feat: Sync app credentials between Cal.com & self-hosted platforms (#11059)

* Add credential sync .env variables

* Add webhook to send app credentials

* Upsert credentials when webhook called

* Refresh oauth token from a specific endpoint

* Pass appSlug

* Add credential encryption

* Move oauth helps into a folder

* Create parse token response wrapper

* Add OAuth helpers to apps

* Clean up

* Refactor `appDirName` to `appSlug`

* Address feedback

* Change to safe parse

* Remove console.log

---------

Co-authored-by: Syed Ali Shahbaz <52925846+alishaz-polymath@users.noreply.github.com>
Co-authored-by: Omar López <zomars@me.com>

.env.example

@@ -230,6 +230,19 @@ AUTH_BEARER_TOKEN_VERCEL=
 E2E_TEST_APPLE_CALENDAR_EMAIL=""
 E2E_TEST_APPLE_CALENDAR_PASSWORD=""
 
+# - APP CREDENTIAL SYNC ***********************************************************************************
+# Used for self-hosters that are implementing Cal.com into their applications that already have certain integrations
+# Under settings/admin/apps ensure that all app secrets are set the same as the parent application
+# You can use: `openssl rand -base64 32` to generate one
+CALCOM_WEBHOOK_SECRET=""
+# This is the header name that will be used to verify the webhook secret. Should be in lowercase
+CALCOM_WEBHOOK_HEADER_NAME="calcom-webhook-secret"
+CALCOM_CREDENTIAL_SYNC_ENDPOINT=""
+# Key should match on Cal.com and your application
+# must be 32 bytes for AES256 encryption algorithm
+# You can use: `openssl rand -base64 24` to generate one
+CALCOM_APP_CREDENTIAL_ENCRYPTION_KEY=""
+
 # - OIDC E2E TEST *******************************************************************************************
 
 # Ensure this ADMIN EMAIL is present in the SAML_ADMINS list
@@ -243,4 +256,4 @@ E2E_TEST_OIDC_PROVIDER_DOMAIN=
 E2E_TEST_OIDC_USER_EMAIL=
 E2E_TEST_OIDC_USER_PASSWORD=
 
-# ***********************************************************************************************************
+# ***********************************************************************************************************

apps/web/pages/api/webhook/app-credential.ts

@@ -0,0 +1,93 @@
+import type { NextApiRequest, NextApiResponse } from "next";
+import z from "zod";
+
+import { appStoreMetadata } from "@calcom/app-store/appStoreMetaData";
+import { APP_CREDENTIAL_SHARING_ENABLED } from "@calcom/lib/constants";
+import { symmetricDecrypt } from "@calcom/lib/crypto";
+import prisma from "@calcom/prisma";
+
+const appCredentialWebhookRequestBodySchema = z.object({
+  // UserId of the cal.com user
+  userId: z.number().int(),
+  appSlug: z.string(),
+  // Keys should be AES256 encrypted with the CALCOM_APP_CREDENTIAL_ENCRYPTION_KEY
+  keys: z.string(),
+});
+/** */
+export default async function handler(req: NextApiRequest, res: NextApiResponse) {
+  // Check that credential sharing is enabled
+  if (!APP_CREDENTIAL_SHARING_ENABLED) {
+    return res.status(403).json({ message: "Credential sharing is not enabled" });
+  }
+
+  // Check that the webhook secret matches
+  if (
+    req.headers[process.env.CALCOM_WEBHOOK_HEADER_NAME || "calcom-webhook-secret"] !==
+    process.env.CALCOM_WEBHOOK_SECRET
+  ) {
+    return res.status(403).json({ message: "Invalid webhook secret" });
+  }
+
+  const reqBody = appCredentialWebhookRequestBodySchema.parse(req.body);
+
+  // Check that the user exists
+  const user = await prisma.user.findUnique({ where: { id: reqBody.userId } });
+
+  if (!user) {
+    return res.status(404).json({ message: "User not found" });
+  }
+
+  const app = await prisma.app.findUnique({
+    where: { slug: reqBody.appSlug },
+    select: { slug: true },
+  });
+
+  if (!app) {
+    return res.status(404).json({ message: "App not found" });
+  }
+
+  //   Search for the app's slug and type
+  const appMetadata = appStoreMetadata[app.slug as keyof typeof appStoreMetadata];
+
+  if (!appMetadata) {
+    return res.status(404).json({ message: "App not found. Ensure that you have the correct app slug" });
+  }
+
+  // Decrypt the keys
+  const keys = JSON.parse(
+    symmetricDecrypt(reqBody.keys, process.env.CALCOM_APP_CREDENTIAL_ENCRYPTION_KEY || "")
+  );
+
+  // Can't use prisma upsert as we don't know the id of the credential
+  const appCredential = await prisma.credential.findFirst({
+    where: {
+      userId: reqBody.userId,
+      appId: appMetadata.slug,
+    },
+    select: {
+      id: true,
+    },
+  });
+
+  if (appCredential) {
+    await prisma.credential.update({
+      where: {
+        id: appCredential.id,
+      },
+      data: {
+        key: keys,
+      },
+    });
+    return res.status(200).json({ message: `Credentials updated for userId: ${reqBody.userId}` });
+  } else {
+    await prisma.credential.create({
+      data: {
+        key: keys,
+        userId: reqBody.userId,
+        appId: appMetadata.slug,
+        type: appMetadata.type,
+      },
+    });
+    return res.status(200).json({ message: `Credentials created for userId: ${reqBody.userId}` });
+  }
+}

