simstudioai
diff --git a/‎apps/sim/app/api/auth/oauth/utils.ts‎
Lines changed: 45 additions & 7 deletions b/‎apps/sim/app/api/auth/oauth/utils.ts‎
Lines changed: 45 additions & 7 deletions
diff --git a/‎apps/sim/app/api/auth/snowflake/authorize/route.ts‎
Lines changed: 21 additions & 38 deletions b/‎apps/sim/app/api/auth/snowflake/authorize/route.ts‎
Lines changed: 21 additions & 38 deletions
diff --git a/‎apps/sim/app/api/auth/snowflake/callback/route.ts‎
Lines changed: 24 additions & 17 deletions b/‎apps/sim/app/api/auth/snowflake/callback/route.ts‎
Lines changed: 24 additions & 17 deletions
@@ -69,6 +69,7 @@ export async function getOAuthToken(userId: string, providerId: string): Promise
       accessTokenExpiresAt: account.accessTokenExpiresAt,
       accountId: account.accountId,
       providerId: account.providerId,
+      password: account.password, // Include password field for Snowflake OAuth credentials
     })
     .from(account)
     .where(and(eq(account.userId, userId), eq(account.providerId, providerId)))
@@ -95,10 +96,21 @@ export async function getOAuthToken(userId: string, providerId: string): Promise
     )
 
     try {
-      // Extract account URL from accountId for Snowflake
-      let metadata: { accountUrl?: string } | undefined
+      // Extract account URL and OAuth credentials for Snowflake
+      let metadata: { accountUrl?: string; clientId?: string; clientSecret?: string } | undefined
       if (providerId === 'snowflake' && credential.accountId) {
         metadata = { accountUrl: credential.accountId }
+
+        // Extract clientId and clientSecret from the password field (stored as JSON)
+        if (credential.password) {
+          try {
+            const oauthCredentials = JSON.parse(credential.password)
+            metadata.clientId = oauthCredentials.clientId
+            metadata.clientSecret = oauthCredentials.clientSecret
+          } catch (e) {
+            logger.error('Failed to parse Snowflake OAuth credentials', { error: e })
+          }
+        }
       }
 
       // Use the existing refreshOAuthToken function
@@ -185,10 +197,21 @@ export async function refreshAccessTokenIfNeeded(
   if (shouldRefresh) {
     logger.info(`[${requestId}] Token expired, attempting to refresh for credential`)
     try {
-      // Extract account URL from accountId for Snowflake
-      let metadata: { accountUrl?: string } | undefined
+      // Extract account URL and OAuth credentials for Snowflake
+      let metadata: { accountUrl?: string; clientId?: string; clientSecret?: string } | undefined
       if (credential.providerId === 'snowflake' && credential.accountId) {
         metadata = { accountUrl: credential.accountId }
+
+        // Extract clientId and clientSecret from the password field (stored as JSON)
+        if (credential.password) {
+          try {
+            const oauthCredentials = JSON.parse(credential.password)
+            metadata.clientId = oauthCredentials.clientId
+            metadata.clientSecret = oauthCredentials.clientSecret
+          } catch (e) {
+            logger.error('Failed to parse Snowflake OAuth credentials', { error: e })
+          }
+        }
       }
 
       const refreshedToken = await refreshOAuthToken(
@@ -266,13 +289,28 @@ export async function refreshTokenIfNeeded(
   }
 
   try {
-    // Extract account URL from accountId for Snowflake
-    let metadata: { accountUrl?: string } | undefined
+    // Extract account URL and OAuth credentials for Snowflake
+    let metadata: { accountUrl?: string; clientId?: string; clientSecret?: string } | undefined
     if (credential.providerId === 'snowflake' && credential.accountId) {
       metadata = { accountUrl: credential.accountId }
+
+      // Extract clientId and clientSecret from the password field (stored as JSON)
+      if (credential.password) {
+        try {
+          const oauthCredentials = JSON.parse(credential.password)
+          metadata.clientId = oauthCredentials.clientId
+          metadata.clientSecret = oauthCredentials.clientSecret
+        } catch (e) {
+          logger.error('Failed to parse Snowflake OAuth credentials', { error: e })
+        }
+      }
     }
 
-    const refreshResult = await refreshOAuthToken(credential.providerId, credential.refreshToken!, metadata)
+    const refreshResult = await refreshOAuthToken(
+      credential.providerId,
+      credential.refreshToken!,
+      metadata
+    )
 
     if (!refreshResult) {
       logger.error(`[${requestId}] Failed to refresh token for credential`)
 
