feat: introduce app configs with shared auth clients (#1213)

packages/backend/src/apps/gitlab/auth/verify-credentials.ts

@@ -25,6 +25,12 @@ const verifyCredentials = async ($: IGlobalVariable) => {
   $.auth.data.accessToken = data.access_token;
 
   const currentUser = await getCurrentUser($);
+  const screenName = [
+    currentUser.username,
+    $.auth.data.instanceUrl,
+  ]
+    .filter(Boolean)
+    .join(' @ ');
 
   await $.auth.set({
     clientId: $.auth.data.clientId,
@@ -34,7 +40,7 @@ const verifyCredentials = async ($: IGlobalVariable) => {
     scope: data.scope,
     tokenType: data.token_type,
     userId: currentUser.id,
-    screenName: `${currentUser.username} @ ${$.auth.data.instanceUrl}`,
+    screenName,
   });
 };
 

packages/backend/src/db/migrations/20230812132005_create_app_configs.ts

@@ -0,0 +1,17 @@
+import { Knex } from 'knex';
+
+export async function up(knex: Knex): Promise<void> {
+  return knex.schema.createTable('app_configs', (table) => {
+    table.uuid('id').primary().defaultTo(knex.raw('gen_random_uuid()'));
+    table.string('key').unique().notNullable();
+    table.boolean('allow_custom_connection').notNullable().defaultTo(false);
+    table.boolean('shared').notNullable().defaultTo(false);
+    table.boolean('disabled').notNullable().defaultTo(false);
+
+    table.timestamps(true, true);
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  return knex.schema.dropTable('app_configs');
+}

packages/backend/src/db/migrations/20230813172729_create_app_auth_clients.ts

@@ -0,0 +1,17 @@
+import { Knex } from 'knex';
+
+export async function up(knex: Knex): Promise<void> {
+  return knex.schema.createTable('app_auth_clients', (table) => {
+    table.uuid('id').primary().defaultTo(knex.raw('gen_random_uuid()'));
+    table.string('name').unique().notNullable();
+    table.uuid('app_config_id').notNullable().references('id').inTable('app_configs');
+    table.text('auth_defaults').notNullable();
+    table.boolean('active').notNullable().defaultTo(false);
+
+    table.timestamps(true, true);
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  return knex.schema.dropTable('app_auth_clients');
+}

packages/backend/src/db/migrations/20230815161102_add_app_auth_client_id_in_connections.ts

@@ -0,0 +1,13 @@
+import { Knex } from 'knex';
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.table('connections', async (table) => {
+    table.uuid('app_auth_client_id').references('id').inTable('app_auth_clients');
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  return await knex.schema.table('connections', (table) => {
+    table.dropColumn('app_auth_client_id');
+  });
+}

packages/backend/src/db/migrations/20230816121044_seed_update_app_permissions_to_admin.ts

@@ -0,0 +1,33 @@
+import { Knex } from 'knex';
+
+const getPermissionForRole = (
+  roleId: string,
+  subject: string,
+  actions: string[]
+) =>
+  actions.map((action) => ({
+    role_id: roleId,
+    subject,
+    action,
+    conditions: [],
+  }));
+
+export async function up(knex: Knex): Promise<void> {
+  const role = (await knex('roles')
+    .first(['id', 'key'])
+    .where({ key: 'admin' })
+    .limit(1)) as { id: string; key: string };
+
+  await knex('permissions').insert(
+    getPermissionForRole(role.id, 'App', [
+      'create',
+      'read',
+      'delete',
+      'update',
+    ])
+  );
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex('permissions').where({ subject: 'App' }).delete();
+}

