feat: SPCS authentication includes API key (#1248)

* Add API key support for SPCS authentication

SPCS (Snowpark Container Services) deployments require a dual
authentication model:
- Snowflake tokens provide proxied authentication to reach the server
- API keys identify the user to the Connect server itself

Changes:
- Updated authHeaders() to include X-RSC-Authorization header when both
  snowflakeToken and apiKey are present
- Added apiKey parameter to connectSPCSUser() function
- Updated getSPCSAuthedUser() to accept and use apiKey
- Store apiKey in account registration alongside snowflakeConnectionName
- Updated function documentation to explain the dual authentication model
- Added comprehensive test coverage for API key handling

This aligns with updated Connect server requirements for Snowflake SPCS
deployments and mirrors the authentication pattern in rsconnect-python.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Update NEWS.md for SPCS API key support

Document the addition of API key support for SPCS authentication,
including the breaking change to connectSPCSUser() which now requires
an apiKey parameter.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* api keys are secrets and not directly comparable

* spcs uses double auth; handle prior to api key handling

---------

Co-authored-by: Chris Ostrouchov <chris.ostrouchov@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>

Author: 3 people

NEWS.md

@@ -1,5 +1,12 @@
 # rsconnect (development version)
 
+* SPCS/Snowflake authentication supports Connect API keys for user
+  identification. The `connectSPCSUser()` function now requires an `apiKey`
+  parameter, and the API key is included in the `X-RSC-Authorization` header
+  alongside Snowflake token authentication. This aligns with updated Connect
+  server requirements where Snowflake tokens provide proxied authentication
+  while API keys identify users to the Connect server itself.
+
 # rsconnect 1.6.0
 
 * Support deploying to Posit Connect Cloud. Use `connectCloudUser()` to add

R/accounts.R

@@ -95,6 +95,11 @@ connectApiUser <- function(
 #' [`connections.toml` file](https://docs.snowflake.com/en/developer-guide/snowflake-cli/connecting/configure-cli#location-of-the-toml-configuration-fil)
 #' in the appropriate location.
 #'
+#' SPCS deployments require both Snowflake authentication (via the connection
+#' name) and a Posit Connect API key. The Snowflake token provides proxied
+#' authentication to reach the Connect server, while the API key identifies
+#' the user to Connect itself.
+#'
 #' Supported servers: Posit Connect servers
 #'
 #' @inheritParams connectApiUser
@@ -104,18 +109,20 @@ connectApiUser <- function(
 connectSPCSUser <- function(
   account = NULL,
   server = NULL,
+  apiKey,
   snowflakeConnectionName,
   quiet = FALSE
 ) {
   server <- findServer(server)
   checkConnectServer(server)
 
-  user <- getSPCSAuthedUser(server, snowflakeConnectionName)
+  user <- getSPCSAuthedUser(server, apiKey, snowflakeConnectionName)
 
   registerAccount(
     serverName = server,
     accountName = account %||% user$username,
     accountId = user$id,
+    apiKey = apiKey,
     snowflakeConnectionName = snowflakeConnectionName
   )
 
@@ -127,10 +134,11 @@ connectSPCSUser <- function(
   invisible()
 }
 
-getSPCSAuthedUser <- function(server, snowflakeConnectionName) {
+getSPCSAuthedUser <- function(server, apiKey, snowflakeConnectionName) {
   serverAddress <- serverInfo(server)
   account <- list(
     server = server,
+    apiKey = apiKey,
     snowflakeConnectionName = snowflakeConnectionName
   )
 

