fix(sap_s4hana): ignore tokenUrl on cloud_public to prevent UAA redirection

Why: resolveTokenUrl previously honored caller-supplied tokenUrl
regardless of deploymentType, mirroring the same redirection class as
the prior baseUrl bug. A cloud_public caller could send tokenUrl to an
attacker host, causing the proxy to POST clientId:clientSecret as Basic
auth to it. superRefine for cloud_public did not validate tokenUrl.

Fix: derive UAA URL from subdomain+region for cloud_public; only honor
tokenUrl for cloud_private/on_premise (already SSRF-checked).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/tools/sap_s4hana/proxy/route.ts

@@ -281,8 +281,13 @@ function assertSafeExternalUrl(rawUrl: string, label: string): URL {
 }
 
 function resolveTokenUrl(req: ProxyRequest): string {
-  if (req.tokenUrl) return req.tokenUrl
-  return `https://${req.subdomain}.authentication.${req.region}.hana.ondemand.com/oauth/token`
+  if (req.deploymentType === 'cloud_public') {
+    return `https://${req.subdomain}.authentication.${req.region}.hana.ondemand.com/oauth/token`
+  }
+  if (!req.tokenUrl) {
+    throw new Error('tokenUrl is required for OAuth on cloud_private/on_premise')
+  }
+  return req.tokenUrl
 }
 
 function tokenCacheKey(req: ProxyRequest): string {