fix credential set system

Author: icecrasher321

apps/sim/app/api/auth/oauth/token/route.ts

@@ -71,17 +71,23 @@ export async function POST(request: NextRequest) {
         providerId,
       })
 
-      const accessToken = await getOAuthToken(credentialAccountUserId, providerId)
-      if (!accessToken) {
-        return NextResponse.json(
-          {
-            error: `No credential found for user ${credentialAccountUserId} and provider ${providerId}`,
-          },
-          { status: 404 }
-        )
-      }
+      try {
+        const accessToken = await getOAuthToken(credentialAccountUserId, providerId)
+        if (!accessToken) {
+          return NextResponse.json(
+            {
+              error: `No credential found for user ${credentialAccountUserId} and provider ${providerId}`,
+            },
+            { status: 404 }
+          )
+        }
 
-      return NextResponse.json({ accessToken }, { status: 200 })
+        return NextResponse.json({ accessToken }, { status: 200 })
+      } catch (error) {
+        const message = error instanceof Error ? error.message : 'Failed to get OAuth token'
+        logger.warn(`[${requestId}] OAuth token error: ${message}`)
+        return NextResponse.json({ error: message }, { status: 403 })
+      }
     }
 
     if (!credentialId) {
@@ -170,7 +176,6 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
     }
 
-    // Get the credential from the database
     const credential = await getCredential(requestId, credentialId, auth.userId)
 
     if (!credential) {

apps/sim/app/api/auth/oauth/utils.ts

@@ -105,10 +105,10 @@ export async function getOAuthToken(userId: string, providerId: string): Promise
       refreshToken: account.refreshToken,
       accessTokenExpiresAt: account.accessTokenExpiresAt,
       idToken: account.idToken,
+      scope: account.scope,
     })
     .from(account)
     .where(and(eq(account.userId, userId), eq(account.providerId, providerId)))
-    // Always use the most recently updated credential for this provider
     .orderBy(desc(account.updatedAt))
     .limit(1)
 
@@ -347,6 +347,8 @@ export async function getCredentialsForCredentialSet(
   credentialSetId: string,
   providerId: string
 ): Promise<CredentialSetCredential[]> {
+  logger.info(`Getting credentials for credential set ${credentialSetId}, provider ${providerId}`)
+
   const members = await db
     .select({ userId: credentialSetMember.userId })
     .from(credentialSetMember)
@@ -357,12 +359,15 @@ export async function getCredentialsForCredentialSet(
       )
     )
 
+  logger.info(`Found ${members.length} active members in credential set ${credentialSetId}`)
+
   if (members.length === 0) {
     logger.warn(`No active members found for credential set ${credentialSetId}`)
     return []
   }
 
   const userIds = members.map((m) => m.userId)
+  logger.debug(`Member user IDs: ${userIds.join(', ')}`)
 
   const credentials = await db
     .select({
@@ -376,6 +381,10 @@ export async function getCredentialsForCredentialSet(
     .from(account)
     .where(and(inArray(account.userId, userIds), eq(account.providerId, providerId)))
 
+  logger.info(
+    `Found ${credentials.length} credentials with provider ${providerId} for ${members.length} members`
+  )
+
   const results: CredentialSetCredential[] = []
 
   for (const cred of credentials) {

apps/sim/app/api/credential-sets/[id]/members/route.ts

@@ -1,9 +1,10 @@
 import { db } from '@sim/db'
-import { credentialSet, credentialSetMember, member, user } from '@sim/db/schema'
+import { account, credentialSet, credentialSetMember, member, user } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq } from 'drizzle-orm'
+import { and, eq, inArray } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
+import { syncAllWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
 
 const logger = createLogger('CredentialSetMembers')
 
@@ -12,6 +13,8 @@ async function getCredentialSetWithAccess(credentialSetId: string, userId: strin
     .select({
       id: credentialSet.id,
       organizationId: credentialSet.organizationId,
+      type: credentialSet.type,
+      providerId: credentialSet.providerId,
     })
     .from(credentialSet)
     .where(eq(credentialSet.id, credentialSetId))
@@ -59,7 +62,58 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id:
     .leftJoin(user, eq(credentialSetMember.userId, user.id))
     .where(eq(credentialSetMember.credentialSetId, id))
 
-  return NextResponse.json({ members })
+  // Get credentials for all active members
+  const activeMembers = members.filter((m) => m.status === 'active')
+  const memberUserIds = activeMembers.map((m) => m.userId)
+
+  let credentials: { userId: string; providerId: string; accountId: string }[] = []
+  if (memberUserIds.length > 0) {
+    // If credential set is for a specific provider, filter by that provider
+    if (result.set.type === 'specific' && result.set.providerId) {
+      credentials = await db
+        .select({
+          userId: account.userId,
+          providerId: account.providerId,
+          accountId: account.accountId,
+        })
+        .from(account)
+        .where(
+          and(inArray(account.userId, memberUserIds), eq(account.providerId, result.set.providerId))
+        )
+    } else {
+      credentials = await db
+        .select({
+          userId: account.userId,
+          providerId: account.providerId,
+          accountId: account.accountId,
+        })
+        .from(account)
+        .where(inArray(account.userId, memberUserIds))
+    }
+  }
+
+  // Group credentials by userId
+  const credentialsByUser = credentials.reduce(
+    (acc, cred) => {
+      if (!acc[cred.userId]) {
+        acc[cred.userId] = []
+      }
+      acc[cred.userId].push({
+        providerId: cred.providerId,
+        accountId: cred.accountId,
+      })
+      return acc
+    },
+    {} as Record<string, { providerId: string; accountId: string }[]>
+  )
+
+  // Attach credentials to members
+  const membersWithCredentials = members.map((m) => ({
+    ...m,
+    credentials: credentialsByUser[m.userId] || [],
+  }))
+
+  return NextResponse.json({ members: membersWithCredentials })
 }
 
 export async function DELETE(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
@@ -106,6 +160,17 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
       userId: session.user.id,
     })
 
