fix(selectors): secure OAuth tokens in JSM and Confluence selector routes

Convert JSM selector-servicedesks, selector-requesttypes, and Confluence
selector-spaces routes from GET (with access token in URL query params) to
POST with authorizeCredentialUse + refreshAccessTokenIfNeeded pattern. Also
adds missing ensureCredential guard to microsoft.planner.plans registry entry.

Author: waleedlatif1

apps/sim/app/api/tools/confluence/selector-spaces/route.ts

@@ -0,0 +1,98 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateJiraCloudId } from '@/lib/core/security/input-validation'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { getConfluenceCloudId } from '@/tools/confluence/utils'
+
+const logger = createLogger('ConfluenceSelectorSpacesAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  try {
+    const requestId = generateRequestId()
+    const body = await request.json()
+    const { credential, workflowId, domain } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    if (!domain) {
+      return NextResponse.json({ error: 'Domain is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const cloudId = await getConfluenceCloudId(domain, accessToken)
+
+    const cloudIdValidation = validateJiraCloudId(cloudId, 'cloudId')
+    if (!cloudIdValidation.isValid) {
+      return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
+    }
+
+    const url = `https://api.atlassian.com/ex/confluence/${cloudId}/wiki/api/v2/spaces?limit=250`
+
+    const response = await fetch(url, {
+      method: 'GET',
+      headers: {
+        Accept: 'application/json',
+        Authorization: `Bearer ${accessToken}`,
+      },
+    })
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => null)
+      logger.error('Confluence API error:', {
+        status: response.status,
+        statusText: response.statusText,
+        error: errorData,
+      })
+      const errorMessage =
+        errorData?.message || `Failed to list Confluence spaces (${response.status})`
+      return NextResponse.json({ error: errorMessage }, { status: response.status })
+    }
+
+    const data = await response.json()
+    const spaces = (data.results || []).map(
+      (space: { id: string; name: string; key: string }) => ({
+        id: space.id,
+        name: space.name,
+        key: space.key,
+      })
+    )
+
+    return NextResponse.json({ spaces })
+  } catch (error) {
+    logger.error('Error listing Confluence spaces:', error)
+    return NextResponse.json(
+      { error: (error as Error).message || 'Internal server error' },
+      { status: 500 }
+    )
+  }
+}

apps/sim/app/api/tools/jsm/selector-requesttypes/route.ts

@@ -1,33 +1,30 @@
 import { createLogger } from '@sim/logger'
-import { type NextRequest, NextResponse } from 'next/server'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
 import { validateAlphanumericId, validateJiraCloudId } from '@/lib/core/security/input-validation'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import { getJiraCloudId, getJsmApiBaseUrl, getJsmHeaders } from '@/tools/jsm/utils'
 
 const logger = createLogger('JsmSelectorRequestTypesAPI')
 
 export const dynamic = 'force-dynamic'
 
-export async function GET(request: NextRequest) {
+export async function POST(request: Request) {
   try {
-    const auth = await checkSessionOrInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
+    const requestId = generateRequestId()
+    const body = await request.json()
+    const { credential, workflowId, domain, serviceDeskId } = body
 
-    const { searchParams } = new URL(request.url)
-    const domain = searchParams.get('domain')
-    const accessToken = searchParams.get('accessToken')
-    const serviceDeskId = searchParams.get('serviceDeskId')
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
 
     if (!domain) {
       return NextResponse.json({ error: 'Domain is required' }, { status: 400 })
     }
 
-    if (!accessToken) {
-      return NextResponse.json({ error: 'Access token is required' }, { status: 400 })
-    }
-
     if (!serviceDeskId) {
       return NextResponse.json({ error: 'Service Desk ID is required' }, { status: 400 })
     }
@@ -37,6 +34,30 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: serviceDeskIdValidation.error }, { status: 400 })
     }
 
