fix(credentials): address review feedback on Atlassian SA

- SSRF: only accept *.atlassian.net / *.jira-dev.com hosts before fetching
  tenant_info, blocking probes against localhost/internal IPs
- Confluence spaces selector: pull cloudId from the SA secret instead of
  calling accessible-resources, which 401s for scoped service-account tokens
- Case-insensitive https?:// strip so HTTPS://team.atlassian.net normalizes
  correctly

Author: TheodoreSpeaks

apps/sim/app/api/auth/atlassian-service-account/route.ts

@@ -51,8 +51,30 @@ class DuplicateDisplayNameError extends Error {
   }
 }
 
+/**
+ * Atlassian Cloud sites are always served from `*.atlassian.net` (production)
+ * or `*.jira-dev.com` (Atlassian's developer sandbox). Anything else is either
+ * a typo (`atlassian.com`, `jira.com`), a Data Center hostname (which our
+ * gateway URL doesn't support), or — worse — an attempt to point this
+ * server-side fetch at internal infrastructure (`localhost`, `169.254.169.254`,
+ * `*.corp`). Restricting to the public Atlassian Cloud suffixes blocks SSRF
+ * at the boundary before any outbound request.
+ */
+const ATLASSIAN_CLOUD_HOST_REGEX =
+  /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.(?:atlassian\.net|jira-dev\.com)$/i
+
 function normalizeDomain(rawDomain: string): string {
-  return rawDomain.replace(/^https?:\/\//, '').replace(/\/+$/, '')
+  return rawDomain.replace(/^https?:\/\//i, '').replace(/\/+$/, '')
+}
+
+function assertAtlassianCloudHost(domain: string): void {
+  if (!ATLASSIAN_CLOUD_HOST_REGEX.test(domain)) {
+    throw new AtlassianValidationError('site_not_found', 400, {
+      step: 'host_validation',
+      domain,
+      reason: 'host is not an Atlassian Cloud site (expected *.atlassian.net)',
+    })
+  }
 }
 
 /**
@@ -90,6 +112,8 @@ async function validateAtlassianServiceAccount(
   apiToken: string,
   domain: string
 ): Promise<{ accountId: string; displayName: string; cloudId: string }> {
+  assertAtlassianCloudHost(domain)
+
   const tenantInfoRes = await fetch(`https://${domain}/_edge/tenant_info`, {
     headers: { Accept: 'application/json' },
   })

apps/sim/app/api/tools/confluence/selector-spaces/route.ts

@@ -6,7 +6,12 @@ import { authorizeCredentialUse } from '@/lib/auth/credential-access'
 import { validateJiraCloudId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { ATLASSIAN_SERVICE_ACCOUNT_PROVIDER_ID } from '@/lib/oauth/types'
+import {
+  getAtlassianServiceAccountSecret,
+  refreshAccessTokenIfNeeded,
+  resolveOAuthAccountId,
+} from '@/app/api/auth/oauth/utils'
 import { getConfluenceCloudId } from '@/tools/confluence/utils'
 import { parseAtlassianErrorMessage } from '@/tools/jira/utils'
 
@@ -55,7 +60,13 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       )
     }
 
-    const cloudId = await getConfluenceCloudId(domain, accessToken)
+    // Atlassian service-account scoped tokens cannot call accessible-resources, so we
+    // pull cloudId from the encrypted secret instead of discovering it at runtime.
+    const resolved = await resolveOAuthAccountId(credential)
+    const cloudId =
+      resolved?.providerId === ATLASSIAN_SERVICE_ACCOUNT_PROVIDER_ID && resolved.credentialId
+        ? (await getAtlassianServiceAccountSecret(resolved.credentialId)).cloudId
+        : await getConfluenceCloudId(domain, accessToken)
 
     const cloudIdValidation = validateJiraCloudId(cloudId, 'cloudId')
     if (!cloudIdValidation.isValid) {

apps/sim/app/workspace/[workspaceId]/settings/components/integrations/atlassian-service-account-form.tsx

@@ -47,7 +47,7 @@ const FALLBACK_ERROR_MESSAGE = "We couldn't add this service account. Try again
 function normalizeDomain(raw: string): string {
   return raw
     .trim()
-    .replace(/^https?:\/\//, '')
+    .replace(/^https?:\/\//i, '')
     .replace(/\/+$/, '')
 }