packages/backend/src/graphql/mutation-resolvers.ts

@@ -1,3 +1,5 @@
+import createAppAuthClient from './mutations/create-app-auth-client.ee';
+import createAppConfig from './mutations/create-app-config.ee';
 import createConnection from './mutations/create-connection';
 import createFlow from './mutations/create-flow';
 import createRole from './mutations/create-role.ee';
@@ -17,6 +19,8 @@ import login from './mutations/login';
 import registerUser from './mutations/register-user.ee';
 import resetConnection from './mutations/reset-connection';
 import resetPassword from './mutations/reset-password.ee';
+import updateAppAuthClient from './mutations/update-app-auth-client.ee';
+import updateAppConfig from './mutations/update-app-config.ee';
 import updateConfig from './mutations/update-config.ee';
 import updateConnection from './mutations/update-connection';
 import updateCurrentUser from './mutations/update-current-user';
@@ -30,6 +34,8 @@ import upsertSamlAuthProvidersRoleMappings from './mutations/upsert-saml-auth-pr
 import verifyConnection from './mutations/verify-connection';
 
 const mutationResolvers = {
+  createAppAuthClient,
+  createAppConfig,
   createConnection,
   createFlow,
   createRole,
@@ -49,6 +55,8 @@ const mutationResolvers = {
   registerUser,
   resetConnection,
   resetPassword,
+  updateAppAuthClient,
+  updateAppConfig,
   updateConfig,
   updateConnection,
   updateCurrentUser,

packages/backend/src/graphql/mutations/create-app-auth-client.ee.ts

@@ -0,0 +1,35 @@
+import { IJSONObject } from '@automatisch/types';
+import AppConfig from '../../models/app-config';
+import Context from '../../types/express/context';
+
+type Params = {
+  input: {
+    appConfigId: string;
+    name: string;
+    formattedAuthDefaults?: IJSONObject;
+    active?: boolean;
+  };
+};
+
+const createAppAuthClient = async (
+  _parent: unknown,
+  params: Params,
+  context: Context
+) => {
+  context.currentUser.can('update', 'App');
+
+  const appConfig = await AppConfig
+    .query()
+    .findById(params.input.appConfigId)
+    .throwIfNotFound();
+
+  const appAuthClient = await appConfig
+    .$relatedQuery('appAuthClients')
+    .insert(
+      params.input
+    );
+
+  return appAuthClient;
+};
+
+export default createAppAuthClient;

packages/backend/src/graphql/mutations/create-app-config.ee.ts

@@ -0,0 +1,36 @@
+import App from '../../models/app';
+import AppConfig from '../../models/app-config';
+import Context from '../../types/express/context';
+
+type Params = {
+  input: {
+    key: string;
+    allowCustomConnection?: boolean;
+    shared?: boolean;
+    disabled?: boolean;
+  };
+};
+
+const createAppConfig = async (
+  _parent: unknown,
+  params: Params,
+  context: Context
+) => {
+  context.currentUser.can('update', 'App');
+
+  const key = params.input.key;
+
+  const app = await App.findOneByKey(key);
+
+  if (!app) throw new Error('The app cannot be found!');
+
+  const appConfig = await AppConfig
+    .query()
+    .insert(
+      params.input
+    );
+
+  return appConfig;
+};
+
+export default createAppConfig;

packages/backend/src/graphql/mutations/create-connection.ts

@@ -1,13 +1,16 @@
-import App from '../../models/app';
-import Context from '../../types/express/context';
 import { IJSONObject } from '@automatisch/types';
+import App from '../../models/app';
+import AppConfig from '../../models/app-config';
+import Context from '../../types/express/context';
 
 type Params = {
   input: {
     key: string;
+    appAuthClientId: string;
     formattedData: IJSONObject;
   };
 };
+
 const createConnection = async (
   _parent: unknown,
   params: Params,
@@ -15,13 +18,42 @@ const createConnection = async (
 ) => {
   context.currentUser.can('create', 'Connection');
 
-  await App.findOneByKey(params.input.key);
+  const { key, appAuthClientId } = params.input;
 
