fix draft timing issue

Author: icecrasher321

apps/sim/app/api/auth/oauth2/authorize/route.ts

@@ -1,15 +1,81 @@
+import { db } from '@sim/db'
+import { pendingCredentialDraft, user } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
+import { generateId } from '@sim/utils/id'
+import { and, eq, lt } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { authorizeOAuth2Contract } from '@/lib/api/contracts/oauth-connections'
 import { parseRequest } from '@/lib/api/server'
 import { auth, getSession } from '@/lib/auth/auth'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+import { getAllOAuthServices } from '@/lib/oauth/utils'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('OAuth2Authorize')
 
 export const dynamic = 'force-dynamic'
 
+const DRAFT_TTL_MS = 15 * 60 * 1000
+
+/**
+ * Creates the pending credential draft at click time so its TTL starts when the
+ * user actually initiates the connect. Better Auth's `account.create.after` hook
+ * consumes this draft to materialize the real credential after the OAuth
+ * callback; starting the clock here guarantees the draft outlives the (≤5 min)
+ * OAuth round-trip rather than expiring mid-flow and silently producing no
+ * credential.
+ */
+async function createConnectDraft(params: {
+  userId: string
+  workspaceId: string
+  providerId: string
+}): Promise<void> {
+  const { userId, workspaceId, providerId } = params
+
+  const service = getAllOAuthServices().find((s) => s.providerId === providerId)
+  const serviceName = service?.name ?? providerId
+
+  let displayName = serviceName
+  try {
+    const [row] = await db.select({ name: user.name }).from(user).where(eq(user.id, userId))
+    if (row?.name) {
+      displayName = `${row.name}'s ${serviceName}`
+    }
+  } catch {
+    // Fall back to service name only
+  }
+
+  const now = new Date()
+  const expiresAt = new Date(now.getTime() + DRAFT_TTL_MS)
+  await db
+    .delete(pendingCredentialDraft)
+    .where(
+      and(eq(pendingCredentialDraft.userId, userId), lt(pendingCredentialDraft.expiresAt, now))
+    )
+  await db
+    .insert(pendingCredentialDraft)
+    .values({
+      id: generateId(),
+      userId,
+      workspaceId,
+      providerId,
+      displayName,
+      expiresAt,
+      createdAt: now,
+    })
+    .onConflictDoUpdate({
+      target: [
+        pendingCredentialDraft.userId,
+        pendingCredentialDraft.providerId,
+        pendingCredentialDraft.workspaceId,
+      ],
+      set: { displayName, expiresAt, createdAt: now },
+    })
+
+  logger.info('Created OAuth connect credential draft', { userId, workspaceId, providerId })
+}
+
 /**
  * Browser-initiated entrypoint for linking a generic OAuth2 account.
  */
@@ -22,16 +88,32 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
     loginUrl.searchParams.set('callbackUrl', request.nextUrl.pathname + request.nextUrl.search)
     return NextResponse.redirect(loginUrl.toString())
   }
+  const userId = session.user.id
 
   const parsed = await parseRequest(authorizeOAuth2Contract, request, {})
   if (!parsed.success) return parsed.response
-  const { providerId, callbackURL: requestedCallback } = parsed.data.query
+  const { providerId, workspaceId, callbackURL: requestedCallback } = parsed.data.query
 
   const callbackURL = requestedCallback?.startsWith(`${baseUrl}/`)
     ? requestedCallback
     : `${baseUrl}/workspace`
 
   try {
+    const access = await checkWorkspaceAccess(workspaceId, userId)
+    if (!access.canWrite) {
+      logger.warn('Workspace write access denied for OAuth2 authorize', {
+        userId,
+        workspaceId,
+        providerId,
+      })
+      return NextResponse.redirect(`${baseUrl}/workspace?error=workspace_access_denied`)
+    }
+
+    // Create the draft before initiating the link so it is guaranteed to exist
+    // (and freshly clocked) when the OAuth callback's `account.create.after`
+    // hook runs. If this throws, we never start the OAuth flow.
+    await createConnectDraft({ userId, workspaceId, providerId })
+
     const linkResponse = await auth.api.oAuth2LinkAccount({
       body: { providerId, callbackURL },
       headers: request.headers,

apps/sim/lib/api/contracts/oauth-connections.ts

@@ -1,4 +1,5 @@
 import { z } from 'zod'
+import { workspaceIdSchema } from '@/lib/api/contracts/primitives'
 import type {
   ContractBody,
   ContractBodyInput,
@@ -192,6 +193,7 @@ export const trelloCallbackContract = defineRouteContract({
 