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
     const cloudId = await getJiraCloudId(domain, accessToken)
 
     const cloudIdValidation = validateJiraCloudId(cloudId, 'cloudId')

apps/sim/app/api/tools/jsm/selector-servicedesks/route.ts

@@ -1,30 +1,52 @@
 import { createLogger } from '@sim/logger'
-import { type NextRequest, NextResponse } from 'next/server'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
 import { validateJiraCloudId } from '@/lib/core/security/input-validation'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import { getJiraCloudId, getJsmApiBaseUrl, getJsmHeaders } from '@/tools/jsm/utils'
 
 const logger = createLogger('JsmSelectorServiceDesksAPI')
 
 export const dynamic = 'force-dynamic'
 
-export async function GET(request: NextRequest) {
+export async function POST(request: Request) {
   try {
-    const auth = await checkSessionOrInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
+    const requestId = generateRequestId()
+    const body = await request.json()
+    const { credential, workflowId, domain } = body
 
-    const { searchParams } = new URL(request.url)
-    const domain = searchParams.get('domain')
-    const accessToken = searchParams.get('accessToken')
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
 
     if (!domain) {
       return NextResponse.json({ error: 'Domain is required' }, { status: 400 })
     }
 
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
     if (!accessToken) {
-      return NextResponse.json({ error: 'Access token is required' }, { status: 400 })
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
     }
 
     const cloudId = await getJiraCloudId(domain, accessToken)