-  return await context.currentUser.$relatedQuery('connections').insert({
-    key: params.input.key,
-    formattedData: params.input.formattedData,
-    verified: false,
-  });
+  const app = await App.findOneByKey(key);
+
+  const appConfig = await AppConfig.query().findOne({ key });
+
+  let formattedData = params.input.formattedData;
+  if (appConfig) {
+    if (appConfig.disabled) throw new Error('This application has been disabled for new connections!');
+
+    if (!appConfig.allowCustomConnection && formattedData) throw new Error(`Custom connections cannot be created for ${app.name}!`);
+
+    if (appConfig.shared && !formattedData) {
+      const authClient = await appConfig
+        .$relatedQuery('appAuthClients')
+        .findById(appAuthClientId)
+        .where({
+          active: true
+        })
+        .throwIfNotFound();
+
+      formattedData = authClient.formattedAuthDefaults;
+    }
+  }
+
+  const createdConnection = await context
+    .currentUser
+    .$relatedQuery('connections')
+    .insert({
+      key,
+      appAuthClientId,
+      formattedData,
+      verified: false,
+    });
+
+  return createdConnection;
 };
 
 export default createConnection;

packages/backend/src/graphql/mutations/delete-app-auth-client.ee.ts

@@ -0,0 +1,28 @@
+import Context from '../../types/express/context';
+import AppAuthClient from '../../models/app-auth-client';
+
+type Params = {
+  input: {
+    id: string;
+  };
+};
+
+const deleteAppAuthClient = async (
+  _parent: unknown,
+  params: Params,
+  context: Context
+) => {
+  context.currentUser.can('delete', 'App');
+
+  await AppAuthClient
+    .query()
+    .delete()
+    .findOne({
+      id: params.input.id,
+    })
+    .throwIfNotFound();
+
+  return;
+};
+
+export default deleteAppAuthClient;

packages/backend/src/graphql/mutations/update-app-auth-client.ee.ts

@@ -0,0 +1,38 @@
+import { IJSONObject } from '@automatisch/types';
+import AppAuthClient from '../../models/app-auth-client';
+import Context from '../../types/express/context';
+
+type Params = {
+  input: {
+    id: string;
+    name: string;
+    formattedAuthDefaults?: IJSONObject;
+    active?: boolean;
+  };
+};
+
+const updateAppAuthClient = async (
+  _parent: unknown,
+  params: Params,
+  context: Context
+) => {
+  context.currentUser.can('update', 'App');
+
+  const {
+    id,
+    ...appAuthClientData
+  } = params.input;
+
+  const appAuthClient = await AppAuthClient
+    .query()
+    .findById(id)
+    .throwIfNotFound();
+
+  await appAuthClient
+    .$query()
+    .patch(appAuthClientData);
+
+  return appAuthClient;
+};
+
+export default updateAppAuthClient;

packages/backend/src/graphql/mutations/update-app-config.ee.ts

@@ -0,0 +1,39 @@
+import AppConfig from '../../models/app-config';
+import Context from '../../types/express/context';
+
+type Params = {
+  input: {
+    id: string;
+    allowCustomConnection?: boolean;
+    shared?: boolean;
+    disabled?: boolean;
+  };
+};
+
+const updateAppConfig = async (
+  _parent: unknown,
+  params: Params,
+  context: Context
+) => {
+  context.currentUser.can('update', 'App');
+
+  const {
+    id,
+    ...appConfigToUpdate
+  } = params.input;
+
+  const appConfig = await AppConfig
+    .query()
+    .findById(id)
+    .throwIfNotFound();
+
+  await appConfig
+    .$query()
+    .patch(
+      appConfigToUpdate
+    );
+
+  return appConfig;
+};
+
+export default updateAppConfig;

packages/backend/src/graphql/mutations/update-connection.ts

@@ -1,10 +1,12 @@
-import Context from '../../types/express/context';
 import { IJSONObject } from '@automatisch/types';
+import Context from '../../types/express/context';
+import AppAuthClient from '../../models/app-auth-client';
 
 type Params = {
   input: {
     id: string;
-    formattedData: IJSONObject;
+    formattedData?: IJSONObject;
+    appAuthClientId?: string;
   };
 };
 