+    try {
+      const requestId = crypto.randomUUID().slice(0, 8)
+      const syncResult = await syncAllWebhooksForCredentialSet(id, requestId)
+      logger.info('Synced webhooks after member removed', {
+        credentialSetId: id,
+        ...syncResult,
+      })
+    } catch (syncError) {
+      logger.error('Error syncing webhooks after member removed', syncError)
+    }
+
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error('Error removing member from credential set', error)

apps/sim/app/api/credential-sets/[id]/route.ts

@@ -20,6 +20,8 @@ async function getCredentialSetWithAccess(credentialSetId: string, userId: strin
       organizationId: credentialSet.organizationId,
       name: credentialSet.name,
       description: credentialSet.description,
+      type: credentialSet.type,
+      providerId: credentialSet.providerId,
       createdBy: credentialSet.createdBy,
       createdAt: credentialSet.createdAt,
       updatedAt: credentialSet.updatedAt,

apps/sim/app/api/credential-sets/invitations/route.ts

@@ -1,7 +1,7 @@
 import { db } from '@sim/db'
 import { credentialSet, credentialSetInvitation, organization, user } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq, gt, or } from 'drizzle-orm'
+import { and, eq, gt, isNull, or } from 'drizzle-orm'
 import { NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 
@@ -37,7 +37,7 @@ export async function GET() {
         and(
           or(
             eq(credentialSetInvitation.email, session.user.email),
-            eq(credentialSetInvitation.email, null)
+            isNull(credentialSetInvitation.email)
           ),
           eq(credentialSetInvitation.status, 'pending'),
           gt(credentialSetInvitation.expiresAt, new Date())

apps/sim/app/api/credential-sets/invite/[token]/route.ts

@@ -9,6 +9,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
+import { syncAllWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
 
 const logger = createLogger('CredentialSetInviteToken')
 
@@ -133,12 +134,45 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ tok
       })
       .where(eq(credentialSetInvitation.id, invitation.id))
 
+    // Clean up all other pending invitations for the same credential set and email
+    // This prevents duplicate invites from showing up after accepting one
+    if (invitation.email) {
+      await db
+        .update(credentialSetInvitation)
+        .set({
+          status: 'accepted',
+          acceptedAt: now,
+          acceptedByUserId: session.user.id,
+        })
+        .where(
+          and(
+            eq(credentialSetInvitation.credentialSetId, invitation.credentialSetId),
+            eq(credentialSetInvitation.email, invitation.email),
+            eq(credentialSetInvitation.status, 'pending')
+          )
+        )
+    }
+
     logger.info('Accepted credential set invitation', {
       invitationId: invitation.id,
       credentialSetId: invitation.credentialSetId,
       userId: session.user.id,
     })
 
+    try {
+      const requestId = crypto.randomUUID().slice(0, 8)
+      const syncResult = await syncAllWebhooksForCredentialSet(
+        invitation.credentialSetId,
+        requestId
+      )
+      logger.info('Synced webhooks after member joined', {
+        credentialSetId: invitation.credentialSetId,
+        ...syncResult,
+      })
+    } catch (syncError) {
+      logger.error('Error syncing webhooks after member joined', syncError)
+    }
+
     return NextResponse.json({
       success: true,
       credentialSetId: invitation.credentialSetId,

apps/sim/app/api/credential-sets/route.ts

@@ -8,11 +8,18 @@ import { getSession } from '@/lib/auth'
 
 const logger = createLogger('CredentialSets')
 
-const createCredentialSetSchema = z.object({
-  organizationId: z.string().min(1),
-  name: z.string().trim().min(1).max(100),
-  description: z.string().max(500).optional(),
-})
+const createCredentialSetSchema = z
+  .object({
+    organizationId: z.string().min(1),
+    name: z.string().trim().min(1).max(100),
+    description: z.string().max(500).optional(),
+    type: z.enum(['all', 'specific']).default('all'),
+    providerId: z.string().min(1).optional(),
+  })
+  .refine((data) => data.type !== 'specific' || data.providerId, {
+    message: 'providerId is required when type is specific',
+    path: ['providerId'],
+  })
 
 export async function GET(req: Request) {
   const session = await getSession()
@@ -43,6 +50,8 @@ export async function GET(req: Request) {
       id: credentialSet.id,
       name: credentialSet.name,
       description: credentialSet.description,
+      type: credentialSet.type,
+      providerId: credentialSet.providerId,
       createdBy: credentialSet.createdBy,
       createdAt: credentialSet.createdAt,
       updatedAt: credentialSet.updatedAt,
@@ -85,7 +94,8 @@ export async function POST(req: Request) {
 
   try {
     const body = await req.json()
-    const { organizationId, name, description } = createCredentialSetSchema.parse(body)
+    const { organizationId, name, description, type, providerId } =
+      createCredentialSetSchema.parse(body)
 
     const membership = await db
       .select({ id: member.id, role: member.role })
@@ -129,6 +139,8 @@ export async function POST(req: Request) {
       organizationId,
       name,
       description: description || null,
+      type,
+      providerId: type === 'specific' ? providerId : null,
       createdBy: session.user.id,
       createdAt: now,
       updatedAt: now,