make trigger creds collab supported

icecrasher321 · icecrasher321 · commit f0f31d87b74a · 2025-08-19T15:15:13.000-07:00
diff --git a/apps/sim/app/api/webhooks/route.ts b/apps/sim/app/api/webhooks/route.ts
@@ -329,8 +329,8 @@ export async function POST(request: NextRequest) {
       logger.info(`[${requestId}] Gmail provider detected. Setting up Gmail webhook configuration.`)
       try {
         const { configureGmailPolling } = await import('@/lib/webhooks/utils')
-        // Use workflow owner for OAuth lookups to support collaborator-saved credentials
-        const success = await configureGmailPolling(workflowRecord.userId, savedWebhook, requestId)
+        // Strict: utils will resolve credential ownership; do not fall back to workflow owner
+        const success = await configureGmailPolling('', savedWebhook, requestId)
 
         if (!success) {
           logger.error(`[${requestId}] Failed to configure Gmail polling`)
@@ -364,12 +364,8 @@ export async function POST(request: NextRequest) {
       )
       try {
         const { configureOutlookPolling } = await import('@/lib/webhooks/utils')
-        // Use workflow owner for OAuth lookups to support collaborator-saved credentials
-        const success = await configureOutlookPolling(
-          workflowRecord.userId,
-          savedWebhook,
-          requestId
-        )
+        // Strict: utils will resolve credential ownership; do not fall back to workflow owner
+        const success = await configureOutlookPolling('', savedWebhook, requestId)
 
         if (!success) {
           logger.error(`[${requestId}] Failed to configure Outlook polling`)
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/components/sub-block/components/trigger-config/trigger-config.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/components/sub-block/components/trigger-config/trigger-config.tsx
@@ -172,6 +172,11 @@ export function TriggerConfig({
       // Map trigger ID to webhook provider name
       const webhookProvider = effectiveTriggerId.replace(/_webhook|_poller$/, '') // e.g., 'slack_webhook' -> 'slack', 'gmail_poller' -> 'gmail'
 
+      // Include selected credential from the modal (if any)
+      const selectedCredentialId =
+        (useSubBlockStore.getState().getValue(blockId, 'triggerCredentials') as string | null) ||
+        null
+
       // For credential-based triggers (like Gmail), create webhook entry for polling service but no webhook URL
       if (triggerDef.requiresCredentials && !triggerDef.webhook) {
         // Gmail polling service requires a webhook database entry to find the configuration
@@ -185,7 +190,10 @@ export function TriggerConfig({
             blockId,
             path: '', // Empty path - API will generate dummy path for Gmail
             provider: webhookProvider,
-            providerConfig: config,
+            providerConfig: {
+              ...config,
+              ...(selectedCredentialId ? { credentialId: selectedCredentialId } : {}),
+            },
           }),
         })
 
@@ -225,7 +233,10 @@ export function TriggerConfig({
           blockId,
           path,
           provider: webhookProvider,
-          providerConfig: config,
+          providerConfig: {
+            ...config,
+            ...(selectedCredentialId ? { credentialId: selectedCredentialId } : {}),
+          },
         }),
       })
 
diff --git a/apps/sim/lib/webhooks/gmail-polling-service.ts b/apps/sim/lib/webhooks/gmail-polling-service.ts
@@ -3,9 +3,9 @@ import { nanoid } from 'nanoid'
 import { Logger } from '@/lib/logs/console/logger'
 import { hasProcessedMessage, markMessageAsProcessed } from '@/lib/redis'
 import { getBaseUrl } from '@/lib/urls/utils'
-import { getOAuthToken } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import { db } from '@/db'
-import { webhook } from '@/db/schema'
+import { account, webhook } from '@/db/schema'
 
 const logger = new Logger('GmailPollingService')
 
@@ -81,20 +81,30 @@ export async function pollGmailWebhooks() {
       const requestId = nanoid()
 
       try {
-        // Extract user ID from webhook metadata if available
+        // Extract metadata
         const metadata = webhookData.providerConfig as any
-        const userId = metadata?.userId
+        const credentialId: string | undefined = metadata?.credentialId
 
-        if (!userId) {
-          logger.error(`[${requestId}] No user ID found for webhook ${webhookId}`)
-          return { success: false, webhookId, error: 'No user ID' }
+        if (!credentialId) {
+          logger.error(`[${requestId}] Missing credentialId for webhook ${webhookId}`)
+          return { success: false, webhookId, error: 'Missing credentialId' }
         }
 