@@ -22,10 +24,21 @@ const updateConnection = async (
     })
     .throwIfNotFound();
 
+  let formattedData = params.input.formattedData;
+
+  if (params.input.appAuthClientId) {
+    const appAuthClient = await AppAuthClient
+      .query()
+      .findById(params.input.appAuthClientId)
+      .throwIfNotFound();
+
+    formattedData = appAuthClient.formattedAuthDefaults;
+  }
+
   connection = await connection.$query().patchAndFetch({
     formattedData: {
       ...connection.formattedData,
-      ...params.input.formattedData,
+      ...formattedData,
     },
   });
 

packages/backend/src/graphql/queries/get-app-auth-client.ee.ts

@@ -0,0 +1,30 @@
+import AppAuthClient from '../../models/app-auth-client';
+import Context from '../../types/express/context';
+
+type Params = {
+  id: string;
+};
+
+const getAppAuthClient = async (_parent: unknown, params: Params, context: Context) => {
+  let canSeeAllClients = false;
+  try {
+    context.currentUser.can('read', 'App');
+
+    canSeeAllClients = true;
+  } catch {
+    // void
+  }
+
+  const appAuthClient = AppAuthClient
+    .query()
+    .findById(params.id)
+    .throwIfNotFound();
+
+  if (!canSeeAllClients) {
+    appAuthClient.where({ active: true });
+  }
+
+  return await appAuthClient;
+};
+
+export default getAppAuthClient;

packages/backend/src/graphql/queries/get-app-auth-clients.ee.ts

@@ -0,0 +1,40 @@
+import AppConfig from '../../models/app-config';
+import Context from '../../types/express/context';
+
+type Params = {
+  appKey: string;
+  active: boolean;
+};
+
+const getAppAuthClients = async (_parent: unknown, params: Params, context: Context) => {
+  let canSeeAllClients = false;
+  try {
+    context.currentUser.can('read', 'App');
+
+    canSeeAllClients = true;
+  } catch {
+    // void
+  }
+
+  const appConfig = await AppConfig
+    .query()
+    .findOne({
+      key: params.appKey,
+    })
+    .throwIfNotFound();
+
+  const appAuthClients = appConfig
+    .$relatedQuery('appAuthClients')
+    .where({ active: params.active })
+    .skipUndefined();
+
+  if (!canSeeAllClients) {
+    appAuthClients.where({
+      active: true
+    })
+  }
+
+  return await appAuthClients;
+};
+
+export default getAppAuthClients;

packages/backend/src/graphql/queries/get-app-config.ee.ts

@@ -0,0 +1,23 @@
+import AppConfig from '../../models/app-config';
+import Context from '../../types/express/context';
+
+type Params = {
+  key: string;
+};
+
+const getAppConfig = async (_parent: unknown, params: Params, context: Context) => {
+  context.currentUser.can('create', 'Connection');
+
+  const appConfig = await AppConfig
+    .query()
+    .withGraphFetched({
+      appAuthClients: true
+    })
+    .findOne({
+      key: params.key
+    });
+
+  return appConfig;
+};
+
+export default getAppConfig;

packages/backend/src/graphql/queries/get-app.ts

@@ -19,6 +19,10 @@ const getApp = async (_parent: unknown, params: Params, context: Context) => {
     const connections = await connectionBaseQuery
       .clone()
       .select('connections.*')
+      .withGraphFetched({
+        appConfig: true,
+        appAuthClient: true
+      })
       .fullOuterJoinRelated('steps')
       .where({
         'connections.key': params.key,