packages/app-store/_utils/oauth/createOAuthAppCredential.ts

@@ -3,8 +3,8 @@ import type { NextApiRequest } from "next";
 import { HttpError } from "@calcom/lib/http-error";
 import prisma from "@calcom/prisma";
 
-import { decodeOAuthState } from "./decodeOAuthState";
+import { decodeOAuthState } from "../oauth/decodeOAuthState";
-import { throwIfNotHaveAdminAccessToTeam } from "./throwIfNotHaveAdminAccessToTeam";
+import { throwIfNotHaveAdminAccessToTeam } from "../throwIfNotHaveAdminAccessToTeam";
 
 /**
  * This function is used to create app credentials for either a user or a team

packages/app-store/_utils/oauth/decodeOAuthState.ts

@@ -1,6 +1,6 @@
 import type { NextApiRequest } from "next";
 
-import type { IntegrationOAuthCallbackState } from "../types";
+import type { IntegrationOAuthCallbackState } from "../../types";
 
 export function decodeOAuthState(req: NextApiRequest) {
   if (typeof req.query.state !== "string") {

packages/app-store/_utils/oauth/encodeOAuthState.ts

@@ -1,6 +1,6 @@
 import type { NextApiRequest } from "next";
 
-import type { IntegrationOAuthCallbackState } from "../types";
+import type { IntegrationOAuthCallbackState } from "../../types";
 
 export function encodeOAuthState(req: NextApiRequest) {
   if (typeof req.query.state !== "string") {

packages/app-store/_utils/oauth/parseRefreshTokenResponse.ts

@@ -0,0 +1,32 @@
+import { z } from "zod";
+
+import { APP_CREDENTIAL_SHARING_ENABLED } from "@calcom/lib/constants";
+
+const minimumTokenResponseSchema = z.object({
+  access_token: z.string(),
+  //   Assume that any property with a number is the expiry
+  [z.string().toString()]: z.number(),
+  //   Allow other properties in the token response
+  [z.string().optional().toString()]: z.unknown().optional(),
+});
+
+const parseRefreshTokenResponse = (response: any, schema: z.ZodTypeAny) => {
+  let refreshTokenResponse;
+  if (APP_CREDENTIAL_SHARING_ENABLED && process.env.CALCOM_CREDENTIAL_SYNC_ENDPOINT) {
+    refreshTokenResponse = minimumTokenResponseSchema.safeParse(response);
+  } else {
+    refreshTokenResponse = schema.safeParse(response);
+  }
+
+  if (!refreshTokenResponse.success) {
+    throw new Error("Invalid refreshed tokens were returned");
+  }
+
+  if (!refreshTokenResponse.data.refresh_token) {
+    refreshTokenResponse.data.refresh_token = "refresh_token";
+  }
+
+  return refreshTokenResponse;
+};
+
+export default parseRefreshTokenResponse;

packages/app-store/_utils/oauth/refreshOAuthTokens.ts

@@ -0,0 +1,22 @@
+import { APP_CREDENTIAL_SHARING_ENABLED } from "@calcom/lib/constants";
+
+const refreshOAuthTokens = async (refreshFunction: () => any, appSlug: string, userId: number | null) => {
+  // Check that app syncing is enabled and that the credential belongs to a user
+  if (APP_CREDENTIAL_SHARING_ENABLED && process.env.CALCOM_CREDENTIAL_SYNC_ENDPOINT && userId) {
+    // Customize the payload based on what your endpoint requires
+    // The response should only contain the access token and expiry date
+    const response = await fetch(process.env.CALCOM_CREDENTIAL_SYNC_ENDPOINT, {
+      method: "POST",
+      body: new URLSearchParams({
+        calcomUserId: userId.toString(),
+        appSlug,
+      }),
+    });
+    return response;
+  } else {
+    const response = await refreshFunction();
+    return response;
+  }
+};
+
+export default refreshOAuthTokens;

packages/app-store/googlecalendar/api/add.ts

@@ -3,8 +3,8 @@ import type { NextApiRequest, NextApiResponse } from "next";
 
 import { WEBAPP_URL_FOR_OAUTH } from "@calcom/lib/constants";
 
-import { encodeOAuthState } from "../../_utils/encodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import { encodeOAuthState } from "../../_utils/oauth/encodeOAuthState";
 
 const scopes = [
   "https://www.googleapis.com/auth/calendar.readonly",

packages/app-store/googlecalendar/api/callback.ts

@@ -5,9 +5,9 @@ import { WEBAPP_URL_FOR_OAUTH, CAL_URL } from "@calcom/lib/constants";
 import { getSafeRedirectUrl } from "@calcom/lib/getSafeRedirectUrl";
 import prisma from "@calcom/prisma";
 
