fix(security): SSRF fixes (#4548)

* fix: address SSRF and token-leakage security vulnerabilities

- Azure TTS SSRF: validate region against /^[a-z][a-z0-9-]{1,30}[a-z0-9]$/
  in both the contract (tts.ts) and runtime guard in synthesizeWithAzure,
  preventing user-supplied region from redirecting requests to arbitrary hosts
- HubSpot token in logs: remove fullResponse from logger.info call;
  log only non-sensitive metadata (hub_id, hub_domain, user_id) instead
  of the full introspection response which included the access token
- Wealthbox account takeover: replace hardcoded email with per-user identity
  by fetching /v1/users/me; fall back to token-derived stable identifier
  so distinct Wealthbox users no longer share the same email address
- Shopify SSRF: apply shopifyShopDomainSchema (.myshopify.com allowlist)
  to shopDomain from cookie before using it to build the fetch URL

* fix(wealthbox): correct getUserInfo endpoint, auth header, and stable identity

- Bug 1: Change API endpoint from /v1/users/me to /v1/me (correct Wealthbox API path)
- Bug 2: Replace ACCESS_TOKEN header with Authorization: Bearer <token> (standard OAuth 2.0)
- Bug 3: Remove generateId() from returned id (was non-deterministic, caused duplicate accounts);
  use refresh token (stable, long-lived) instead of access token (rotates every ~2 hours)
  as the hash source for the fallback identity; return null if no token is available

* fix(security): hash wealthbox fallback token identity, guard undefined userId

- Replace base64 encoding with SHA-256 hash for fallback token-derived identity
  so raw token bytes are never stored in the DB
- Return null early when Wealthbox API response lacks an id field to prevent
  all such users colliding on the wealthbox-undefined account

* fix(auth): replace stale wealthbox userInfoUrl placeholder with actual endpoint

The dummy URL comment was rendered obsolete when getUserInfo was updated
to fetch from api.crmworkspace.com/v1/me. Align userInfoUrl with the real
endpoint used in the getUserInfo implementation.

* fix(auth): append generateId() suffix to Wealthbox account IDs to match codebase pattern

All other providers use `${stableId}-${generateId()}` so the account.create.after
hook can strip the UUID suffix, find stale sibling rows, and migrate credential FKs.
Without the suffix the migration logic is skipped and reconnections would hit
duplicate key conflicts instead of gracefully updating credentials.

Author: waleedlatif1

apps/sim/app/api/auth/oauth2/shopify/store/route.ts

@@ -3,7 +3,10 @@ import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { shopifyStoreCookieSchema } from '@/lib/api/contracts/oauth-connections'
+import {
+  shopifyShopDomainSchema,
+  shopifyStoreCookieSchema,
+} from '@/lib/api/contracts/oauth-connections'
 import { getSession } from '@/lib/auth'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { isSameOrigin } from '@/lib/core/utils/validation'
@@ -38,6 +41,11 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
     }
     const { accessToken, shopDomain, scope, returnUrl } = parsedCookies.data
 
+    if (!shopifyShopDomainSchema.safeParse(shopDomain).success) {
+      logger.error('Invalid shop domain format in cookie', { shopDomain })
+      return NextResponse.redirect(`${baseUrl}/workspace?error=shopify_invalid_domain`)
+    }
+
     const shopResponse = await fetch(`https://${shopDomain}/admin/api/2024-10/shop.json`, {
       headers: {
         'X-Shopify-Access-Token': accessToken,

apps/sim/app/api/tools/tts/unified/route.ts

@@ -659,6 +659,13 @@ async function synthesizeWithAzure(
     throw new Error('text and apiKey are required for Azure TTS')
   }
 
+  const AZURE_REGION_RE = /^[a-z][a-z0-9-]{1,30}[a-z0-9]$/
+  if (!AZURE_REGION_RE.test(region)) {
+    throw new Error(
+      'Invalid Azure region: must match /^[a-z][a-z0-9-]{1,30}[a-z0-9]$/ (e.g. eastus, westeurope)'
+    )
+  }
+
   let ssml = `<speak version='1.0' xml:lang='en-US' xmlns="http://www.w3.org/2001/10/synthesis" xmlns:mstts="https://www.w3.org/2001/mstts"><voice name='${voiceId}'>`
 