packages/backend/src/graphql/query-resolvers.ts

@@ -1,9 +1,12 @@
 import getApp from './queries/get-app';
+import getAppAuthClient from './queries/get-app-auth-client.ee';
+import getAppAuthClients from './queries/get-app-auth-clients.ee';
+import getAppConfig from './queries/get-app-config.ee';
 import getApps from './queries/get-apps';
 import getAutomatischInfo from './queries/get-automatisch-info';
 import getBillingAndUsage from './queries/get-billing-and-usage.ee';
-import getConnectedApps from './queries/get-connected-apps';
 import getConfig from './queries/get-config.ee';
+import getConnectedApps from './queries/get-connected-apps';
 import getCurrentUser from './queries/get-current-user';
 import getDynamicData from './queries/get-dynamic-data';
 import getDynamicFields from './queries/get-dynamic-fields';
@@ -30,6 +33,9 @@ import testConnection from './queries/test-connection';
 
 const queryResolvers = {
   getApp,
+  getAppAuthClient,
+  getAppAuthClients,
+  getAppConfig,
   getApps,
   getAutomatischInfo,
   getBillingAndUsage,

packages/backend/src/graphql/schema.graphql

@@ -5,6 +5,9 @@ type Query {
     onlyWithActions: Boolean
   ): [App]
   getApp(key: String!): App
+  getAppConfig(key: String!): AppConfig
+  getAppAuthClient(id: String!): AppAuthClient
+  getAppAuthClients(appKey: String!, active: Boolean): [AppAuthClient]
   getConnectedApps(name: String): [App]
   testConnection(id: String!): Connection
   getFlow(id: String!): Flow
@@ -49,10 +52,12 @@ type Query {
   getUser(id: String!): User
   getUsers(limit: Int!, offset: Int!): UserConnection
   healthcheck: AppHealth
-  listSamlAuthProviders: [ListSamlAuthProviders]
+  listSamlAuthProviders: [ListSamlAuthProvider]
 }
 
 type Mutation {
+  createAppConfig(input: CreateAppConfigInput): AppConfig
+  createAppAuthClient(input: CreateAppAuthClientInput): AppAuthClient
   createConnection(input: CreateConnectionInput): Connection
   createFlow(input: CreateFlowInput): Flow
   createRole(input: CreateRoleInput): Role
@@ -72,6 +77,8 @@ type Mutation {
   registerUser(input: RegisterUserInput): User
   resetConnection(input: ResetConnectionInput): Connection
   resetPassword(input: ResetPasswordInput): Boolean
+  updateAppAuthClient(input: UpdateAppAuthClientInput): AppAuthClient
+  updateAppConfig(input: UpdateAppConfigInput): AppConfig
   updateConfig(input: JSONObject): JSONObject
   updateConnection(input: UpdateConnectionInput): Connection
   updateCurrentUser(input: UpdateCurrentUserInput): User
@@ -162,6 +169,16 @@ type SubstepArgumentAdditionalFieldsArgument {
   value: String
 }
 
+type AppConfig {
+  id: String
+  key: String
+  allowCustomConnection: Boolean
+  canConnect: Boolean
+  canCustomConnect: Boolean
+  shared: Boolean
+  disabled: Boolean
+}
+
 type App {
   name: String
   key: String
@@ -181,7 +198,9 @@ type App {
 type AppAuth {
   fields: [Field]
   authenticationSteps: [AuthenticationStep]
+  sharedAuthenticationSteps: [AuthenticationStep]
   reconnectionSteps: [ReconnectionStep]
+  sharedReconnectionSteps: [ReconnectionStep]
 }
 
 enum ArgumentEnumType {
@@ -219,6 +238,8 @@ type AuthLink {
 type Connection {
   id: String
   key: String
+  reconnectable: Boolean
+  appAuthClientId: String
   formattedData: ConnectionData
   verified: Boolean
   app: App
@@ -328,7 +349,8 @@ type UserEdge {
 
 input CreateConnectionInput {
   key: String!
-  formattedData: JSONObject!
+  appAuthClientId: String
+  formattedData: JSONObject
 }
 
 input GenerateAuthUrlInput {
@@ -337,7 +359,8 @@ input GenerateAuthUrlInput {
 
 input UpdateConnectionInput {
   id: String!
-  formattedData: JSONObject!
+  formattedData: JSONObject
+  appAuthClientId: String
 }
 
 input ResetConnectionInput {
@@ -690,7 +713,7 @@ type PaymentPlan {
   productId: String
 }
 