 export const authorizeOAuth2QuerySchema = z.object({
   providerId: z.string().min(1, 'providerId is required'),
+  workspaceId: workspaceIdSchema,
   callbackURL: z.string().min(1).optional(),
 })
 

apps/sim/lib/copilot/tools/handlers/oauth.ts

@@ -1,8 +1,4 @@
-import { db } from '@sim/db'
-import { pendingCredentialDraft, user } from '@sim/db/schema'
 import { toError } from '@sim/utils/errors'
-import { generateId } from '@sim/utils/id'
-import { and, eq, lt } from 'drizzle-orm'
 import type { ExecutionContext, ToolCallResult } from '@/lib/copilot/request/types'
 import { ensureWorkspaceAccess } from '@/lib/copilot/tools/handlers/access'
 import { getBaseUrl } from '@/lib/core/utils/urls'
@@ -20,7 +16,6 @@ export async function executeOAuthGetAuthLink(
     }
     await ensureWorkspaceAccess(context.workspaceId, context.userId, 'write')
     const result = await generateOAuthLink(
-      context.userId,
       context.workspaceId,
       context.workflowId,
       context.chatId,
@@ -72,13 +67,13 @@ export async function executeOAuthRequestAccess(
  * Resolves a human-friendly provider name to a providerId and returns a
  * browser-initiated authorize URL the user opens to connect the service.
  *
- * Steps: resolve provider → create credential draft → return the Sim
- * `/api/auth/oauth2/authorize` URL. That endpoint (not this server-side handler)
- * calls Better Auth, so the signed `state` cookie is planted in the user's
- * browser and the OAuth callback's state check passes.
+ * Steps: resolve provider → return the Sim `/api/auth/oauth2/authorize` URL.
+ * That endpoint (not this server-side handler) creates the credential draft and
+ * calls Better Auth, so the draft's TTL starts at click and the signed `state`
+ * cookie is planted in the user's browser and the OAuth callback's state check
+ * passes.
  */
 async function generateOAuthLink(
-  userId: string,
   workspaceId: string | undefined,
   workflowId: string | undefined,
   chatId: string | undefined,
@@ -129,54 +124,19 @@ async function generateOAuthLink(
     }
   }
 
-  let displayName = serviceName
-  try {
-    const [row] = await db.select({ name: user.name }).from(user).where(eq(user.id, userId))
-    if (row?.name) {
-      displayName = `${row.name}'s ${serviceName}`
-    }
-  } catch {
-    // Fall back to service name only
-  }
-
-  const now = new Date()
-  await db
-    .delete(pendingCredentialDraft)
-    .where(
-      and(eq(pendingCredentialDraft.userId, userId), lt(pendingCredentialDraft.expiresAt, now))
-    )
-  await db
-    .insert(pendingCredentialDraft)
-    .values({
-      id: generateId(),
-      userId,
-      workspaceId,
-      providerId,
-      displayName,
-      expiresAt: new Date(now.getTime() + 15 * 60 * 1000),
-      createdAt: now,
-    })
-    .onConflictDoUpdate({
-      target: [
-        pendingCredentialDraft.userId,
-        pendingCredentialDraft.providerId,
-        pendingCredentialDraft.workspaceId,
-      ],
-      set: {
-        displayName,
-        expiresAt: new Date(now.getTime() + 15 * 60 * 1000),
-        createdAt: now,
-      },
-    })
-
   // Hand back a browser-initiated authorize URL rather than calling
   // oAuth2LinkAccount here. Generating the link server-side would set Better
   // Auth's signed `state` cookie on this server-to-server response instead of the
   // user's browser, so the OAuth callback would fail with `state_mismatch`. The
   // authorize endpoint runs the link inside the user's browser, planting the
   // cookie correctly while keeping the callback's state check enabled.
+  //
+  // The pending credential draft is created by that authorize endpoint at click
+  // time (not here), so the draft's TTL starts when the user actually initiates
+  // the connect and reliably outlives the OAuth round-trip.
   const authorizeUrl = new URL(`${baseUrl}/api/auth/oauth2/authorize`)
   authorizeUrl.searchParams.set('providerId', providerId)
+  authorizeUrl.searchParams.set('workspaceId', workspaceId)
   authorizeUrl.searchParams.set('callbackURL', callbackURL)
 
   return { url: authorizeUrl.toString(), providerId, serviceName }