feat(integrations): add support for salesforce cdp (#3363)

## Describe the problem and your solution 
Add support for Saleforce Data Cloud

<!-- Issue ticket number and link (if applicable) -->

## Testing instructions (skip if just adding/editing providers)
Here’s a more grammatically polished version:

This provider supports the `TWO_STEP` authentication mode but requires
some changes to fully implement it. Specifically, a second request is
needed after obtaining the initial `access_token` from Salesforce to
generate the Salesforce Data Cloud (CDP) `access_token`. Since I
couldn't test this locally with Data Cloud, I created a mock server to
simulate responses from both Salesforce and Data Cloud, similar to the
approach with Perimeter81. The process of generating the encoded JWT
(assertion) is somewhat technical for users, so I also included a script
to enable offline generation, as we did with SharePoint Online v1.

---------

Co-authored-by: Samuel Bodin <1637651+bodinsamuel@users.noreply.github.com>

docs-v2/integrations/all/salesforce-cdp.mdx

@@ -0,0 +1,58 @@
+---
+title: Salesforce (Data Cloud)
+sidebarTitle: Salesforce (Data Cloud)
+provider: salesforce-cdp
+---
+
+import Overview from "/snippets/overview.mdx";
+import PreBuiltTooling from "/snippets/generated/salesforce-cdp/PreBuiltTooling.mdx";
+
+import PreBuiltUseCases from "/snippets/generated/salesforce-cdp/PreBuiltUseCases.mdx"
+
+<Overview />
+<PreBuiltTooling />
+<PreBuiltUseCases />
+
+## Access requirements
+| Pre-Requisites | Status | Comment|
+| - | - | - |
+| Paid dev account | ❓ |  |
+| Paid test account | ✅ | Requires an active Salesforce Data Cloud subscription. |
+| Partnership | ❓ | |
+| App review | ❓ |  |
+| Security audit | ❓ | |
+
+
+## Setup guide
+
+_No setup guide yet._
+
+<Tip>Need help getting started? Get help in the [community](https://nango.dev/slack).</Tip>
+
+<Note>Contribute improvements to the setup guide by [editing this page](https://github.com/nangohq/nango/tree/master/docs-v2/integrations/all/salesforce.mdx)</Note>
+
+
+## Useful links
+-   [Salesforce Data Cloud OAuth documentation](https://developer.salesforce.com/docs/marketing/marketing-cloud-growth/guide/mc-connect-apis-data-cloud.html)
+-   [Web API docs (their REST API)](https://developer.salesforce.com/docs/marketing/marketing-cloud-growth/references/mc-summary/mc-summary.html)
+
+<Note>Contribute useful links by [editing this page](https://github.com/nangohq/nango/tree/master/docs-v2/integrations/all/salesforce-cdp.mdx)</Note>
+
+## Connection Configuration in Nango
+
+-   Salesforce (Data Cloud) uses a different API base URL, called the `instance_url`, for each customer.
+
+-   Nango automatically retrieves the `instance_url` (e.g. `https://yourInstance.salesforce.com/`) from Salesforce and stores it in the [Connection config](/guides/api-authorization/authorize-in-your-app-default-ui#apis-requiring-connection-specific-configuration-for-authorization) for you.
+
+-   If you use the Nango Proxy, it is automatically using the correct API base URL. But, if needed, you can retrieve the `instance_url` with the [backend SDK](/reference/sdks/node#get-a-connection-with-credentials) or [Connections API](/reference/api/connection/get).
+
+## API gotchas
+
+<Note>Contribute API gotchas by [editing this page](https://github.com/nangohq/nango/tree/master/docs-v2/integrations/all/salesforce-cdp.mdx)</Note>
+
+## Going further
+
+<Card title="Connect to Salesforce (Data Cloud)" icon="link" href="/integrations/all/salesforce-cdp/connect" horizontal>
+  Guide to connect to Salesforce (Data Cloud) using Connect UI
+</Card>
+