-type ListSamlAuthProviders {
+type ListSamlAuthProvider {
   id: String
   name: String
   issuer: String
@@ -725,6 +748,41 @@ type Subject {
   key: String
 }
 
+input CreateAppConfigInput {
+  key: String
+  allowCustomConnection: Boolean
+  shared: Boolean
+  disabled: Boolean
+}
+
+input UpdateAppConfigInput {
+  id: String
+  allowCustomConnection: Boolean
+  shared: Boolean
+  disabled: Boolean
+}
+
+type AppAuthClient {
+  id: String
+  appConfigId: String
+  name: String
+  active: Boolean
+}
+
+input CreateAppAuthClientInput {
+  appConfigId: String
+  name: String
+  formattedAuthDefaults: JSONObject
+  active: Boolean
+}
+
+input UpdateAppAuthClientInput {
+  id: String
+  name: String
+  formattedAuthDefaults: JSONObject
+  active: Boolean
+}
+
 schema {
   query: Query
   mutation: Mutation

packages/backend/src/helpers/add-authentication-steps.ts

@@ -3,6 +3,7 @@ import { IApp } from '@automatisch/types';
 function addAuthenticationSteps(app: IApp): IApp {
   if (app.auth.generateAuthUrl) {
     app.auth.authenticationSteps = authenticationStepsWithAuthUrl;
+    app.auth.sharedAuthenticationSteps = sharedAuthenticationStepsWithAuthUrl;
   } else {
     app.auth.authenticationSteps = authenticationStepsWithoutAuthUrl;
   }
@@ -98,4 +99,65 @@ const authenticationStepsWithAuthUrl = [
   },
 ];
 
+const sharedAuthenticationStepsWithAuthUrl = [
+  {
+    type: 'mutation' as const,
+    name: 'createConnection',
+    arguments: [
+      {
+        name: 'key',
+        value: '{key}',
+      },
+      {
+        name: 'appAuthClientId',
+        value: '{appAuthClientId}',
+      },
+    ],
+  },
+  {
+    type: 'mutation' as const,
+    name: 'generateAuthUrl',
+    arguments: [
+      {
+        name: 'id',
+        value: '{createConnection.id}',
+      },
+    ],
+  },
+  {
+    type: 'openWithPopup' as const,
+    name: 'openAuthPopup',
+    arguments: [
+      {
+        name: 'url',
+        value: '{generateAuthUrl.url}',
+      },
+    ],
+  },
+  {
+    type: 'mutation' as const,
+    name: 'updateConnection',
+    arguments: [
+      {
+        name: 'id',
+        value: '{createConnection.id}',
+      },
+      {
+        name: 'formattedData',
+        value: '{openAuthPopup.all}',
+      },
+    ],
+  },
+  {
+    type: 'mutation' as const,
+    name: 'verifyConnection',
+    arguments: [
+      {
+        name: 'id',
+        value: '{createConnection.id}',
+      },
+    ],
+  },
+];
+
 export default addAuthenticationSteps;

packages/backend/src/helpers/add-reconnection-steps.ts

@@ -67,11 +67,21 @@ function addReconnectionSteps(app: IApp): IApp {
 
   if (hasReconnectionSteps) return app;
 
-  const updatedSteps = replaceCreateConnectionsWithUpdate(
-    app.auth.authenticationSteps
-  );
+  if (app.auth.authenticationSteps) {
+    const updatedSteps = replaceCreateConnectionsWithUpdate(
+      app.auth.authenticationSteps
+    );
 