-import { decodeOAuthState } from "../../_utils/decodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import { decodeOAuthState } from "../../_utils/oauth/decodeOAuthState";
 
 let client_id = "";
 let client_secret = "";

packages/app-store/googlecalendar/lib/CalendarService.ts

@@ -18,6 +18,8 @@ import type {
 } from "@calcom/types/Calendar";
 import type { CredentialPayload } from "@calcom/types/Credential";
 
+import parseRefreshTokenResponse from "../../_utils/oauth/parseRefreshTokenResponse";
+import refreshOAuthTokens from "../../_utils/oauth/refreshOAuthTokens";
 import { getGoogleAppKeys } from "./getGoogleAppKeys";
 import { googleCredentialSchema } from "./googleCredentialSchema";
 
@@ -81,11 +83,18 @@ export default class GoogleCalendarService implements Calendar {
 
     const refreshAccessToken = async (myGoogleAuth: Awaited<ReturnType<typeof getGoogleAuth>>) => {
       try {
-        const { res } = await myGoogleAuth.refreshToken(googleCredentials.refresh_token);
+        const res = await refreshOAuthTokens(
+          async () => {
+            const fetchTokens = await myGoogleAuth.refreshToken(googleCredentials.refresh_token);
+            return fetchTokens.res;
+          },
+          "google-calendar",
+          credential.userId
+        );
         const token = res?.data;
         googleCredentials.access_token = token.access_token;
         googleCredentials.expiry_date = token.expiry_date;
-        const key = googleCredentialSchema.parse(googleCredentials);
+        const key = parseRefreshTokenResponse(googleCredentials, googleCredentialSchema);
         await prisma.credential.update({
           where: { id: credential.id },
           data: { key },

packages/app-store/hubspot/api/add.ts

@@ -3,8 +3,8 @@ import type { NextApiRequest, NextApiResponse } from "next";
 
 import { WEBAPP_URL } from "@calcom/lib/constants";
 
-import { encodeOAuthState } from "../../_utils/encodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import { encodeOAuthState } from "../../_utils/oauth/encodeOAuthState";
 
 const scopes = ["crm.objects.contacts.read", "crm.objects.contacts.write"];
 

packages/app-store/hubspot/api/callback.ts

@@ -5,10 +5,10 @@ import type { NextApiRequest, NextApiResponse } from "next";
 import { WEBAPP_URL } from "@calcom/lib/constants";
 import { getSafeRedirectUrl } from "@calcom/lib/getSafeRedirectUrl";
 
-import createOAuthAppCredential from "../../_utils/createOAuthAppCredential";
-import { decodeOAuthState } from "../../_utils/decodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import createOAuthAppCredential from "../../_utils/oauth/createOAuthAppCredential";
+import { decodeOAuthState } from "../../_utils/oauth/decodeOAuthState";
 
 let client_id = "";
 let client_secret = "";

packages/app-store/hubspot/lib/CalendarService.ts

@@ -23,6 +23,7 @@ import type {
 import type { CredentialPayload } from "@calcom/types/Credential";
 
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import refreshOAuthTokens from "../../_utils/oauth/refreshOAuthTokens";
 import type { HubspotToken } from "../api/callback";
 
 const hubspotClient = new hubspot.Client();
@@ -173,13 +174,18 @@ export default class HubspotCalendarService implements Calendar {
 
     const refreshAccessToken = async (refreshToken: string) => {
       try {
-        const hubspotRefreshToken: HubspotToken = await hubspotClient.oauth.tokensApi.createToken(
+        const hubspotRefreshToken: HubspotToken = await refreshOAuthTokens(
-          "refresh_token",
+          async () =>
-          undefined,
+            await hubspotClient.oauth.tokensApi.createToken(
-          WEBAPP_URL + "/api/integrations/hubspot/callback",
+              "refresh_token",
-          this.client_id,
+              undefined,
-          this.client_secret,
+              WEBAPP_URL + "/api/integrations/hubspot/callback",
-          refreshToken
+              this.client_id,
+              this.client_secret,
+              refreshToken
+            ),
+          "hubspot",
+          credential.userId
         );
 
         // set expiry date as offset from current time.

packages/app-store/larkcalendar/api/add.ts

@@ -5,8 +5,8 @@ import { z } from "zod";
 import { WEBAPP_URL } from "@calcom/lib/constants";
 import { defaultHandler, defaultResponder } from "@calcom/lib/server";
 
-import { encodeOAuthState } from "../../_utils/encodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import { encodeOAuthState } from "../../_utils/oauth/encodeOAuthState";
 import { LARK_HOST } from "../common";
 
 const larkKeysSchema = z.object({

packages/app-store/larkcalendar/api/callback.ts

@@ -6,8 +6,8 @@ import logger from "@calcom/lib/logger";
 import { defaultHandler, defaultResponder } from "@calcom/lib/server";
 import prisma from "@calcom/prisma";
 
