feat: add API key support for SPCS authentication

NEWS.md

@@ -1,5 +1,12 @@
 # rsconnect (development version)
 
+* SPCS/Snowflake authentication now properly supports API keys for user
+  identification. The `connectSPCSUser()` function now requires an `apiKey`
+  parameter, and the API key is included in the `X-RSC-Authorization` header
+  alongside Snowflake token authentication. This aligns with updated Connect
+  server requirements where Snowflake tokens provide proxied authentication
+  while API keys identify users to the Connect server itself.
+
 * `rsconnect` now sets the `rsconnect.max.bundle.size` and
   `rsconnect.max.bundle.files` options to their default values on startup
   if they have not yet been set. (#1204)

R/accounts.R

@@ -95,6 +95,11 @@ connectApiUser <- function(
 #' [`connections.toml` file](https://docs.snowflake.com/en/developer-guide/snowflake-cli/connecting/configure-cli#location-of-the-toml-configuration-fil)
 #' in the appropriate location.
 #'
+#' SPCS deployments require both Snowflake authentication (via the connection
+#' name) and a Posit Connect API key. The Snowflake token provides proxied
+#' authentication to reach the Connect server, while the API key identifies
+#' the user to Connect itself.
+#'
 #' Supported servers: Posit Connect servers
 #'
 #' @inheritParams connectApiUser
@@ -104,18 +109,20 @@ connectApiUser <- function(
 connectSPCSUser <- function(
   account = NULL,
   server = NULL,
+  apiKey,
   snowflakeConnectionName,
   quiet = FALSE
 ) {
   server <- findServer(server)
   checkConnectServer(server)
 
-  user <- getSPCSAuthedUser(server, snowflakeConnectionName)
+  user <- getSPCSAuthedUser(server, apiKey, snowflakeConnectionName)
 
   registerAccount(
     serverName = server,
     accountName = account %||% user$username,
     accountId = user$id,
+    apiKey = apiKey,
     snowflakeConnectionName = snowflakeConnectionName
   )
 
@@ -127,10 +134,11 @@ connectSPCSUser <- function(
   invisible()
 }
 
-getSPCSAuthedUser <- function(server, snowflakeConnectionName) {
+getSPCSAuthedUser <- function(server, apiKey, snowflakeConnectionName) {
   serverAddress <- serverInfo(server)
   account <- list(
     server = server,
+    apiKey = apiKey,
     snowflakeConnectionName = snowflakeConnectionName
   )
 

R/http.R

@@ -549,7 +549,13 @@ authHeaders <- function(authInfo, method, path, file = NULL) {
     list(`Authorization` = paste("Bearer", authInfo$accessToken))
   } else if (!is.null(authInfo$snowflakeToken)) {
     # snowflakeauth returns a list of named header values
-    authInfo$snowflakeToken
+    headers <- authInfo$snowflakeToken
+    # SPCS/Snowflake authentication requires the API key to be passed
+    # in the X-RSC-Authorization header in addition to the Snowflake token
+    if (!is.null(authInfo$apiKey)) {
+      headers$`X-RSC-Authorization` <- authInfo$apiKey
+    }
+    headers
   } else {
     # The value doesn't actually matter here, but the header needs to be set.
     list(`X-Auth-Token` = "anonymous-access")

tests/testthat/test-spcs.R

@@ -37,6 +37,25 @@ test_that("authHeaders handles snowflakeToken", {
   expect_equal(headers$`X-Custom-Header`, "custom-value")
 })
 
+test_that("authHeaders includes X-RSC-Authorization when both snowflakeToken and apiKey are present", {
+  # mock authInfo with both snowflakeToken and apiKey
+  authInfo <- list(
+    snowflakeToken = list(
+      Authorization = "Snowflake Token=\"mock_token\"",
+      `X-Custom-Header` = "custom-value"
+    ),
+    apiKey = "test-api-key-12345"
+  )
+
+  headers <- authHeaders(authInfo, "GET", "/path")
+
+  # Verify snowflakeToken headers were used
+  expect_equal(headers$Authorization, "Snowflake Token=\"mock_token\"")
+  expect_equal(headers$`X-Custom-Header`, "custom-value")
+  # Verify API key was added to X-RSC-Authorization header
+  expect_equal(headers$`X-RSC-Authorization`, "test-api-key-12345")
+})
+
 test_that("registerAccount stores snowflakeConnectionName", {
   local_temp_config()
 
@@ -52,3 +71,21 @@ test_that("registerAccount stores snowflakeConnectionName", {
   info <- accountInfo("testuser", "example.com")
   expect_equal(info$snowflakeConnectionName, "test_connection")
 })
+
+test_that("registerAccount stores both apiKey and snowflakeConnectionName for SPCS accounts", {
+  local_temp_config()
+
+  # Register an SPCS account with both apiKey and snowflakeConnectionName
+  registerAccount(
+    serverName = "spcs.example.com",
+    accountName = "spcsuser",
+    accountId = "user456",
+    apiKey = "test-api-key-789",
+    snowflakeConnectionName = "spcs_connection"
+  )
+
+  # Check the account info has both fields
+  info <- accountInfo("spcsuser", "spcs.example.com")
+  expect_equal(info$snowflakeConnectionName, "spcs_connection")
+  expect_equal(info$apiKey, "test-api-key-789")
+})