apps/sim/hooks/selectors/registry.ts

@@ -422,11 +422,15 @@ const registry: Record<SelectorKey, SelectorDefinition> = {
     fetchList: async ({ context }: SelectorQueryArgs) => {
       const credentialId = ensureCredential(context, 'confluence.spaces')
       const domain = ensureDomain(context, 'confluence.spaces')
-      const accessToken = await fetchOAuthToken(credentialId, context.workflowId)
-      if (!accessToken) throw new Error('Missing Confluence access token')
-      const data = await fetchJson<{ spaces: ConfluenceSpace[] }>('/api/tools/confluence/spaces', {
-        searchParams: { domain, accessToken, limit: '250' },
+      const body = JSON.stringify({
+        credential: credentialId,
+        workflowId: context.workflowId,
+        domain,
       })
+      const data = await fetchJson<{ spaces: ConfluenceSpace[] }>(
+        '/api/tools/confluence/selector-spaces',
+        { method: 'POST', body }
+      )
       return (data.spaces || []).map((space) => ({
         id: space.id,
         label: `${space.name} (${space.key})`,
@@ -436,11 +440,15 @@ const registry: Record<SelectorKey, SelectorDefinition> = {
       if (!detailId) return null
       const credentialId = ensureCredential(context, 'confluence.spaces')
       const domain = ensureDomain(context, 'confluence.spaces')
-      const accessToken = await fetchOAuthToken(credentialId, context.workflowId)
-      if (!accessToken) throw new Error('Missing Confluence access token')
-      const data = await fetchJson<{ spaces: ConfluenceSpace[] }>('/api/tools/confluence/spaces', {
-        searchParams: { domain, accessToken, limit: '250' },
+      const body = JSON.stringify({
+        credential: credentialId,
+        workflowId: context.workflowId,
+        domain,
       })
+      const data = await fetchJson<{ spaces: ConfluenceSpace[] }>(
+        '/api/tools/confluence/selector-spaces',
+        { method: 'POST', body }
+      )
       const space = (data.spaces || []).find((s) => s.id === detailId) ?? null
       if (!space) return null
       return { id: space.id, label: `${space.name} (${space.key})` }
@@ -459,13 +467,14 @@ const registry: Record<SelectorKey, SelectorDefinition> = {
     fetchList: async ({ context }: SelectorQueryArgs) => {
       const credentialId = ensureCredential(context, 'jsm.serviceDesks')
       const domain = ensureDomain(context, 'jsm.serviceDesks')
-      const accessToken = await fetchOAuthToken(credentialId, context.workflowId)
-      if (!accessToken) throw new Error('Missing JSM access token')
+      const body = JSON.stringify({
+        credential: credentialId,
+        workflowId: context.workflowId,
+        domain,
+      })
       const data = await fetchJson<{ serviceDesks: JsmServiceDesk[] }>(
         '/api/tools/jsm/selector-servicedesks',
-        {
-          searchParams: { domain, accessToken },
-        }
+        { method: 'POST', body }
       )
       return (data.serviceDesks || []).map((sd) => ({
         id: sd.id,
@@ -476,13 +485,14 @@ const registry: Record<SelectorKey, SelectorDefinition> = {
       if (!detailId) return null
       const credentialId = ensureCredential(context, 'jsm.serviceDesks')
       const domain = ensureDomain(context, 'jsm.serviceDesks')
-      const accessToken = await fetchOAuthToken(credentialId, context.workflowId)
-      if (!accessToken) throw new Error('Missing JSM access token')
+      const body = JSON.stringify({
+        credential: credentialId,
+        workflowId: context.workflowId,
+        domain,
+      })
       const data = await fetchJson<{ serviceDesks: JsmServiceDesk[] }>(
         '/api/tools/jsm/selector-servicedesks',
-        {
-          searchParams: { domain, accessToken },
-        }
+        { method: 'POST', body }
       )
       const sd = (data.serviceDesks || []).find((s) => s.id === detailId) ?? null
       if (!sd) return null
@@ -505,17 +515,15 @@ const registry: Record<SelectorKey, SelectorDefinition> = {
       const credentialId = ensureCredential(context, 'jsm.requestTypes')
       const domain = ensureDomain(context, 'jsm.requestTypes')
       if (!context.serviceDeskId) throw new Error('Missing serviceDeskId for jsm.requestTypes')
-      const accessToken = await fetchOAuthToken(credentialId, context.workflowId)
-      if (!accessToken) throw new Error('Missing JSM access token')
+      const body = JSON.stringify({
+        credential: credentialId,
+        workflowId: context.workflowId,
+        domain,
+        serviceDeskId: context.serviceDeskId,
+      })
       const data = await fetchJson<{ requestTypes: JsmRequestType[] }>(
         '/api/tools/jsm/selector-requesttypes',
-        {
-          searchParams: {
-            domain,
-            accessToken,
-            serviceDeskId: context.serviceDeskId,
-          },
-        }
+        { method: 'POST', body }
       )
       return (data.requestTypes || []).map((rt) => ({
         id: rt.id,
@@ -527,17 +535,15 @@ const registry: Record<SelectorKey, SelectorDefinition> = {
       const credentialId = ensureCredential(context, 'jsm.requestTypes')
       const domain = ensureDomain(context, 'jsm.requestTypes')
       if (!context.serviceDeskId) return null
-      const accessToken = await fetchOAuthToken(credentialId, context.workflowId)
-      if (!accessToken) throw new Error('Missing JSM access token')
+      const body = JSON.stringify({
+        credential: credentialId,
+        workflowId: context.workflowId,
+        domain,
+        serviceDeskId: context.serviceDeskId,
+      })
       const data = await fetchJson<{ requestTypes: JsmRequestType[] }>(
         '/api/tools/jsm/selector-requesttypes',
-        {
-          searchParams: {
-            domain,
-            accessToken,
-            serviceDeskId: context.serviceDeskId,
-          },
-        }
+        { method: 'POST', body }
       )
       const rt = (data.requestTypes || []).find((r) => r.id === detailId) ?? null
       if (!rt) return null
@@ -585,15 +591,17 @@ const registry: Record<SelectorKey, SelectorDefinition> = {
     ],
     enabled: ({ context }) => Boolean(context.credentialId),
     fetchList: async ({ context }: SelectorQueryArgs) => {
+      const credentialId = ensureCredential(context, 'microsoft.planner.plans')
       const data = await fetchJson<{ plans: PlannerPlan[] }>('/api/tools/microsoft_planner/plans', {
-        searchParams: { credentialId: context.credentialId },
+        searchParams: { credentialId },
       })
       return (data.plans || []).map((plan) => ({ id: plan.id, label: plan.title }))
     },
     fetchById: async ({ context, detailId }: SelectorQueryArgs) => {
       if (!detailId) return null
+      const credentialId = ensureCredential(context, 'microsoft.planner.plans')
       const data = await fetchJson<{ plans: PlannerPlan[] }>('/api/tools/microsoft_planner/plans', {
-        searchParams: { credentialId: context.credentialId },
+        searchParams: { credentialId },
       })
       const plan = (data.plans || []).find((p) => p.id === detailId) ?? null
       if (!plan) return null