-import { decodeOAuthState } from "../../_utils/decodeOAuthState";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import { decodeOAuthState } from "../../_utils/oauth/decodeOAuthState";
 import { LARK_HOST } from "../common";
 import { getAppAccessToken } from "../lib/AppAccessToken";
 import type { LarkAuthCredentials } from "../types/LarkCalendar";

packages/app-store/larkcalendar/lib/CalendarService.ts

@@ -11,6 +11,7 @@ import type {
 } from "@calcom/types/Calendar";
 import type { CredentialPayload } from "@calcom/types/Credential";
 
+import refreshOAuthTokens from "../../_utils/oauth/refreshOAuthTokens";
 import { handleLarkError, isExpired, LARK_HOST } from "../common";
 import type {
   CreateAttendeesResp,
@@ -63,17 +64,22 @@ export default class LarkCalendarService implements Calendar {
     }
     try {
       const appAccessToken = await getAppAccessToken();
-      const resp = await fetch(`${this.url}/authen/v1/refresh_access_token`, {
+      const resp = await refreshOAuthTokens(
-        method: "POST",
+        async () =>
-        headers: {
+          await fetch(`${this.url}/authen/v1/refresh_access_token`, {
-          Authorization: `Bearer ${appAccessToken}`,
+            method: "POST",
-          "Content-Type": "application/json; charset=utf-8",
+            headers: {
-        },
+              Authorization: `Bearer ${appAccessToken}`,
-        body: JSON.stringify({
+              "Content-Type": "application/json; charset=utf-8",
-          grant_type: "refresh_token",
+            },
-          refresh_token: refreshToken,
+            body: JSON.stringify({
-        }),
+              grant_type: "refresh_token",
-      });
+              refresh_token: refreshToken,
+            }),
+          }),
+        "lark-calendar",
+        credential.userId
+      );
 
       const data = await handleLarkError<RefreshTokenResp>(resp, this.log);
       this.log.debug(

packages/app-store/office365calendar/api/add.ts

@@ -3,8 +3,8 @@ import { stringify } from "querystring";
 
 import { WEBAPP_URL } from "@calcom/lib/constants";
 
-import { encodeOAuthState } from "../../_utils/encodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import { encodeOAuthState } from "../../_utils/oauth/encodeOAuthState";
 
 const scopes = ["User.Read", "Calendars.Read", "Calendars.ReadWrite", "offline_access"];
 

packages/app-store/office365calendar/api/callback.ts

@@ -4,9 +4,9 @@ import { WEBAPP_URL } from "@calcom/lib/constants";
 import { getSafeRedirectUrl } from "@calcom/lib/getSafeRedirectUrl";
 import prisma from "@calcom/prisma";
 
-import { decodeOAuthState } from "../../_utils/decodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import { decodeOAuthState } from "../../_utils/oauth/decodeOAuthState";
 
 const scopes = ["offline_access", "Calendars.Read", "Calendars.ReadWrite"];
 

packages/app-store/office365calendar/lib/CalendarService.ts

@@ -17,6 +17,8 @@ import type {
 } from "@calcom/types/Calendar";
 import type { CredentialPayload } from "@calcom/types/Credential";
 
+import parseRefreshTokenResponse from "../../_utils/oauth/parseRefreshTokenResponse";
+import refreshOAuthTokens from "../../_utils/oauth/refreshOAuthTokens";
 import type { O365AuthCredentials } from "../types/Office365Calendar";
 import { getOfficeAppKeys } from "./getOfficeAppKeys";
 
@@ -241,28 +243,25 @@ export default class Office365CalendarService implements Calendar {
 
     const refreshAccessToken = async (o365AuthCredentials: O365AuthCredentials) => {
       const { client_id, client_secret } = await getOfficeAppKeys();
-      const response = await fetch("https://login.microsoftonline.com/common/oauth2/v2.0/token", {
+      const response = await refreshOAuthTokens(
-        method: "POST",
+        async () =>
-        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+          await fetch("https://login.microsoftonline.com/common/oauth2/v2.0/token", {
-        body: new URLSearchParams({
+            method: "POST",
-          scope: "User.Read Calendars.Read Calendars.ReadWrite",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
-          client_id,
+            body: new URLSearchParams({
-          refresh_token: o365AuthCredentials.refresh_token,
+              scope: "User.Read Calendars.Read Calendars.ReadWrite",
-          grant_type: "refresh_token",
+              client_id,
-          client_secret,
+              refresh_token: o365AuthCredentials.refresh_token,
-        }),
+              grant_type: "refresh_token",
-      });
+              client_secret,
+            }),
+          }),
+        "office365-calendar",
+        credential.userId
+      );
       const responseJson = await handleErrorsJson(response);
-      const tokenResponse = refreshTokenResponseSchema.safeParse(responseJson);
+      const tokenResponse = parseRefreshTokenResponse(responseJson, refreshTokenResponseSchema);
       o365AuthCredentials = { ...o365AuthCredentials, ...(tokenResponse.success && tokenResponse.data) };
-      if (!tokenResponse.success) {
-        console.error(
-          "Outlook error grabbing new tokens ~ zodError:",
-          tokenResponse.error,
-          "MS response:",
-          responseJson
-        );
-      }
       await prisma.credential.update({
         where: {
           id: credential.id,

packages/app-store/office365video/api/add.ts

@@ -3,8 +3,8 @@ import { stringify } from "querystring";
 
 import { WEBAPP_URL } from "@calcom/lib/constants";
 