   if (style) {

apps/sim/lib/api/contracts/tools/media/tts.ts

@@ -54,7 +54,13 @@ export const ttsUnifiedToolBodySchema = z
     volumeGainDb: z.coerce.number().optional(),
     sampleRateHertz: z.coerce.number().optional(),
     effectsProfileId: z.array(z.string()).optional(),
-    region: z.string().optional(),
+    region: z
+      .string()
+      .regex(
+        /^[a-z][a-z0-9-]{1,30}[a-z0-9]$/,
+        'region must be a valid Azure region identifier (e.g. eastus, westeurope)'
+      )
+      .optional(),
     rate: z.string().optional(),
     styleDegree: z.coerce.number().optional(),
     role: z.string().optional(),

apps/sim/lib/auth/auth.ts

@@ -1,3 +1,4 @@
+import { createHash } from 'crypto'
 import { cache } from 'react'
 import { sso } from '@better-auth/sso'
 import { stripe } from '@better-auth/stripe'
@@ -1611,27 +1612,71 @@ export const auth = betterAuth({
           clientSecret: env.WEALTHBOX_CLIENT_SECRET as string,
           authorizationUrl: 'https://app.crmworkspace.com/oauth/authorize',
           tokenUrl: 'https://app.crmworkspace.com/oauth/token',
-          userInfoUrl: 'https://dummy-not-used.wealthbox.com', // Dummy URL since no user info endpoint exists
+          userInfoUrl: 'https://api.crmworkspace.com/v1/me',
           scopes: getCanonicalScopesForProvider('wealthbox'),
           responseType: 'code',
           redirectURI: `${getBaseUrl()}/api/auth/oauth2/callback/wealthbox`,
-          getUserInfo: async (_tokens) => {
+          getUserInfo: async (tokens) => {
             try {
-              logger.info('Creating Wealthbox user profile from token data')
+              logger.info('Fetching Wealthbox user profile')
+
+              const response = await fetch('https://api.crmworkspace.com/v1/me', {
+                headers: {
+                  Authorization: `Bearer ${tokens.accessToken}`,
+                },
+              })
 
-              const uniqueId = 'wealthbox-user'
               const now = new Date()
 
+              if (response.ok) {
+                const data = await response.json()
+                const userId = data.id?.toString()
+                if (!userId) {
+                  return null
+                }
+                const email =
+                  data.email && typeof data.email === 'string'
+                    ? data.email
+                    : `wealthbox-${userId}@wealthbox.user`
+                const name = data.name || data.full_name || data.username || 'Wealthbox User'
+
+                return {
+                  id: `wealthbox-${userId}-${generateId()}`,
+                  name,
+                  email,
+                  emailVerified: false,
+                  createdAt: now,
+                  updatedAt: now,
+                }
+              }
+
+              // Fallback: derive a stable identifier from the refresh token (long-lived)
+              // rather than the access token (rotates every ~2 hours) to avoid creating
+              // duplicate accounts on token refresh.
+              logger.warn(
+                'Wealthbox user info fetch failed, falling back to token-derived identity',
+                {
+                  status: response.status,
+                }
+              )
+              const stableToken = tokens.refreshToken ?? tokens.accessToken
+              if (!stableToken) {
+                logger.error('Wealthbox fallback identity: no refresh or access token available')
+                return null
+              }
+              const tokenHash = createHash('sha256').update(stableToken).digest('hex').slice(0, 24)
               return {
-                id: `${uniqueId}-${generateId()}`,
+                id: `wealthbox-${tokenHash}-${generateId()}`,
                 name: 'Wealthbox User',
-                email: `${uniqueId}@wealthbox.user`,
+                email: `wealthbox-${tokenHash}@wealthbox.user`,
                 emailVerified: false,
                 createdAt: now,
                 updatedAt: now,
               }
             } catch (error) {
-              logger.error('Error creating Wealthbox user profile:', { error })
+              logger.error('Error creating Wealthbox user profile:', {
+                error: toError(error).message,
+              })
               return null
             }
           },
@@ -1730,11 +1775,12 @@ export const auth = betterAuth({
               }
 
               logger.info('HubSpot token metadata response:', {
+                hubId: data.hub_id,
+                hubDomain: data.hub_domain,
+                userId: data.user_id,
                 hasScopes: !!data.scopes,
                 scopesType: typeof data.scopes,
                 scopesIsArray: Array.isArray(data.scopes),
-                scopesValue: data.scopes,
-                fullResponse: data,
               })
 
               return {