fix(mcp): compare decrypted plaintext for OAuth client secret change

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/mcp/servers/[id]/route.ts

@@ -6,7 +6,7 @@ import { toError } from '@sim/utils/errors'
 import { and, eq, isNull } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { updateMcpServerBodySchema } from '@/lib/api/contracts/mcp'
-import { encryptSecret } from '@/lib/core/security/encryption'
+import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import {
   McpDnsResolutionError,
@@ -140,11 +140,18 @@ export const PATCH = withRouteHandler(
         const urlChanged = body.url !== undefined && currentServer?.url !== body.url
         const clientIdChanged =
           body.oauthClientId !== undefined && currentServer?.oauthClientId !== body.oauthClientId
-        const clientSecretChanged =
-          oauthClientSecret !== undefined &&
-          (oauthClientSecret
-            ? finalUpdateData.oauthClientSecret !== currentServer?.oauthClientSecret
-            : currentServer?.oauthClientSecret !== null)
+        let clientSecretChanged = false
+        if (oauthClientSecret !== undefined) {
+          if (!oauthClientSecret) {
+            clientSecretChanged = currentServer?.oauthClientSecret != null
+          } else if (!currentServer?.oauthClientSecret) {
+            clientSecretChanged = true
+          } else {
+            const currentPlaintext = (await decryptSecret(currentServer.oauthClientSecret))
+              .decrypted
+            clientSecretChanged = currentPlaintext !== oauthClientSecret
+          }
+        }
         const oauthCredsChanged = clientIdChanged || clientSecretChanged
 
         if (urlChanged || oauthCredsChanged) {