feat(service-now): added service now block
Summary
Add OAuth 2.0 authentication support for ServiceNow integration, enabling users to connect their ServiceNow accounts via OAuth instead of just Basic Auth.
Key changes:
- Implement 3-step OAuth flow with instance-specific endpoints (authorize → callback → store)
- Update all ServiceNow tools (read, create, update, delete, import_set) to support both OAuth and Basic Auth
- Add ServiceNow to the OAuth providers configuration
- Handle ServiceNow's empty scope response by defaulting to 'useraccount'
- Store instance URL in idToken field for API calls and token refresh
Type of Change
- [ ] Bug fix
- [x] New feature
- [ ] Breaking change
- [ ] Documentation
- [ ] Other: ___________
Testing
- Connect ServiceNow account via OAuth in Integrations settings
- Verify "Additional permissions required" message does not appear after connecting
- Test ServiceNow read/create/update/delete operations with OAuth credentials
- Verify token refresh works correctly with instance-specific endpoints
- Test fallback to Basic Auth when OAuth is not used
Checklist
- [x] Code follows project style guidelines
- [x] Self-reviewed my changes
- [ ] Tests added/updated and passing
- [x] No new warnings introduced
- [ ] I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)
Screenshots/Videos
Greptile Overview
Greptile Summary
This PR adds OAuth 2.0 authentication support for ServiceNow integration alongside existing Basic Auth. The implementation includes a 3-step OAuth flow with instance-specific endpoints and CRUD tools for ServiceNow records.
Key Changes
- Implemented instance-specific OAuth flow: authorize → callback → store endpoints
- Added 5 ServiceNow tools (read, create, update, delete, import_set) supporting both OAuth and Basic Auth
- Integrated ServiceNow into OAuth provider configuration with refresh token support
- Store instance URL in `idToken` field for API calls and token refresh
- Handle ServiceNow's empty scope response by defaulting to 'useraccount'
Issues Found
- Critical: `create.ts` and `import_set.ts` use 'hidden' visibility for `username` and `password` fields. These user-provided credentials should use 'user-only' visibility. The custom style guide specifies that only framework-injected tokens (like OAuth) should use 'hidden' visibility.
- The other tools (`read.ts`, `update.ts`, `delete.ts`) correctly use 'user-only' visibility for these fields.
Confidence Score: 3/5
- Safe to merge after fixing credential visibility issues in create.ts and import_set.ts
- The OAuth implementation is solid with proper security (state validation, cookie handling). However, critical credential visibility violations in 2 files need fixing before merge. The issue is straightforward to fix but violates established security patterns.
- apps/sim/tools/servicenow/create.ts and apps/sim/tools/servicenow/import_set.ts require credential visibility fixes
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| apps/sim/tools/servicenow/create.ts | 3/5 | Added ServiceNow create tool with OAuth/Basic Auth support. Critical issue: username/password use 'hidden' visibility instead of 'user-only'. |
| apps/sim/tools/servicenow/import_set.ts | 3/5 | Added import_set tool for bulk operations. Critical issue: username/password use 'hidden' visibility instead of 'user-only'. |
| apps/sim/app/api/auth/servicenow/authorize/route.ts | 5/5 | Implemented ServiceNow OAuth authorization with instance URL collection. Good security with state validation and URL sanitization. |
| apps/sim/app/api/auth/oauth2/callback/servicenow/route.ts | 5/5 | Handles OAuth callback with proper state validation and token exchange. Correctly handles ServiceNow's empty scope response. |
| apps/sim/app/api/auth/oauth2/servicenow/store/route.ts | 4/5 | Stores OAuth tokens with instance URL in idToken field. Uses /api/now/ui/user/current_user endpoint correctly. |
| apps/sim/lib/oauth/oauth.ts | 5/5 | Added ServiceNow provider config with instance-specific token refresh. Clean integration with existing OAuth infrastructure. |
Sequence Diagram
```mermaid
sequenceDiagram
    participant User
    participant Browser
    participant AuthorizeAPI as /api/auth/servicenow/authorize
    participant ServiceNow as ServiceNow OAuth
    participant CallbackAPI as /api/auth/oauth2/callback/servicenow
    participant StoreAPI as /api/auth/oauth2/servicenow/store
    participant DB as Database
    User->>Browser: Click "Connect ServiceNow"
    Browser->>AuthorizeAPI: GET (no instanceUrl)
    AuthorizeAPI->>Browser: HTML form to collect instance URL
    User->>Browser: Enter instance URL
    Browser->>AuthorizeAPI: GET ?instanceUrl=https://...
    AuthorizeAPI->>AuthorizeAPI: Validate instance URL format
    AuthorizeAPI->>AuthorizeAPI: Generate state (UUID)
    AuthorizeAPI->>Browser: Set cookies (state, instanceUrl, returnUrl)
    Browser->>ServiceNow: Redirect to /oauth_auth.do
    User->>ServiceNow: Authorize application
    ServiceNow->>Browser: Redirect to callback with code & state
    Browser->>CallbackAPI: GET ?code=...&state=...
    CallbackAPI->>CallbackAPI: Validate state matches cookie
    CallbackAPI->>ServiceNow: POST /oauth_token.do (exchange code)
    ServiceNow->>CallbackAPI: Return access_token, refresh_token
    CallbackAPI->>CallbackAPI: Handle empty scope (default to 'useraccount')
    CallbackAPI->>Browser: Set pending token cookies, redirect to store
    Browser->>StoreAPI: GET
    StoreAPI->>StoreAPI: Retrieve tokens from cookies
    StoreAPI->>ServiceNow: GET /api/now/ui/user/current_user
    ServiceNow->>StoreAPI: Return user info
    StoreAPI->>DB: Insert/update account record (store instanceUrl in idToken)
    StoreAPI->>Browser: Redirect to workspace with success flag
    Browser->>User: Show "Connected" status
```
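The callback step of the flow above, as an added TypeScript example (not the project's code): it validates the instance URL from the cookie, compares the state from the query against the state cookie in constant time, defaults an empty scope to 'useraccount', and derives the instance-specific token endpoint. The `*.service-now.com` host rule, the function names and the sample cookies are assumptions.

```typescript
// Added example, not the project's code. Host rule below is an assumption:
// real ServiceNow instances live under *.service-now.com.
import { timingSafeEqual } from "node:crypto";

// Accept only an https origin with no path, query or fragment; return the canonical origin.
export function validateInstanceUrl(raw: string): string | null {
  let u: URL;
  try { u = new URL(raw); } catch { return null; }
  if (u.protocol !== "https:") return null;
  if (!u.hostname.endsWith(".service-now.com")) return null; // assumed host rule
  if ((u.pathname !== "/" && u.pathname !== "") || u.search || u.hash) return null;
  return u.origin;
}

// State from the redirect must equal the state cookie; compare in constant time.
export function stateMatches(fromQuery: string | null, fromCookie: string | null): boolean {
  if (!fromQuery || !fromCookie) return false;
  const a = Buffer.from(fromQuery);
  const b = Buffer.from(fromCookie);
  return a.length === b.length && timingSafeEqual(a, b);
}

// ServiceNow may answer with an empty scope; fall back to 'useraccount' as the PR does.
export function normalizeScope(scope: string | undefined): string[] {
  const parts = (scope ?? "").split(/\s+/).filter(Boolean);
  return parts.length ? parts : ["useraccount"];
}

// Run the checks in the order the callback needs them and produce the
// instance-specific token endpoint used for the code exchange.
export function callbackPrecheck(query: URLSearchParams, cookies: Record<string, string>) {
  const instance = validateInstanceUrl(cookies.instanceUrl ?? "");
  if (!instance) return { ok: false as const, reason: "bad_instance_url" };
  if (!stateMatches(query.get("state"), cookies.state ?? null)) {
    return { ok: false as const, reason: "state_mismatch" };
  }
  const code = query.get("code");
  if (!code) return { ok: false as const, reason: "missing_code" };
  return { ok: true as const, tokenUrl: `${instance}/oauth_token.do`, code };
}

// Constructed sample: cookies set by the authorize step, query sent by the redirect.
const sampleCookies = { state: "abc123", instanceUrl: "https://dev12345.service-now.com" };
console.log(callbackPrecheck(new URLSearchParams("code=c0de&state=abc123"), sampleCookies));
```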
Closed because of varying commit histories.