@@ -1,48 +1,40 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
-import { env } from '@/lib/env'
 import { createLogger } from '@/lib/logs/console/logger'
-import { getBaseUrl } from '@/lib/urls/utils'
 import { generateCodeChallenge, generateCodeVerifier } from '@/lib/oauth/pkce'
+import { getBaseUrl } from '@/lib/urls/utils'
 
 const logger = createLogger('SnowflakeAuthorize')
 
 export const dynamic = 'force-dynamic'
 
 /**
  * Initiates Snowflake OAuth flow
- * Requires accountUrl as query parameter
+ * Expects credentials to be posted in the request body (accountUrl, clientId, clientSecret)
  */
-export async function GET(request: NextRequest) {
+export async function POST(request: NextRequest) {
   try {
     const session = await getSession()
     if (!session?.user?.id) {
       logger.warn('Unauthorized Snowflake OAuth attempt')
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    const { searchParams } = new URL(request.url)
-    const accountUrl = searchParams.get('accountUrl')
+    const body = await request.json()
+    const { accountUrl, clientId, clientSecret } = body
 
-    if (!accountUrl) {
-      logger.error('Missing accountUrl parameter')
+    if (!accountUrl || !clientId || !clientSecret) {
+      logger.error('Missing required Snowflake OAuth parameters', {
+        hasAccountUrl: !!accountUrl,
+        hasClientId: !!clientId,
+        hasClientSecret: !!clientSecret,
+      })
       return NextResponse.json(
-        { error: 'accountUrl parameter is required' },
+        { error: 'accountUrl, clientId, and clientSecret are required' },
         { status: 400 }
       )
     }
 
-    const clientId = env.SNOWFLAKE_CLIENT_ID
-    const clientSecret = env.SNOWFLAKE_CLIENT_SECRET
-
-    if (!clientId || !clientSecret) {
-      logger.error('Snowflake OAuth credentials not configured')
-      return NextResponse.json(
-        { error: 'Snowflake OAuth not configured' },
-        { status: 500 }
-      )
-    }
-
     // Parse and clean the account URL
     let cleanAccountUrl = accountUrl.replace(/^https?:\/\//, '')
     cleanAccountUrl = cleanAccountUrl.replace(/\/$/, '')
@@ -57,11 +49,13 @@ export async function GET(request: NextRequest) {
     const codeVerifier = generateCodeVerifier()
     const codeChallenge = await generateCodeChallenge(codeVerifier)
 
-
+    // Store user-provided credentials in the state (will be used in callback)
     const state = Buffer.from(
       JSON.stringify({
         userId: session.user.id,
         accountUrl: cleanAccountUrl,
+        clientId,
+        clientSecret,
         timestamp: Date.now(),
         codeVerifier,
       })
@@ -78,32 +72,21 @@ export async function GET(request: NextRequest) {
     // Add PKCE parameters for security and compatibility with OAUTH_ENFORCE_PKCE
     authUrl.searchParams.set('code_challenge', codeChallenge)
     authUrl.searchParams.set('code_challenge_method', 'S256')
-    
-    logger.info('Initiating Snowflake OAuth flow (CONFIDENTIAL client with PKCE)', {
+
+    logger.info('Initiating Snowflake OAuth flow with user-provided credentials (PKCE)', {
       userId: session.user.id,
       accountUrl: cleanAccountUrl,
-      authUrl: authUrl.toString(),
-      redirectUri,
-      clientId,
+      hasClientId: !!clientId,
       hasClientSecret: !!clientSecret,
+      redirectUri,
       hasPkce: true,
-      parametersCount: authUrl.searchParams.toString().length,
     })
 
-    logger.info('Authorization URL parameters:', {
-      client_id: authUrl.searchParams.get('client_id'),
-      response_type: authUrl.searchParams.get('response_type'),
-      redirect_uri: authUrl.searchParams.get('redirect_uri'),
-      state_length: authUrl.searchParams.get('state')?.length,
-      scope: authUrl.searchParams.get('scope'),
-      has_pkce: authUrl.searchParams.has('code_challenge'),
-      code_challenge_method: authUrl.searchParams.get('code_challenge_method'),
+    return NextResponse.json({
+      authUrl: authUrl.toString(),
     })
-
-    return NextResponse.redirect(authUrl.toString())
   } catch (error) {
     logger.error('Error initiating Snowflake authorization:', error)
     return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
   }
 }
-
@@ -1,7 +1,6 @@
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
-import { env } from '@/lib/env'
 import { createLogger } from '@/lib/logs/console/logger'
 import { getBaseUrl } from '@/lib/urls/utils'
 import { db } from '@/../../packages/db'
@@ -41,10 +40,12 @@ export async function GET(request: NextRequest) {
       return NextResponse.redirect(`${getBaseUrl()}/workspace?error=snowflake_invalid_callback`)
     }
 