-  app.auth.reconnectionSteps = [resetConnectionStep, ...updatedSteps];
+    app.auth.reconnectionSteps = [resetConnectionStep, ...updatedSteps];
+  }
+
+  if (app.auth.sharedAuthenticationSteps) {
+    const updatedStepsWithEmbeddedDefaults = replaceCreateConnectionsWithUpdate(
+      app.auth.sharedAuthenticationSteps
+    );
+
+    app.auth.sharedReconnectionSteps = [resetConnectionStep, ...updatedStepsWithEmbeddedDefaults];
+  }
 
   return app;
 }

packages/backend/src/models/app-auth-client.ts

@@ -0,0 +1,91 @@
+import { IJSONObject } from '@automatisch/types';
+import { AES, enc } from 'crypto-js';
+import { ModelOptions, QueryContext } from 'objection';
+import appConfig from '../config/app';
+import AppConfig from './app-config';
+import Base from './base';
+
+class AppAuthClient extends Base {
+  id!: string;
+  name: string;
+  active: boolean;
+  appConfigId!: string;
+  authDefaults: string;
+  formattedAuthDefaults?: IJSONObject;
+  appConfig?: AppConfig;
+
+  static tableName = 'app_auth_clients';
+
+  static jsonSchema = {
+    type: 'object',
+    required: ['name', 'appConfigId', 'formattedAuthDefaults'],
+
+    properties: {
+      id: { type: 'string', format: 'uuid' },
+      appConfigId: { type: 'string', format: 'uuid' },
+      active: { type: 'boolean' },
+      authDefaults: { type: ['string', 'null'] },
+      formattedAuthDefaults: { type: 'object' },
+      createdAt: { type: 'string' },
+      updatedAt: { type: 'string' },
+    },
+  };
+
+  static relationMappings = () => ({
+    appConfig: {
+      relation: Base.BelongsToOneRelation,
+      modelClass: AppConfig,
+      join: {
+        from: 'app_auth_clients.app_config_id',
+        to: 'app_configs.id',
+      },
+    },
+  });
+
+  encryptData(): void {
+    if (!this.eligibleForEncryption()) return;
+
+    this.authDefaults = AES.encrypt(
+      JSON.stringify(this.formattedAuthDefaults),
+      appConfig.encryptionKey
+    ).toString();
+
+    delete this.formattedAuthDefaults;
+  }
+  decryptData(): void {
+    if (!this.eligibleForDecryption()) return;
+
+    this.formattedAuthDefaults = JSON.parse(
+      AES.decrypt(this.authDefaults, appConfig.encryptionKey).toString(enc.Utf8)
+    );
+  }
+
+  eligibleForEncryption(): boolean {
+    return this.formattedAuthDefaults ? true : false;
+  }
+
+  eligibleForDecryption(): boolean {
+    return this.authDefaults ? true : false;
+  }
+
+  // TODO: Make another abstraction like beforeSave instead of using
+  // beforeInsert and beforeUpdate separately for the same operation.
+  async $beforeInsert(queryContext: QueryContext): Promise<void> {
+    await super.$beforeInsert(queryContext);
+    this.encryptData();
+  }
+
+  async $beforeUpdate(
+    opt: ModelOptions,
+    queryContext: QueryContext
+  ): Promise<void> {
+    await super.$beforeUpdate(opt, queryContext);
+    this.encryptData();
+  }
+
+  async $afterFind(): Promise<void> {
+    this.decryptData();
+  }
+}
+
+export default AppAuthClient;