docs-v2/integrations/all/salesforce-cdp/connect.mdx

@@ -0,0 +1,118 @@
+---
+title: Salesforce (Data Cloud) - How do I link my account?
+sidebarTitle: Salesforce (Data Cloud)
+---
+
+# Overview
+
+To authenticate with Salesforce (Data Cloud), you need:
+1. **Encoded JWT** -  A unique string that enables client applications to access Salesforce (Data Cloud) resources without requiring users to provide their credentials.
+
+This guide will walk you through generating your encoded JWT within Salesforce.
+
+### Prerequisites:
+
+- You must have a Salesforce account with an active Data Cloud subscription.
+
+### Instructions:
+
+#### Step 1: Generating your Encoded JWT
+- Interacting with the Data Cloud API requires a signed digital certificate. You can use a private key and certificate issued by a certification authority. Alternatively, you can use OpenSSL to create a key and a self-signed digital certificate. Here's how to create a self-signed certificate with OpenSSL.
+1. Run the following command to generate a 2048-bit RSA private key:
+
+```
+openssl genrsa 2048 > host.key && chmod 400 host.key
+```
+2. Use the private key to sign a certificate. Enter details about the certificate, or press Enter at each prompt to accept the default value:
+```
+openssl req -new -x509 -nodes -sha256 -days 365 -key host.key -out host.crt
+```
+- Now that you have created the above signed certificate, you will now need to create an app in Salesforce and upload the above signed certificate.  
+3. Login to your salesforce account and In the Setup, in the Quick Find box, enter apps, and then select **App Manager**.
+<img src="/integrations/all/salesforce-cdp/app_manager.png" />
+4. Click **New Connected App**.
+5. For Connected App Name, enter an app name and your email address.
+6. Select **Enable OAuth Settings**.
+7. For **Callback URL**, enter `http://localhost:1717/OauthRedirect`.
+8. Select Use **digital signatures**, and then click **Browse**.
+9. Select your above self-signed certificate **(host.crt)**.
+10. Add the OAuth scopes that are necessary for your use case. For example, if your use case requires you to ingest content, add the **Manage Data Cloud Ingestion API data (cdp_ingest_api)** scope.
+11. Click **Save**.
+<img src="/integrations/all/salesforce-cdp/creating_app.png" />
+12. Click **Manage Consumer Details**.
+<img src="/integrations/all/salesforce-cdp/consumer_keys.png" />
+13. Copy the **Consumer Key** value. This value is also referred to as the **client ID**. You will use the client ID value when you are generaying your encoded (JWT) in the step below.
+8. Now that your certificate is registered with Salesforce, you need to generate an encoded JWT. You can use the code from the following script to generate your encoded JWT offline.
+```
+import { readFileSync } from 'fs';
+import jwt from 'jsonwebtoken';
+import readlineSync from 'readline-sync';
+
+const getUserInput = () => {
+  const clientId = readlineSync.question('Please enter your Salesforce client ID: ');
+  const username = readlineSync.question('Please enter your Salesforce username: ');
+  return { clientId, username };
+};
+
+const readPrivateKey = (path) => {
+  try {
+    return readFileSync(path, 'utf8');
+  } catch (error) {
+    console.error(`Error reading private key from ${path}:`, error);
+    throw error;
+  }
+};
+
+const createJwtClaims = (clientId, username) => {
+  const currentTime = Math.floor(Date.now() / 1000);
+  const expiry = currentTime + (10 * 365 * 24 * 60 * 60);
+
+  return {
+    iss: clientId,
+    sub: username,
+    aud: 'https://#.salesforce.com',
+    exp: expiry,
+  };
+};
+
+const generateJwtToken = (claims, privateKey) => {
+  try {
+    return jwt.sign(claims, privateKey, { algorithm: 'RS256' })
+  } catch (error) {
+    console.error('Error signing assertion:', error);
+    throw error;
+  }
+};
+
+const generateJwtAssertion = () => {
+  const { clientId, username } = getUserInput();
+  const privateKeyPath = 'host.key';
+
+  const privateKey = readPrivateKey(privateKeyPath);
+
+  const claims = createJwtClaims(clientId, username);
+
+  const token = generateJwtToken(claims, privateKey);
+
+  console.log('Generated Salesforce assertion:', token);
+};
+
+generateJwtAssertion();
+
+
+```
+- Run the script above in the same directory where your certificates were generated. It will prompt you for your **Client ID** obtained when creating a connected app and your **Username**, used when signing in to Salesforce. An encoded JWT will then be generated.
+
+**Note**: The generated **Encoded JWT** is valid for ten years. After this period, you will need to regenerate your encoded JWT and reauthenticate.
+
+#### Step 2: Enter credentials in the Connect UI
+
+Once you have your **Encoded JWT**:
+1. Open the form where you need to authenticate with Salesforce (Data Cloud).
+2. Enter your **Encoded JWT** in the designated field.
+3. Submit the form, and you should be successfully authenticated.
+
+<img src="/integrations/all/salesforce-cdp/form.png" style={{maxWidth: "450px" }}/>
+
+You are now connected to Salesforce (Data Cloud).
+

