Address comments

Author: Theodore Li

apps/sim/app/api/auth/oauth/credentials/route.ts

@@ -164,11 +164,14 @@ export async function GET(request: NextRequest) {
 
       if (platformCredential) {
         if (platformCredential.type === 'service_account') {
-          if (workflowId) {
-            if (!effectiveWorkspaceId || platformCredential.workspaceId !== effectiveWorkspaceId) {
-              return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-            }
-          } else {
+          if (
+            workflowId &&
+            (!effectiveWorkspaceId || platformCredential.workspaceId !== effectiveWorkspaceId)
+          ) {
+            return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+          }
+
+          if (!workflowId) {
             const [membership] = await db
               .select({ id: credentialMember.id })
               .from(credentialMember)

apps/sim/app/api/auth/oauth/token/route.test.ts

@@ -11,6 +11,8 @@ const {
   mockGetCredential,
   mockRefreshTokenIfNeeded,
   mockGetOAuthToken,
+  mockResolveOAuthAccountId,
+  mockGetServiceAccountToken,
   mockAuthorizeCredentialUse,
   mockCheckSessionOrInternalAuth,
   mockLogger,
@@ -29,6 +31,8 @@ const {
     mockGetCredential: vi.fn(),
     mockRefreshTokenIfNeeded: vi.fn(),
     mockGetOAuthToken: vi.fn(),
+    mockResolveOAuthAccountId: vi.fn(),
+    mockGetServiceAccountToken: vi.fn(),
     mockAuthorizeCredentialUse: vi.fn(),
     mockCheckSessionOrInternalAuth: vi.fn(),
     mockLogger: logger,
@@ -40,6 +44,8 @@ vi.mock('@/app/api/auth/oauth/utils', () => ({
   getCredential: mockGetCredential,
   refreshTokenIfNeeded: mockRefreshTokenIfNeeded,
   getOAuthToken: mockGetOAuthToken,
+  resolveOAuthAccountId: mockResolveOAuthAccountId,
+  getServiceAccountToken: mockGetServiceAccountToken,
 }))
 
 vi.mock('@sim/logger', () => ({
@@ -50,6 +56,10 @@ vi.mock('@/lib/auth/credential-access', () => ({
   authorizeCredentialUse: mockAuthorizeCredentialUse,
 }))
 
+vi.mock('@/lib/core/utils/request', () => ({
+  generateRequestId: vi.fn().mockReturnValue('test-request-id'),
+}))
+
 vi.mock('@/lib/auth/hybrid', () => ({
   AuthType: { SESSION: 'session', API_KEY: 'api_key', INTERNAL_JWT: 'internal_jwt' },
   checkHybridAuth: vi.fn(),
@@ -62,6 +72,7 @@ import { GET, POST } from '@/app/api/auth/oauth/token/route'
 describe('OAuth Token API Routes', () => {
   beforeEach(() => {
     vi.clearAllMocks()
+    mockResolveOAuthAccountId.mockResolvedValue(null)
   })
 
   /**

apps/sim/app/api/auth/oauth/token/route.ts

@@ -140,10 +140,9 @@ export async function POST(request: NextRequest) {
       }
 
       try {
-        const defaultScopes = ['https://www.googleapis.com/auth/cloud-platform']
         const accessToken = await getServiceAccountToken(
           resolved.credentialId,
-          scopes && scopes.length > 0 ? scopes : defaultScopes,
+          scopes ?? [],
           impersonateEmail
         )
         return NextResponse.json({ accessToken }, { status: 200 })

apps/sim/app/api/auth/oauth/utils.test.ts

@@ -160,6 +160,12 @@ describe('OAuth Utils', () => {
 
   describe('refreshAccessTokenIfNeeded', () => {
     it('should return valid access token without refresh if not expired', async () => {
+      const mockResolvedCredential = {
+        id: 'credential-id',
+        type: 'oauth',
+        accountId: 'account-id',
+        workspaceId: 'workspace-id',
+      }
       const mockCredentialRow = { type: 'oauth', accountId: 'account-id' }
       const mockAccountRow = {
         id: 'account-id',
@@ -169,6 +175,7 @@ describe('OAuth Utils', () => {
         providerId: 'google',
         userId: 'test-user-id',
       }
+      mockSelectChain([mockResolvedCredential])
       mockSelectChain([mockCredentialRow])
       mockSelectChain([mockAccountRow])
 
@@ -179,6 +186,12 @@ describe('OAuth Utils', () => {
     })
 
     it('should refresh token when expired', async () => {
+      const mockResolvedCredential = {
+        id: 'credential-id',
+        type: 'oauth',
+        accountId: 'account-id',
+        workspaceId: 'workspace-id',
+      }
       const mockCredentialRow = { type: 'oauth', accountId: 'account-id' }
       const mockAccountRow = {
         id: 'account-id',
@@ -188,6 +201,7 @@ describe('OAuth Utils', () => {
         providerId: 'google',
         userId: 'test-user-id',
       }
+      mockSelectChain([mockResolvedCredential])
       mockSelectChain([mockCredentialRow])
       mockSelectChain([mockAccountRow])
       mockUpdateChain()
@@ -215,6 +229,12 @@ describe('OAuth Utils', () => {
     })
 