packages/backend/src/models/app-config.ts

@@ -0,0 +1,70 @@
+import App from './app';
+import Base from './base';
+import AppAuthClient from './app-auth-client';
+
+class AppConfig extends Base {
+  id!: string;
+  key!: string;
+  allowCustomConnection: boolean;
+  shared: boolean;
+  disabled: boolean;
+  app?: App;
+  appAuthClients?: AppAuthClient[];
+
+  static tableName = 'app_configs';
+
+  static jsonSchema = {
+    type: 'object',
+    required: ['key'],
+
+    properties: {
+      id: { type: 'string', format: 'uuid' },
+      key: { type: 'string' },
+      allowCustomConnection: { type: 'boolean', default: false },
+      shared: { type: 'boolean', default: false },
+      disabled: { type: 'boolean', default: false },
+    },
+  };
+
+  static get virtualAttributes() {
+    return ['canConnect', 'canCustomConnect'];
+  }
+
+  static relationMappings = () => ({
+    appAuthClients: {
+      relation: Base.HasManyRelation,
+      modelClass: AppAuthClient,
+      join: {
+        from: 'app_configs.id',
+        to: 'app_auth_clients.app_config_id',
+      },
+    },
+  });
+
+  get canCustomConnect() {
+    return !this.disabled && this.allowCustomConnection;
+  }
+
+  get canConnect() {
+    const hasSomeActiveAppAuthClients = !!this.appAuthClients
+      ?.some(appAuthClient => appAuthClient.active);
+    const shared = this.shared;
+    const active = this.disabled === false;
+
+    const conditions = [
+      hasSomeActiveAppAuthClients,
+      shared,
+      active
+    ];
+
+    return conditions.every(Boolean);
+  }
+
+  async getApp() {
+    if (!this.key) return null;
+
+    return await App.findOneByKey(this.key);
+  }
+}
+
+export default AppConfig;

packages/backend/src/models/connection.ts

@@ -3,6 +3,8 @@ import type { RelationMappings } from 'objection';
 import { AES, enc } from 'crypto-js';
 import { IRequest } from '@automatisch/types';
 import App from './app';
+import AppConfig from './app-config';
+import AppAuthClient from './app-auth-client';
 import Base from './base';
 import User from './user';
 import Step from './step';
@@ -25,6 +27,9 @@ class Connection extends Base {
   user?: User;
   steps?: Step[];
   triggerSteps?: Step[];
+  appAuthClientId?: string;
+  appAuthClient?: AppAuthClient;
+  appConfig?: AppConfig;
 
   static tableName = 'connections';
 
@@ -38,6 +43,7 @@ class Connection extends Base {
       data: { type: 'string' },
       formattedData: { type: 'object' },
       userId: { type: 'string', format: 'uuid' },
+      appAuthClientId: { type: 'string', format: 'uuid' },
       verified: { type: 'boolean', default: false },
       draft: { type: 'boolean' },
       deletedAt: { type: 'string' },
@@ -46,6 +52,10 @@ class Connection extends Base {
     },
   };
 
+  static get virtualAttributes() {
+    return ['reconnectable'];
+  }
+
   static relationMappings = (): RelationMappings => ({
     user: {
       relation: Base.BelongsToOneRelation,
@@ -74,8 +84,36 @@ class Connection extends Base {
         builder.where('type', '=', 'trigger');
       },
     },
+    appConfig: {
+      relation: Base.BelongsToOneRelation,
+      modelClass: AppConfig,
+      join: {
+        from: 'connections.key',
+        to: 'app_configs.key',
+      },
+    },
+    appAuthClient: {
+      relation: Base.BelongsToOneRelation,
+      modelClass: AppAuthClient,
+      join: {
+        from: 'connections.app_auth_client_id',
+        to: 'app_auth_clients.id',
+      },
+    },
   });
 
+  get reconnectable() {
+    if (this.appAuthClientId) {
+      return this.appAuthClient.active;
+    }
+
+    if (this.appConfig) {
+      return !this.appConfig.disabled && this.appConfig.allowCustomConnection;
+    }
+
+    return true;
+  }
+
   encryptData(): void {
     if (!this.eligibleForEncryption()) return;
 

packages/backend/src/models/user.ts

@@ -294,6 +294,7 @@ class User extends Base {
     if (Array.isArray(this.permissions)) {
       this.permissions = this.permissions.filter((permission) => {
         const restrictedSubjects = [
+          'App',
           'Role',
           'SamlAuthProvider',
           'Config',