fix(box): populate OAuth scopes for Box since token response omits them

Box's OAuth2 token endpoint does not return a scope field in the response, so Better Auth stores nothing in the DB. This causes the credential selector to always show "Additional permissions required". Fix by populating the scope from the requested scopes in the account.create.before hook. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-06 03:00:16 -04:00 · 2026-03-18 22:52:47 -07:00
parent 17723bb44c
commit 1e16fa975d
1 changed files with 10 additions and 0 deletions
--- a/apps/sim/lib/auth/auth.ts
+++ b/apps/sim/lib/auth/auth.ts
@@ -211,6 +211,16 @@ export const auth = betterAuth({
            modifiedAccount.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
          }

+          // Box token response does not include a scope field, so Better Auth
+          // stores nothing. Populate it from the requested scopes so the
+          // credential-selector can verify permissions.
+          if (account.providerId === 'box' && !account.scope) {
+            const requestedScopes = getCanonicalScopesForProvider('box')
+            if (requestedScopes.length > 0) {
+              modifiedAccount.scope = requestedScopes.join(' ')
+            }
+          }
+
          return { data: modifiedAccount }
        },
        after: async (account) => {