)
return {
success: true,
output: {
message: `Authorization URL generated for ${result.serviceName}.`,
oauth_url: result.url,
instructions: `Open this URL in your browser to connect ${result.serviceName}: ${result.url}`,
provider: result.serviceName,
providerId: result.providerId,
},
}
} catch (err) {
const workspaceUrl = context.workspaceId
? `${baseUrl}/workspace/${context.workspaceId}`
: `${baseUrl}/workspace`
return {
success: false,
error: toError(err).message,
output: {
message: `Could not generate a direct OAuth link for ${providerName}. Connect manually from the workspace.`,
oauth_url: workspaceUrl,
error: toError(err).message,
},
}
}
}
export async function executeOAuthRequestAccess(
rawParams: Record<string, unknown>,
_context: ExecutionContext
): Promise<ToolCallResult> {
const providerName = String(rawParams.providerName || rawParams.provider_name || 'the provider')
return {
success: true,
output: {
status: 'requested',
providerName,
message: `Requested ${providerName} OAuth connection.`,
},
}
}
/**
* Resolves a human-friendly provider name to a providerId and returns a
* browser-initiated authorize URL the user opens to connect the service.
*
* Steps: resolve provider → return the Sim `/api/auth/oauth2/authorize` URL.
* That endpoint (not this server-side handler) creates the credential draft and
* calls Better Auth, so the draft's TTL starts at click and the signed `state`
* cookie is planted in the user's browser and the OAuth callback's state check
* passes.
*/
async function generateOAuthLink(
workspaceId: string | undefined,
workflowId: string | undefined,
chatId: string | undefined,
providerName: string,
baseUrl: string
): Promise<{ url: string; providerId: string; serviceName: string }> {
if (!workspaceId) {
throw new Error('workspaceId is required to generate an OAuth link')
}
const allServices = getAllOAuthServices()
const normalizedInput = providerName.toLowerCase().trim()
const matched =
allServices.find((s) => s.providerId === normalizedInput) ||
allServices.find((s) => s.name.toLowerCase() === normalizedInput) ||
allServices.find(
(s) =>
s.name.toLowerCase().includes(normalizedInput) ||
normalizedInput.includes(s.name.toLowerCase())
) ||
allServices.find(
(s) => s.providerId.includes(normalizedInput) || normalizedInput.includes(s.providerId)
)
if (!matched) {
const available = allServices.map((s) => s.name).join(', ')
throw new Error(`Provider "${providerName}" not found. Available providers: ${available}`)
}
const { providerId, name: serviceName } = matched
const callbackURL =
workflowId && workspaceId
? `${baseUrl}/workspace/${workspaceId}/w/${workflowId}`
: chatId && workspaceId
? `${baseUrl}/workspace/${workspaceId}/chat/${chatId}`
: `${baseUrl}/workspace/${workspaceId}`
if (providerId === 'trello') {
return { url: `${baseUrl}/api/auth/trello/authorize`, providerId, serviceName }
}
if (providerId === 'shopify') {
const returnUrl = encodeURIComponent(callbackURL)
return {
url: `${baseUrl}/api/auth/shopify/authorize?returnUrl=${returnUrl}`,
providerId,
serviceName,
}
}
// Hand back a browser-initiated authorize URL rather than calling
// oAuth2LinkAccount here. Generating the link server-side would set Better
// Auth's signed `state` cookie on this server-to-server response instead of the
// user's browser, so the OAuth callback would fail with `state_mismatch`. The
// authorize endpoint runs the link inside the user's browser, planting the
// cookie correctly while keeping the callback's state check enabled.
//
// The pending credential draft is created by that authorize endpoint at click
// time (not here), so the draft's TTL starts when the user actually initiates
// the connect and reliably outlives the OAuth round-trip.
const authorizeUrl = new URL(`${baseUrl}/api/auth/oauth2/authorize`)
authorizeUrl.searchParams.set('providerId', providerId)
authorizeUrl.searchParams.set('workspaceId', workspaceId)
authorizeUrl.searchParams.set('callbackURL', callbackURL)
return { url: authorizeUrl.toString(), providerId, serviceName }
}