-import { encodeOAuthState } from "../../_utils/encodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import { encodeOAuthState } from "../../_utils/oauth/encodeOAuthState";
 
 const scopes = ["OnlineMeetings.ReadWrite", "offline_access"];
 

packages/app-store/office365video/api/callback.ts

@@ -4,10 +4,10 @@ import { WEBAPP_URL } from "@calcom/lib/constants";
 import { getSafeRedirectUrl } from "@calcom/lib/getSafeRedirectUrl";
 import prisma from "@calcom/prisma";
 
-import createOAuthAppCredential from "../../_utils/createOAuthAppCredential";
-import { decodeOAuthState } from "../../_utils/decodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import createOAuthAppCredential from "../../_utils/oauth/createOAuthAppCredential";
+import { decodeOAuthState } from "../../_utils/oauth/decodeOAuthState";
 
 const scopes = ["OnlineMeetings.ReadWrite", "offline_access"];
 

packages/app-store/office365video/lib/VideoApiAdapter.ts

@@ -9,6 +9,7 @@ import type { PartialReference } from "@calcom/types/EventManager";
 import type { VideoApiAdapter, VideoCallData } from "@calcom/types/VideoApiAdapter";
 
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import refreshOAuthTokens from "../../_utils/oauth/refreshOAuthTokens";
 
 let client_id = "";
 let client_secret = "";
@@ -57,16 +58,21 @@ const o365Auth = async (credential: CredentialPayload) => {
   const o365AuthCredentials = credential.key as unknown as O365AuthCredentials;
 
   const refreshAccessToken = async (refreshToken: string) => {
-    const response = await fetch("https://login.microsoftonline.com/common/oauth2/v2.0/token", {
+    const response = await refreshOAuthTokens(
-      method: "POST",
+      async () =>
-      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        await fetch("https://login.microsoftonline.com/common/oauth2/v2.0/token", {
-      body: new URLSearchParams({
+          method: "POST",
-        client_id,
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
-        refresh_token: refreshToken,
+          body: new URLSearchParams({
-        grant_type: "refresh_token",
+            client_id,
-        client_secret,
+            refresh_token: refreshToken,
-      }),
+            grant_type: "refresh_token",
-    });
+            client_secret,
+          }),
+        }),
+      "msteams",
+      credential.userId
+    );
 
     const responseBody = await handleErrorsJson<ITokenResponse>(response);
 

packages/app-store/salesforce/api/add.ts

@@ -3,8 +3,8 @@ import type { NextApiRequest, NextApiResponse } from "next";
 
 import { WEBAPP_URL } from "@calcom/lib/constants";
 
-import { encodeOAuthState } from "../../_utils/encodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import { encodeOAuthState } from "../../_utils/oauth/encodeOAuthState";
 
 let consumer_key = "";
 

packages/app-store/salesforce/api/callback.ts

@@ -4,10 +4,10 @@ import type { NextApiRequest, NextApiResponse } from "next";
 import { WEBAPP_URL } from "@calcom/lib/constants";
 import { getSafeRedirectUrl } from "@calcom/lib/getSafeRedirectUrl";
 
-import createOAuthAppCredential from "../../_utils/createOAuthAppCredential";
-import { decodeOAuthState } from "../../_utils/decodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import createOAuthAppCredential from "../../_utils/oauth/createOAuthAppCredential";
+import { decodeOAuthState } from "../../_utils/oauth/decodeOAuthState";
 
 let consumer_key = "";
 let consumer_secret = "";

packages/app-store/salesforce/lib/CalendarService.ts

@@ -1,6 +1,7 @@
 import type { TokenResponse } from "jsforce";
 import jsforce from "jsforce";
 import { RRule } from "rrule";
+import { z } from "zod";
 
 import { getLocation } from "@calcom/lib/CalEventParser";
 import { WEBAPP_URL } from "@calcom/lib/constants";
@@ -16,6 +17,7 @@ import type {
 import type { CredentialPayload } from "@calcom/types/Credential";
 
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import parseRefreshTokenResponse from "../../_utils/oauth/parseRefreshTokenResponse";
 
 type ExtendedTokenResponse = TokenResponse & {
   instance_url: string;
@@ -34,6 +36,16 @@ const sfApiErrors = {
   INVALID_EVENTWHOIDS: "INVALID_FIELD: No such column 'EventWhoIds' on sobject of type Event",
 };
 