R/http.R

@@ -541,15 +541,21 @@ requestCertificate <- function(protocol, certificate = NULL) {
 }
 
 authHeaders <- function(authInfo, method, path, file = NULL) {
-  if (!is.null(authInfo$secret) || !is.null(authInfo$private_key)) {
+  if (!is.null(authInfo$snowflakeToken)) {
+    # snowflakeauth returns a list of named header values
+    headers <- authInfo$snowflakeToken
+    # The SPCS/Snowflake token is in the Authorization header and the Connect API key is passed
+    # using X-RSC-Authorization.
+    if (!is.null(authInfo$apiKey)) {
+      headers$`X-RSC-Authorization` <- paste("Key", authInfo$apiKey)
+    }
+    headers
+  } else if (!is.null(authInfo$secret) || !is.null(authInfo$private_key)) {
     signatureHeaders(authInfo, method, path, file)
   } else if (!is.null(authInfo$apiKey)) {
     list(`Authorization` = paste("Key", authInfo$apiKey))
   } else if (!is.null(authInfo$accessToken)) {
     list(`Authorization` = paste("Bearer", authInfo$accessToken))
-  } else if (!is.null(authInfo$snowflakeToken)) {
-    # snowflakeauth returns a list of named header values
-    authInfo$snowflakeToken
   } else {
     # The value doesn't actually matter here, but the header needs to be set.
     list(`X-Auth-Token` = "anonymous-access")

man/connectSPCSUser.Rd

@@ -255,20 +255,3 @@ test_that("rcf2616 returns an ASCII date and undoes changes to the locale", {
   expect_equal(date, "Mon, 01 Jan 2024 06:02:03 GMT")
   expect_equal(Sys.getlocale("LC_TIME"), old)
 })
-
-test_that("authHeaders handles snowflakeToken", {
-  # Create mock authInfo with snowflakeToken
-  authInfo <- list(
-    snowflakeToken = list(
-      Authorization = "Snowflake Token=\"mock_token\"",
-      `X-Custom-Header` = "custom-value"
-    )
-  )
-
-  # Test authHeaders
-  headers <- authHeaders(authInfo, "GET", "/path")
-
-  # Verify snowflakeToken headers were used
-  expect_equal(headers$Authorization, "Snowflake Token=\"mock_token\"")
-  expect_equal(headers$`X-Custom-Header`, "custom-value")
-})

tests/testthat/test-http.R

@@ -22,7 +22,6 @@ test_that("isSPCSServer correctly identifies Snowpark Container Services servers
 })
 
 test_that("authHeaders handles snowflakeToken", {
-  # mock authInfo with snowflakeToken
   authInfo <- list(
     snowflakeToken = list(
       Authorization = "Snowflake Token=\"mock_token\"",
@@ -32,8 +31,25 @@ test_that("authHeaders handles snowflakeToken", {
 
   headers <- authHeaders(authInfo, "GET", "/path")
 
+  expect_equal(headers$Authorization, "Snowflake Token=\"mock_token\"")
+  expect_equal(headers$`X-Custom-Header`, "custom-value")
+})
+
+test_that("authHeaders handles snowflakeToken with API key", {
+  authInfo <- list(
+    apiKey = secret("the-api-key"),
+    snowflakeToken = list(
+      Authorization = "Snowflake Token=\"mock_token\"",
+      `X-Custom-Header` = "custom-value"
+    )
+  )
+
+  # Test authHeaders
+  headers <- authHeaders(authInfo, "GET", "/path")
+
   # Verify snowflakeToken headers were used
   expect_equal(headers$Authorization, "Snowflake Token=\"mock_token\"")
+  expect_equal(headers$`X-RSC-Authorization`, "Key the-api-key")
   expect_equal(headers$`X-Custom-Header`, "custom-value")
 })
 
@@ -52,3 +68,21 @@ test_that("registerAccount stores snowflakeConnectionName", {
   info <- accountInfo("testuser", "example.com")
   expect_equal(info$snowflakeConnectionName, "test_connection")
 })
+
+test_that("registerAccount stores both apiKey and snowflakeConnectionName for SPCS accounts", {
+  local_temp_config()
+
+  # Register an SPCS account with both apiKey and snowflakeConnectionName
+  registerAccount(
+    serverName = "spcs.example.com",
+    accountName = "spcsuser",
+    accountId = "user456",
+    apiKey = "test-api-key-789",
+    snowflakeConnectionName = "spcs_connection"
+  )
+
+  # Check the account info has both fields
+  info <- accountInfo("spcsuser", "spcs.example.com")
+  expect_equal(info$snowflakeConnectionName, "spcs_connection")
+  expect_equal(as.character(info$apiKey), "test-api-key-789")
+})