-    // Decode state to get account URL and code verifier
+    // Decode state to get account URL, credentials, and code verifier
     let stateData: {
       userId: string
       accountUrl: string
+      clientId: string
+      clientSecret: string
       timestamp: number
       codeVerifier: string
     }
@@ -54,6 +55,8 @@ export async function GET(request: NextRequest) {
       logger.info('Decoded state successfully', {
         userId: stateData.userId,
         accountUrl: stateData.accountUrl,
+        hasClientId: !!stateData.clientId,
+        hasClientSecret: !!stateData.clientSecret,
         age: Date.now() - stateData.timestamp,
         hasCodeVerifier: !!stateData.codeVerifier,
       })
@@ -79,12 +82,13 @@ export async function GET(request: NextRequest) {
       return NextResponse.redirect(`${getBaseUrl()}/workspace?error=snowflake_state_expired`)
     }
 
-    const clientId = env.SNOWFLAKE_CLIENT_ID
-    const clientSecret = env.SNOWFLAKE_CLIENT_SECRET
+    // Use user-provided credentials from state
+    const clientId = stateData.clientId
+    const clientSecret = stateData.clientSecret
 
     if (!clientId || !clientSecret) {
-      logger.error('Snowflake OAuth credentials not configured')
-      return NextResponse.redirect(`${getBaseUrl()}/workspace?error=snowflake_not_configured`)
+      logger.error('Missing client credentials in state')
+      return NextResponse.redirect(`${getBaseUrl()}/workspace?error=snowflake_missing_credentials`)
     }
 
     // Exchange authorization code for tokens
@@ -127,15 +131,15 @@ export async function GET(request: NextRequest) {
         tokenUrl,
         redirectUri,
       })
-      
+
       // Try to parse error as JSON for better diagnostics
       try {
         const errorJson = JSON.parse(errorText)
         logger.error('Snowflake error details:', errorJson)
       } catch (e) {
         logger.error('Error text (not JSON):', errorText)
       }
-      
+
       return NextResponse.redirect(
         `${getBaseUrl()}/workspace?error=snowflake_token_exchange_failed&details=${encodeURIComponent(errorText)}`
       )
@@ -157,33 +161,37 @@ export async function GET(request: NextRequest) {
 
     // Store the account and tokens in the database
     const existing = await db.query.account.findFirst({
-      where: and(
-        eq(account.userId, session.user.id),
-        eq(account.providerId, 'snowflake')
-      ),
+      where: and(eq(account.userId, session.user.id), eq(account.providerId, 'snowflake')),
     })
 
     const now = new Date()
     const expiresAt = tokens.expires_in
       ? new Date(now.getTime() + tokens.expires_in * 1000)
       : new Date(now.getTime() + 10 * 60 * 1000) // Default 10 minutes
 
+    // Store user-provided OAuth credentials securely
+    // We use the password field to store a JSON object with clientId and clientSecret
+    // and idToken to store the accountUrl for easier retrieval
+    const oauthCredentials = JSON.stringify({
+      clientId: stateData.clientId,
+      clientSecret: stateData.clientSecret,
+    })
+
     const accountData = {
       userId: session.user.id,
       providerId: 'snowflake',
       accountId: stateData.accountUrl, // Store the Snowflake account URL here
       accessToken: tokens.access_token,
       refreshToken: tokens.refresh_token || null,
+      idToken: stateData.accountUrl, // Store accountUrl for easier access
+      password: oauthCredentials, // Store clientId and clientSecret as JSON
       accessTokenExpiresAt: expiresAt,
       scope: tokens.scope || null,
       updatedAt: now,
     }
 
     if (existing) {
-      await db
-        .update(account)
-        .set(accountData)
-        .where(eq(account.id, existing.id))
+      await db.update(account).set(accountData).where(eq(account.id, existing.id))
 
       logger.info('Updated existing Snowflake account', {
         userId: session.user.id,
@@ -208,4 +216,3 @@ export async function GET(request: NextRequest) {
     return NextResponse.redirect(`${getBaseUrl()}/workspace?error=snowflake_callback_failed`)
   }
 }
-