     it('should return null if refresh fails', async () => {
+      const mockResolvedCredential = {
+        id: 'credential-id',
+        type: 'oauth',
+        accountId: 'account-id',
+        workspaceId: 'workspace-id',
+      }
       const mockCredentialRow = { type: 'oauth', accountId: 'account-id' }
       const mockAccountRow = {
         id: 'account-id',
@@ -224,6 +244,7 @@ describe('OAuth Utils', () => {
         providerId: 'google',
         userId: 'test-user-id',
       }
+      mockSelectChain([mockResolvedCredential])
       mockSelectChain([mockCredentialRow])
       mockSelectChain([mockAccountRow])
 

apps/sim/app/api/auth/oauth/utils.ts

@@ -90,14 +90,24 @@ export async function resolveOAuthAccountId(
 }
 
 /**
- * Generates a short-lived access token for a Google service account credential
- * using the two-legged OAuth JWT flow (RFC 7523).
+ * Userinfo scopes are excluded because service accounts don't represent a user
+ * and cannot request user identity information. Google rejects token requests
+ * that include these scopes for service account credentials.
  */
 const SA_EXCLUDED_SCOPES = new Set([
   'https://www.googleapis.com/auth/userinfo.email',
   'https://www.googleapis.com/auth/userinfo.profile',
 ])
 
+/**
+ * Generates a short-lived access token for a Google service account credential
+ * using the two-legged OAuth JWT flow (RFC 7523).
+ *
+ * @param impersonateEmail - Optional. Required for Google Workspace APIs (Gmail, Drive, Calendar, etc.)
+ *   where the service account must impersonate a domain user via domain-wide delegation.
+ *   Not needed for project-scoped APIs like BigQuery or Vertex AI where the service account
+ *   authenticates directly with its own IAM permissions.
+ */
 export async function getServiceAccountToken(
   credentialId: string,
   scopes: string[],
@@ -348,11 +358,11 @@ export async function refreshAccessTokenIfNeeded(
   }
 
   if (resolved.credentialType === 'service_account' && resolved.credentialId) {
-    const effectiveScopes = scopes?.length
-      ? scopes
-      : ['https://www.googleapis.com/auth/cloud-platform']
+    if (!scopes?.length) {
+      throw new Error('Scopes are required for service account credentials')
+    }
     logger.info(`[${requestId}] Using service account token for credential`)
-    return getServiceAccountToken(resolved.credentialId, effectiveScopes, impersonateEmail)
+    return getServiceAccountToken(resolved.credentialId, scopes, impersonateEmail)
   }
 
   // Get the credential directly using the getCredential helper

apps/sim/app/api/credentials/[id]/route.ts

@@ -129,9 +129,9 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
         const parsed = JSON.parse(parseResult.data.serviceAccountJson)
         if (
           parsed.type !== 'service_account' ||
-          !parsed.client_email ||
-          !parsed.private_key ||
-          !parsed.project_id
+          typeof parsed.client_email !== 'string' ||
+          typeof parsed.private_key !== 'string' ||
+          typeof parsed.project_id !== 'string'
         ) {
           return NextResponse.json({ error: 'Invalid service account JSON key' }, { status: 400 })
         }
@@ -166,6 +166,12 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
     const row = await getCredentialResponse(id, session.user.id)
     return NextResponse.json({ credential: row }, { status: 200 })
   } catch (error) {
+    if (error instanceof Error && error.message.includes('unique')) {
+      return NextResponse.json(
+        { error: 'A service account credential with this name already exists in the workspace' },
+        { status: 409 }
+      )
+    }
     logger.error('Failed to update credential', error)
     return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
   }

apps/sim/app/api/tools/gmail/label/route.ts

@@ -6,6 +6,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { getScopesForService } from '@/lib/oauth/utils'
 import {
   getServiceAccountToken,
   refreshAccessTokenIfNeeded,
@@ -69,7 +70,7 @@ export async function GET(request: NextRequest) {
     if (resolved.credentialType === 'service_account' && resolved.credentialId) {
       accessToken = await getServiceAccountToken(
         resolved.credentialId,
-        ['https://www.googleapis.com/auth/gmail.labels'],
+        getScopesForService('gmail'),
         impersonateEmail
       )
     } else {

apps/sim/app/api/tools/gmail/labels/route.ts

@@ -6,6 +6,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { getScopesForService } from '@/lib/oauth/utils'
 import {
   getServiceAccountToken,
   refreshAccessTokenIfNeeded,
@@ -73,7 +74,7 @@ export async function GET(request: NextRequest) {
     if (resolved.credentialType === 'service_account' && resolved.credentialId) {
       accessToken = await getServiceAccountToken(
         resolved.credentialId,
-        ['https://www.googleapis.com/auth/gmail.labels'],
+        getScopesForService('gmail'),
         impersonateEmail
       )
     } else {

apps/sim/app/workspace/[workspaceId]/settings/components/integrations/integrations-manager.tsx

@@ -1149,7 +1149,9 @@ export function IntegrationsManager() {
             onClick={handleConfirmDelete}
             disabled={disconnectOAuthService.isPending || deleteCredential.isPending}
           >
-            {disconnectOAuthService.isPending ? 'Disconnecting...' : 'Disconnect'}
+            {disconnectOAuthService.isPending || deleteCredential.isPending
+              ? 'Disconnecting...'
+              : 'Disconnect'}
           </Button>
         </ModalFooter>
       </ModalContent>

apps/sim/lib/auth/credential-access.ts

@@ -99,6 +99,8 @@ export async function authorizeCredentialUse(
         if (requesterPerm === null) {
           return { ok: false, error: 'You do not have access to this workspace.' }
         }
+      } else if (!workflowContext) {
+        return { ok: false, error: 'workflowId is required' }
       }
 
       return {