+const salesforceTokenSchema = z.object({
+  id: z.string(),
+  issued_at: z.string(),
+  instance_url: z.string(),
+  signature: z.string(),
+  access_token: z.string(),
+  scope: z.string(),
+  token_type: z.string(),
+});
+
 export default class SalesforceCalendarService implements Calendar {
   private integrationName = "";
   private conn: Promise<jsforce.Connection>;
@@ -60,6 +72,32 @@ export default class SalesforceCalendarService implements Calendar {
 
     const credentialKey = credential.key as unknown as ExtendedTokenResponse;
 
+    const response = await fetch("https://login.salesforce.com/services/oauth2/token", {
+      method: "POST",
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        client_id: consumer_key,
+        client_secret: consumer_secret,
+        refresh_token: credentialKey.refresh_token,
+        format: "json",
+      }),
+    });
+
+    if (response.statusText !== "OK") throw new HttpError({ statusCode: 400, message: response.statusText });
+
+    const accessTokenJson = await response.json();
+
+    const accessTokenParsed = parseRefreshTokenResponse(accessTokenJson, salesforceTokenSchema);
+
+    if (!accessTokenParsed.success) {
+      return Promise.reject(new Error("Invalid refreshed tokens were returned"));
+    }
+
+    await prisma.credential.update({
+      where: { id: credential.id },
+      data: { key: { ...accessTokenParsed.data, refresh_token: credentialKey.refresh_token } },
+    });
+
     return new jsforce.Connection({
       clientId: consumer_key,
       clientSecret: consumer_secret,

packages/app-store/stripepayment/api/callback.ts

@@ -2,8 +2,8 @@ import type { Prisma } from "@prisma/client";
 import type { NextApiRequest, NextApiResponse } from "next";
 import { stringify } from "querystring";
 
-import createOAuthAppCredential from "../../_utils/createOAuthAppCredential";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import createOAuthAppCredential from "../../_utils/oauth/createOAuthAppCredential";
 import type { StripeData } from "../lib/server";
 import stripe from "../lib/server";
 

packages/app-store/tandemvideo/api/callback.ts

@@ -2,9 +2,9 @@ import type { NextApiRequest, NextApiResponse } from "next";
 
 import prisma from "@calcom/prisma";
 
-import createOAuthAppCredential from "../../_utils/createOAuthAppCredential";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import createOAuthAppCredential from "../../_utils/oauth/createOAuthAppCredential";
 
 let client_id = "";
 let client_secret = "";

packages/app-store/webex/api/callback.ts

@@ -3,8 +3,8 @@ import type { NextApiRequest, NextApiResponse } from "next";
 import { WEBAPP_URL } from "@calcom/lib/constants";
 import prisma from "@calcom/prisma";
 
-import createOAuthAppCredential from "../../_utils/createOAuthAppCredential";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import createOAuthAppCredential from "../../_utils/oauth/createOAuthAppCredential";
 import config from "../config.json";
 import { getWebexAppKeys } from "../lib/getWebexAppKeys";
 

packages/app-store/webex/lib/VideoApiAdapter.ts

@@ -8,6 +8,7 @@ import type { CredentialPayload } from "@calcom/types/Credential";
 import type { PartialReference } from "@calcom/types/EventManager";
 import type { VideoApiAdapter, VideoCallData } from "@calcom/types/VideoApiAdapter";
 
+import refreshOAuthTokens from "../../_utils/oauth/refreshOAuthTokens";
 import { getWebexAppKeys } from "./getWebexAppKeys";
 
 /** @link https://developer.webex.com/docs/meetings **/
@@ -58,18 +59,23 @@ const webexAuth = (credential: CredentialPayload) => {
   const refreshAccessToken = async (refreshToken: string) => {
     const { client_id, client_secret } = await getWebexAppKeys();
 
-    const response = await fetch("https://webexapis.com/v1/access_token", {
+    const response = await refreshOAuthTokens(
-      method: "POST",
+      async () =>
-      headers: {
+        await fetch("https://webexapis.com/v1/access_token", {
-        "Content-type": "application/x-www-form-urlencoded",
+          method: "POST",
-      },
+          headers: {
-      body: new URLSearchParams({
+            "Content-type": "application/x-www-form-urlencoded",
-        grant_type: "refresh_token",
+          },
-        client_id: client_id,
+          body: new URLSearchParams({
-        client_secret: client_secret,
+            grant_type: "refresh_token",
-        refresh_token: refreshToken,
+            client_id: client_id,
-      }),
+            client_secret: client_secret,
-    });
+            refresh_token: refreshToken,
+          }),
+        }),
+      "webex",
+      credential.userId
+    );
 
     const responseBody = await handleWebexResponse(response, credential.id);
 

packages/app-store/zoho-bigin/api/add.ts

@@ -3,8 +3,8 @@ import type { NextApiRequest, NextApiResponse } from "next";
 
 import { WEBAPP_URL } from "@calcom/lib/constants";
 
