From c6db5c541c2aa9eaf364e9e9e4a9f8ed66033a91 Mon Sep 17 00:00:00 2001
From: Waleed Latif
Date: Thu, 19 Mar 2026 11:51:36 -0700
Subject: [PATCH] fix(oauth): fall back to configured scopes when DB scope is empty
Providers like Box don't return a scope field in their token response, leaving the account.scope column empty. The credentials API now falls back to the provider's configured scopes when the stored scope is empty, preventing false "Additional permissions required" banners.
Co-Authored-By: Claude Opus 4.6
---
 apps/sim/app/api/auth/oauth/credentials/route.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/apps/sim/app/api/auth/oauth/credentials/route.ts b/apps/sim/app/api/auth/oauth/credentials/route.ts
index 6b096803b91..eab12f41f86 100644
--- a/apps/sim/app/api/auth/oauth/credentials/route.ts
+++ b/apps/sim/app/api/auth/oauth/credentials/route.ts
@@ -7,6 +7,7 @@ import { z } from 'zod'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
+import { getCanonicalScopesForProvider } from '@/lib/oauth/utils'
 import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
@@ -38,7 +39,13 @@ function toCredentialResponse(
 scope: string | null
 ) {
 const storedScope = scope?.trim()
- const scopes = storedScope ? storedScope.split(/[\s,]+/).filter(Boolean) : []
+ // Some providers (e.g. Box) don't return scopes in their token response,
+ // so the DB column stays empty. Fall back to the configured scopes for
+ // the provider so the credential-selector doesn't show a false
+ // "Additional permissions required" banner.
+ const scopes = storedScope
+ ? storedScope.split(/[\s,]+/).filter(Boolean)
+ : getCanonicalScopesForProvider(providerId)
 const [_, featureType = 'default'] = providerId.split('-')
 return {
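Review bot: The fallback in `toCredentialResponse` reports the provider's currently configured scopes as if they had been granted whenever `account.scope` is empty, and it does so for every provider, not only the ones known to omit `scope` from the token response. RFC 6749 allows a server to omit `scope` only when the grant equals what was requested, so the sound fallback is the scope set requested when the credential was connected; if the configured list later gains a scope, these credentials would presumably be reported as already holding it and the reauthorization banner would never appear. Consider persisting the requested scopes at token exchange, or limiting the fallback to an explicit allow-list of providers, and mark the value as inferred with a comment such as `// inferred from provider config, not confirmed by the token response`. The function body continues past the end of the hunk, so how `scopes` is consumed downstream is not visible here.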