perf(credentials): single-resolve in confluence spaces selector

TheodoreSpeaks · TheodoreSpeaks · commit 02a993ad072b · 2026-05-05T10:16:54.000-07:00
Atlassian SAs were hitting resolveOAuthAccountId twice (once via
refreshAccessTokenIfNeeded, once directly to read cloudId) and
decrypting the secret twice (via getAtlassianServiceAccountToken
inside refresh, then again via getAtlassianServiceAccountSecret).

Resolve once up front and branch the whole flow on the result —
SA path skips refresh entirely and pulls token+cloudId from a
single secret read.
diff --git a/apps/sim/app/api/tools/confluence/selector-spaces/route.ts b/apps/sim/app/api/tools/confluence/selector-spaces/route.ts
@@ -44,30 +44,40 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
     }
 
-    const accessToken = await refreshAccessTokenIfNeeded(
-      credential,
-      authz.credentialOwnerUserId,
-      requestId
-    )
-    if (!accessToken) {
-      logger.error('Failed to get access token', {
-        credentialId: credential,
-        userId: authz.credentialOwnerUserId,
-      })
-      return NextResponse.json(
-        { error: 'Could not retrieve access token', authRequired: true },
-        { status: 401 }
+    // Resolve once so we know whether this is an Atlassian SA credential before
+    // doing any token / cloudId work. Atlassian SAs short-circuit the entire path:
+    // the API token IS the access token, and cloudId lives in the encrypted secret —
+    // so we skip refreshAccessTokenIfNeeded (avoids a redundant resolve+decrypt) and
+    // skip getConfluenceCloudId (which 401s for scoped SA tokens).
+    const resolved = await resolveOAuthAccountId(credential)
+    const isAtlassianServiceAccount =
+      resolved?.providerId === ATLASSIAN_SERVICE_ACCOUNT_PROVIDER_ID && !!resolved.credentialId
+
+    let accessToken: string | null
+    let cloudId: string
+    if (isAtlassianServiceAccount) {
+      const secret = await getAtlassianServiceAccountSecret(resolved.credentialId!)
+      accessToken = secret.apiToken
+      cloudId = secret.cloudId
+    } else {
+      accessToken = await refreshAccessTokenIfNeeded(
+        credential,
+        authz.credentialOwnerUserId,
+        requestId
       )
+      if (!accessToken) {
+        logger.error('Failed to get access token', {
+          credentialId: credential,
+          userId: authz.credentialOwnerUserId,
+        })
+        return NextResponse.json(
+          { error: 'Could not retrieve access token', authRequired: true },
+          { status: 401 }
+        )
+      }
+      cloudId = await getConfluenceCloudId(domain, accessToken)
     }
 
-    // Atlassian service-account scoped tokens cannot call accessible-resources, so we
-    // pull cloudId from the encrypted secret instead of discovering it at runtime.
-    const resolved = await resolveOAuthAccountId(credential)
-    const cloudId =
-      resolved?.providerId === ATLASSIAN_SERVICE_ACCOUNT_PROVIDER_ID && resolved.credentialId
-        ? (await getAtlassianServiceAccountSecret(resolved.credentialId)).cloudId
-        : await getConfluenceCloudId(domain, accessToken)
-
     const cloudIdValidation = validateJiraCloudId(cloudId, 'cloudId')
     if (!cloudIdValidation.isValid) {
       return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