-import { encodeOAuthState } from "../../_utils/encodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import { encodeOAuthState } from "../../_utils/oauth/encodeOAuthState";
 import appConfig from "../config.json";
 
 export default async function handler(req: NextApiRequest, res: NextApiResponse) {
@@ -14,7 +14,7 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
     const clientId = typeof appKeys.client_id === "string" ? appKeys.client_id : "";
     if (!clientId) return res.status(400).json({ message: "Zoho Bigin client_id missing." });
 
-    const redirectUri = WEBAPP_URL + `/api/integrations/${appConfig.slug}/callback`;
+    const redirectUri = WEBAPP_URL + `/api/integrations/zoho-bigin/callback`;
 
     const authUrl = axios.getUri({
       url: "https://accounts.zoho.com/oauth/v2/auth",

packages/app-store/zoho-bigin/api/callback.ts

@@ -5,10 +5,10 @@ import qs from "qs";
 import { WEBAPP_URL } from "@calcom/lib/constants";
 import { getSafeRedirectUrl } from "@calcom/lib/getSafeRedirectUrl";
 
-import createOAuthAppCredential from "../../_utils/createOAuthAppCredential";
-import { decodeOAuthState } from "../../_utils/decodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import createOAuthAppCredential from "../../_utils/oauth/createOAuthAppCredential";
+import { decodeOAuthState } from "../../_utils/oauth/decodeOAuthState";
 import appConfig from "../config.json";
 
 export default async function handler(req: NextApiRequest, res: NextApiResponse) {

packages/app-store/zoho-bigin/lib/CalendarService.ts

@@ -15,6 +15,7 @@ import type {
 import type { CredentialPayload } from "@calcom/types/Credential";
 
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import refreshOAuthTokens from "../../_utils/oauth/refreshOAuthTokens";
 import { appKeysSchema } from "../zod";
 
 export type BiginToken = {
@@ -81,11 +82,16 @@ export default class BiginCalendarService implements Calendar {
       refresh_token: credentialKey.refresh_token,
     };
 
-    const tokenInfo = await axios.post(accountsUrl, qs.stringify(formData), {
+    const tokenInfo = await refreshOAuthTokens(
-      headers: {
+      async () =>
-        "Content-Type": "application/x-www-form-urlencoded;charset=utf-8",
+        await axios.post(accountsUrl, qs.stringify(formData), {
-      },
+          headers: {
-    });
+            "Content-Type": "application/x-www-form-urlencoded;charset=utf-8",
+          },
+        }),
+      "zoho-bigin",
+      credentialId
+    );
 
     if (!tokenInfo.data.error) {
       // set expiry date as offset from current time.

packages/app-store/zohocrm/api/_getAdd.ts

@@ -3,8 +3,8 @@ import { stringify } from "querystring";
 
 import { WEBAPP_URL } from "@calcom/lib/constants";
 
-import { encodeOAuthState } from "../../_utils/encodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import { encodeOAuthState } from "../../_utils/oauth/encodeOAuthState";
 
 let client_id = "";
 

packages/app-store/zohocrm/api/callback.ts

@@ -5,10 +5,10 @@ import qs from "qs";
 import { WEBAPP_URL } from "@calcom/lib/constants";
 import { getSafeRedirectUrl } from "@calcom/lib/getSafeRedirectUrl";
 
-import createOAuthAppCredential from "../../_utils/createOAuthAppCredential";
-import { decodeOAuthState } from "../../_utils/decodeOAuthState";
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import createOAuthAppCredential from "../../_utils/oauth/createOAuthAppCredential";
+import { decodeOAuthState } from "../../_utils/oauth/decodeOAuthState";
 
 let client_id = "";
 let client_secret = "";

packages/app-store/zohocrm/lib/CalendarService.ts

@@ -16,6 +16,7 @@ import type {
 import type { CredentialPayload } from "@calcom/types/Credential";
 
 import getAppKeysFromSlug from "../../_utils/getAppKeysFromSlug";
+import refreshOAuthTokens from "../../_utils/oauth/refreshOAuthTokens";
 
 export type ZohoToken = {
   scope: string;
@@ -200,14 +201,19 @@ export default class ZohoCrmCalendarService implements Calendar {
           client_secret: this.client_secret,
           refresh_token: credentialKey.refresh_token,
         };
-        const zohoCrmTokenInfo = await axios({
+        const zohoCrmTokenInfo = await refreshOAuthTokens(
-          method: "post",
+          async () =>
-          url: url,
+            await axios({
-          data: qs.stringify(formData),
+              method: "post",
-          headers: {
+              url: url,
-            "Content-Type": "application/x-www-form-urlencoded;charset=utf-8",
+              data: qs.stringify(formData),
-          },
+              headers: {
-        });
+                "Content-Type": "application/x-www-form-urlencoded;charset=utf-8",
+              },
+            }),
+          "zohocrm",
+          credential.userId
+        );
         if (!zohoCrmTokenInfo.data.error) {
           // set expiry date as offset from current time.
           zohoCrmTokenInfo.data.expiryDate = Math.round(Date.now() + 60 * 60);

packages/app-store/zoomvideo/api/add.ts

@@ -5,7 +5,7 @@ import { WEBAPP_URL } from "@calcom/lib/constants";
 import { defaultHandler, defaultResponder } from "@calcom/lib/server";
 import prisma from "@calcom/prisma";
 