docs-v2/mint.json

@@ -535,6 +535,7 @@
                 "integrations/all/sage-intacct",
                 "integrations/all/salesforce",
                 "integrations/all/salesforce-experience-cloud",
+                "integrations/all/salesforce-cdp",
                 "integrations/all/salesforce-sandbox",
                 "integrations/all/salesloft",
                 "integrations/all/sap-concur",

docs-v2/snippets/generated/salesforce-cdp/PreBuiltTooling.mdx

@@ -0,0 +1,40 @@
+## Pre-built tooling
+<AccordionGroup>
+<Accordion title="✅ Authorization">
+| Tools | Status |
+| - | - |
+| Pre-built authorization (Two Step) | ✅ |
+| Pre-built authorization UI | ✅ |
+| Custom authorization UI | ✅ |
+| End-user authorization guide | ✅ |
+| Expired credentials detection | ✅ |
+</Accordion>
+<Accordion title="✅ Read & write data">
+| Tools | Status |
+| - | - |
+| Pre-built integrations | 🚫 (time to contribute: &lt;48h) |
+| API unification | ✅ |
+| 2-way sync | ✅ |
+| Webhooks from Nango on data modifications | ✅ |
+| Real-time webhooks from 3rd-party API | 🚫 (time to contribute: &lt;48h) |
+| Proxy requests | ✅ |
+</Accordion>
+<Accordion title="✅ Observability & data quality">
+| Tools | Status |
+| - | - |
+| HTTP request logging | ✅ |
+| End-to-type type safety | ✅ |
+| Data runtime validation | ✅ |
+| OpenTelemetry export | ✅ |
+| Slack alerts on errors | ✅ |
+| Integration status API | ✅ |
+</Accordion>
+<Accordion title="✅ Customization">
+| Tools | Status |
+| - | - |
+| Create or customize use-cases | ✅ |
+| Pre-configured pagination | 🚫 (time to contribute: &lt;48h) |
+| Pre-configured rate-limit handling | 🚫 (time to contribute: &lt;48h) |
+| Per-customer configurations | ✅ |
+</Accordion>
+</AccordionGroup>

docs-v2/snippets/generated/salesforce-cdp/PreBuiltUseCases.mdx

@@ -0,0 +1,5 @@
+## Pre-built integrations
+
+_No pre-built integration yet (time to contribute: <48h)_
+
+<Tip>Not seeing the integration you need? [Build your own](https://docs.nango.dev/guides/custom-integration-builder/overview) independently.</Tip>

packages/providers/providers.yaml

@@ -6610,7 +6610,44 @@ salesforce-experience-cloud:
             format: uri
             pattern: '^https?://.*$'
             automated: true
-
+salesforce-cdp:
+    display_name: Salesforce (Data Cloud)
+    categories:
+        - storage
+    auth_mode: TWO_STEP
+    token_url: https://#.salesforce.com/services/oauth2/token
+    body_format: form
+    token_params:
+        grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
+        assertion: ${credential.jwt}
+    token_headers:
+        content-type: application/x-www-form-urlencoded
+    additional_steps:
+        - body_format: form
+          token_params:
+              grant_type: urn:salesforce:grant-type:external:cdp
+              subject_token: ${step1.access_token}
+              subject_token_type: urn:ietf:params:oauth:token-type:access_token
+          token_headers:
+              content-type: application/x-www-form-urlencoded
+          token_url: ${step1.instance_url}/services/a360/token
+    token_response_metadata:
+        - instance_url
+    proxy:
+        base_url: ${connectionConfig.instance_url}
+    token_response:
+        token: access_token
+        token_expiration: expires_in
+        token_expiration_strategy: expireIn
+    docs: https://docs.nango.dev/integrations/all/salesforce-cdp
+    docs_connect: https://docs.nango.dev/integrations/all/salesforce-cdp/connect
+    credentials:
+        jwt:
+            type: string
+            title: Encoded JWT
+            description: This is your pre-generated, encoded JSON Web Token (JWT)
+            secret: true
+            doc_section: '#step-1-generating-your-encoded-jwt'
 sap-concur:
     display_name: SAP Concur
     categories:

packages/server/lib/controllers/auth/postTwoStep.ts

@@ -12,7 +12,8 @@ import {
     ErrorSourceEnum,
     LogActionEnum,
     getProvider,
-    linkConnection
+    linkConnection,
+    getConnectionMetadataFromTokenResponse
 } from '@nangohq/shared';
 import type { PostPublicTwoStepAuthorization, ProviderTwoStep } from '@nangohq/types';
 import type { LogContext } from '@nangohq/logs';
@@ -68,7 +69,7 @@ export const postPublicTwoStepAuthorization = asyncWrapper<PostPublicTwoStepAuth
     const bodyData: PostPublicTwoStepAuthorization['Body'] = val.data;
     const queryString: PostPublicTwoStepAuthorization['Querystring'] = queryStringVal.data;
     const { providerConfigKey }: PostPublicTwoStepAuthorization['Params'] = paramsVal.data;
-    const connectionConfig = queryString.params ? getConnectionConfig(queryString.params) : {};
+    let connectionConfig = queryString.params ? getConnectionConfig(queryString.params) : {};
     let connectionId = queryString.connection_id || connectionService.generateConnectionId();
     const hmac = 'hmac' in queryString ? queryString.hmac : undefined;
     const isConnectSession = res.locals['authType'] === 'connectSession';
@@ -154,6 +155,13 @@ export const postPublicTwoStepAuthorization = asyncWrapper<PostPublicTwoStepAuth
             return;
         }
 
+        const tokenMetadata = getConnectionMetadataFromTokenResponse(credentials.raw, provider);
+
+        connectionConfig = {
+            ...connectionConfig,
+            ...tokenMetadata
+        };
+
         const [updatedConnection] = await connectionService.upsertAuthConnection({
             connectionId,
             providerConfigKey,

packages/server/lib/controllers/oauth.controller.ts

@@ -7,7 +7,6 @@ import {
     getAdditionalAuthorizationParams,
     getConnectionMetadataFromCallbackRequest,
     missesInterpolationParam,
-    getConnectionMetadataFromTokenResponse,
     missesInterpolationParamInObject
 } from '../utils/utils.js';
 import type { ConnectionConfig, DBEnvironment, DBTeam, Provider, ProviderOAuth2 } from '@nangohq/types';
@@ -30,7 +29,8 @@ import {
     ErrorSourceEnum,
     interpolateObjectValues,
     getProvider,
-    linkConnection
+    linkConnection,
+    getConnectionMetadataFromTokenResponse
 } from '@nangohq/shared';
 import publisher from '../clients/publisher.client.js';
 import * as WSErrBuilder from '../utils/web-socket-error.js';

packages/server/lib/utils/utils.ts

@@ -81,46 +81,6 @@ export function getConnectionMetadataFromCallbackRequest(queryParams: any, provi
     return arr != null && arr.length > 0 ? (Object.fromEntries(arr) as Record<string, string>) : {};
 }
 
-/**
- * A helper function to extract the additional connection metadata returned from the Provider in the token response.
- * It can parse booleans or strings only
- */
-export function getConnectionMetadataFromTokenResponse(params: any, provider: Provider): Record<string, any> {
-    if (!params || !provider.token_response_metadata) {
-        return {};
-    }
-
-    const whitelistedKeys = provider.token_response_metadata;
-
-    const getValueFromDotNotation = (obj: any, key: string): any => {
-        return key.split('.').reduce((o, k) => (o && o[k] !== undefined ? o[k] : undefined), obj);
-    };
-
-    // Filter out non-strings, non-booleans & non-whitelisted keys.
-    const arr = Object.entries(params).filter(([k, v]) => {
-        const isStringValueOrBoolean = typeof v === 'string' || typeof v === 'boolean';
-        if (isStringValueOrBoolean && whitelistedKeys.includes(k)) {
-            return true;
-        }
-        // Check for dot notation keys
-        const dotNotationValue = getValueFromDotNotation(params, k);
-        return isStringValueOrBoolean && whitelistedKeys.includes(dotNotationValue);
-    });
-
-    // Add support for dot notation keys
-    const dotNotationArr = whitelistedKeys
-        .map((key) => {
-            const value = getValueFromDotNotation(params, key);
-            const isStringValueOrBoolean = typeof value === 'string' || typeof value === 'boolean';
-            return isStringValueOrBoolean ? [key, value] : null;
-        })
-        .filter(Boolean);
-
-    const combinedArr: [string, any][] = [...arr, ...dotNotationArr].filter((item) => item !== null) as [string, any][];
-
-    return combinedArr.length > 0 ? (Object.fromEntries(combinedArr) as Record<string, any>) : {};
-}
-
 export function parseConnectionConfigParamsFromTemplate(provider: Provider): string[] {
     if (
         provider.token_url ||