Address bugbot

apps/sim/app/api/auth/oauth/utils.ts

@@ -227,19 +227,13 @@ export async function safeAccountInsert(
 }
 
 /**
- * Get a credential by ID and verify it belongs to the user
+ * Get a credential by resolved account ID and verify it belongs to the user.
  */
-export async function getCredential(requestId: string, credentialId: string, userId: string) {
-  const resolved = await resolveOAuthAccountId(credentialId)
-  if (!resolved) {
-    logger.warn(`[${requestId}] Credential is not an OAuth credential`)
-    return undefined
-  }
-
+async function getCredentialByAccountId(requestId: string, accountId: string, userId: string) {
   const credentials = await db
     .select()
     .from(account)
-    .where(and(eq(account.id, resolved.accountId), eq(account.userId, userId)))
+    .where(and(eq(account.id, accountId), eq(account.userId, userId)))
     .limit(1)
 
   if (!credentials.length) {
@@ -249,10 +243,22 @@ export async function getCredential(requestId: string, credentialId: string, use
 
   return {
     ...credentials[0],
-    resolvedCredentialId: resolved.accountId,
+    resolvedCredentialId: accountId,
   }
 }
 
+/**
+ * Get a credential by ID and verify it belongs to the user.
+ */
+export async function getCredential(requestId: string, credentialId: string, userId: string) {
+  const resolved = await resolveOAuthAccountId(credentialId)
+  if (!resolved) {
+    logger.warn(`[${requestId}] Credential is not an OAuth credential`)
+    return undefined
+  }
+  return getCredentialByAccountId(requestId, resolved.accountId, userId)
+}
+
 export async function getOAuthToken(userId: string, providerId: string): Promise<string | null> {
   const connections = await db
     .select({
@@ -370,8 +376,8 @@ export async function refreshAccessTokenIfNeeded(
     return getServiceAccountToken(resolved.credentialId, scopes, impersonateEmail)
   }
 
-  // Get the credential directly using the getCredential helper
-  const credential = await getCredential(requestId, credentialId, userId)
+  // Use the already-resolved account ID to avoid a redundant resolveOAuthAccountId query
+  const credential = await getCredentialByAccountId(requestId, resolved.accountId, userId)
 
   if (!credential) {
     return null

apps/sim/app/api/credentials/[id]/route.ts

@@ -125,21 +125,22 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
       parseResult.data.serviceAccountJson !== undefined &&
       access.credential.type === 'service_account'
     ) {
+      let parsed: Record<string, unknown>
       try {
-        const parsed = JSON.parse(parseResult.data.serviceAccountJson)
-        if (
-          parsed.type !== 'service_account' ||
-          typeof parsed.client_email !== 'string' ||
-          typeof parsed.private_key !== 'string' ||
-          typeof parsed.project_id !== 'string'
-        ) {
-          return NextResponse.json({ error: 'Invalid service account JSON key' }, { status: 400 })
-        }
-        const { encrypted } = await encryptSecret(parseResult.data.serviceAccountJson)
-        updates.encryptedServiceAccountKey = encrypted
+        parsed = JSON.parse(parseResult.data.serviceAccountJson)
       } catch {
         return NextResponse.json({ error: 'Invalid JSON format' }, { status: 400 })
       }
+      if (
+        parsed.type !== 'service_account' ||
+        typeof parsed.client_email !== 'string' ||
+        typeof parsed.private_key !== 'string' ||
+        typeof parsed.project_id !== 'string'
+      ) {
+        return NextResponse.json({ error: 'Invalid service account JSON key' }, { status: 400 })
+      }
+      const { encrypted } = await encryptSecret(parseResult.data.serviceAccountJson)
+      updates.encryptedServiceAccountKey = encrypted
     }
 
     if (Object.keys(updates).length === 0) {