-import { encodeOAuthState } from "../../_utils/encodeOAuthState";
+import { encodeOAuthState } from "../../_utils/oauth/encodeOAuthState";
 import { getZoomAppKeys } from "../lib";
 
 async function handler(req: NextApiRequest) {

packages/app-store/zoomvideo/api/callback.ts

@@ -3,8 +3,8 @@ import type { NextApiRequest, NextApiResponse } from "next";
 import { WEBAPP_URL } from "@calcom/lib/constants";
 import prisma from "@calcom/prisma";
 
-import createOAuthAppCredential from "../../_utils/createOAuthAppCredential";
 import getInstalledAppPath from "../../_utils/getInstalledAppPath";
+import createOAuthAppCredential from "../../_utils/oauth/createOAuthAppCredential";
 import { getZoomAppKeys } from "../lib";
 
 export default async function handler(req: NextApiRequest, res: NextApiResponse) {

packages/app-store/zoomvideo/lib/VideoApiAdapter.ts

@@ -9,6 +9,8 @@ import type { CredentialPayload } from "@calcom/types/Credential";
 import type { PartialReference } from "@calcom/types/EventManager";
 import type { VideoApiAdapter, VideoCallData } from "@calcom/types/VideoApiAdapter";
 
+import parseRefreshTokenResponse from "../../_utils/oauth/parseRefreshTokenResponse";
+import refreshOAuthTokens from "../../_utils/oauth/refreshOAuthTokens";
 import { getZoomAppKeys } from "./getZoomAppKeys";
 
 /** @link https://marketplace.zoom.us/docs/api-reference/zoom-api/meetings/meetingcreate */
@@ -74,17 +76,22 @@ const zoomAuth = (credential: CredentialPayload) => {
     const { client_id, client_secret } = await getZoomAppKeys();
     const authHeader = "Basic " + Buffer.from(client_id + ":" + client_secret).toString("base64");
 
-    const response = await fetch("https://zoom.us/oauth/token", {
+    const response = await refreshOAuthTokens(
-      method: "POST",
+      async () =>
-      headers: {
+        await fetch("https://zoom.us/oauth/token", {
-        Authorization: authHeader,
+          method: "POST",
-        "Content-Type": "application/x-www-form-urlencoded",
+          headers: {
-      },
+            Authorization: authHeader,
-      body: new URLSearchParams({
+            "Content-Type": "application/x-www-form-urlencoded",
-        refresh_token: refreshToken,
+          },
-        grant_type: "refresh_token",
+          body: new URLSearchParams({
-      }),
+            refresh_token: refreshToken,
-    });
+            grant_type: "refresh_token",
+          }),
+        }),
+      "zoomvideo",
+      credential.userId
+    );
 
     const responseBody = await handleZoomResponse(response, credential.id);
 
@@ -94,7 +101,7 @@ const zoomAuth = (credential: CredentialPayload) => {
       }
     }
     // We check the if the new credentials matches the expected response structure
-    const parsedToken = zoomRefreshedTokenSchema.safeParse(responseBody);
+    const parsedToken = parseRefreshTokenResponse(responseBody, zoomRefreshedTokenSchema);
 
     // TODO: If the new token is invalid, initiate the fallback sequence instead of throwing
     // Expanding on this we can use server-to-server app and create meeting from admin calcom account

packages/lib/constants.ts

@@ -99,3 +99,6 @@ export const ORGANIZATION_MIN_SEATS = 30;
 // Needed for emails in E2E
 export const IS_MAILHOG_ENABLED = process.env.E2E_TEST_MAILHOG_ENABLED === "1";
 export const CALCOM_VERSION = process.env.NEXT_PUBLIC_CALCOM_VERSION as string;
+
+export const APP_CREDENTIAL_SHARING_ENABLED =
+  process.env.CALCOM_WEBHOOK_SECRET && process.env.CALCOM_APP_CREDENTIAL_ENCRYPTION_KEY;

turbo.json

@@ -197,10 +197,14 @@
     "BASECAMP3_USER_AGENT",
     "AUTH_BEARER_TOKEN_VERCEL",
     "BUILD_ID",
+    "CALCOM_APP_CREDENTIAL_ENCRYPTION_KEY",
+    "CALCOM_CREDENTIAL_SYNC_ENDPOINT",
     "CALCOM_ENV",
     "CALCOM_LICENSE_KEY",
     "CALCOM_TELEMETRY_DISABLED",
+    "CALCOM_WEBHOOK_HEADER_NAME",
     "CALENDSO_ENCRYPTION_KEY",
+    "CALCOM_WEBHOOK_SECRET",
     "CI",
     "CLOSECOM_API_KEY",
     "CRON_API_KEY",