-        // Get OAuth token for Gmail API
-        const accessToken = await getOAuthToken(userId, 'google-email')
+        // Resolve owner and token strictly via credentialId
+        const rows = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+        if (rows.length === 0) {
+          logger.error(
+            `[${requestId}] Credential ${credentialId} not found for webhook ${webhookId}`
+          )
+          return { success: false, webhookId, error: 'Credential not found' }
+        }
+        const ownerUserId = rows[0].userId
 
+        const accessToken = await refreshAccessTokenIfNeeded(credentialId, ownerUserId, requestId)
         if (!accessToken) {
-          logger.error(`[${requestId}] Failed to get Gmail access token for webhook ${webhookId}`)
+          logger.error(
+            `[${requestId}] Failed to get Gmail access token for webhook ${webhookId} via credential ${credentialId}`
+          )
           return { success: false, webhookId, error: 'No access token' }
         }
 
diff --git a/apps/sim/lib/webhooks/outlook-polling-service.ts b/apps/sim/lib/webhooks/outlook-polling-service.ts
@@ -3,9 +3,9 @@ import { nanoid } from 'nanoid'
 import { Logger } from '@/lib/logs/console/logger'
 import { hasProcessedMessage, markMessageAsProcessed } from '@/lib/redis'
 import { getBaseUrl } from '@/lib/urls/utils'
-import { getOAuthToken } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import { db } from '@/db'
-import { webhook } from '@/db/schema'
+import { account, webhook } from '@/db/schema'
 
 const logger = new Logger('OutlookPollingService')
 
@@ -108,28 +108,30 @@ export async function pollOutlookWebhooks() {
       try {
         logger.info(`[${requestId}] Processing Outlook webhook: ${webhookId}`)
 
-        // Extract user ID from webhook metadata if available
+        // Extract credentialId from providerConfig (strict)
         const metadata = webhookData.providerConfig as any
-        const userId = metadata?.userId
+        const credentialId: string | undefined = metadata?.credentialId
 
-        // Debug: Webhook metadata extraction
-        logger.debug(
-          `[${requestId}] Webhook ${webhookId} providerConfig:`,
-          JSON.stringify(metadata, null, 2)
-        )
-        logger.debug(`[${requestId}] Extracted userId:`, userId)
-
-        if (!userId) {
-          logger.error(`[${requestId}] No user ID found for webhook ${webhookId}`)
-          logger.debug(`[${requestId}] No userId found in providerConfig for webhook ${webhookId}`)
-          return { success: false, webhookId, error: 'No user ID' }
+        if (!credentialId) {
+          logger.error(`[${requestId}] Missing credentialId for webhook ${webhookId}`)
+          return { success: false, webhookId, error: 'Missing credentialId' }
         }
 
-        // Get OAuth token for Outlook API
-        const accessToken = await getOAuthToken(userId, 'outlook')
+        // Resolve owner and token via credentialId
+        const rows = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+        if (!rows.length) {
+          logger.error(
+            `[${requestId}] Credential ${credentialId} not found for webhook ${webhookId}`
+          )
+          return { success: false, webhookId, error: 'Credential not found' }
+        }
+        const ownerUserId = rows[0].userId
 
+        const accessToken = await refreshAccessTokenIfNeeded(credentialId, ownerUserId, requestId)
         if (!accessToken) {
-          logger.error(`[${requestId}] Failed to get Outlook access token for webhook ${webhookId}`)
+          logger.error(
+            `[${requestId}] Failed to get Outlook access token for webhook ${webhookId} via credential ${credentialId}`
+          )
           return { success: false, webhookId, error: 'No access token' }
         }
 
diff --git a/apps/sim/lib/webhooks/utils.ts b/apps/sim/lib/webhooks/utils.ts
@@ -1,9 +1,9 @@
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { createLogger } from '@/lib/logs/console/logger'
-import { getOAuthToken } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import { db } from '@/db'
-import { webhook } from '@/db/schema'
+import { account, webhook } from '@/db/schema'
 
 const logger = createLogger('WebhookUtils')
 
@@ -860,6 +860,31 @@ export async function fetchAndProcessAirtablePayloads(
       return // Exit early
     }
 
+    // Require credentialId
+    const credentialId: string | undefined = localProviderConfig.credentialId
+    if (!credentialId) {
+      logger.error(
+        `[${requestId}] Missing credentialId in providerConfig for Airtable webhook ${webhookData.id}.`
+      )
+      return
+    }
+
+    // Resolve owner and access token strictly via credentialId (no fallback)
+    let ownerUserId: string | null = null
+    try {
+      const rows = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+      ownerUserId = rows.length ? rows[0].userId : null
+    } catch (_e) {
+      ownerUserId = null
+    }
+
+    if (!ownerUserId) {
+      logger.error(
+        `[${requestId}] Could not resolve owner for Airtable credential ${credentialId} on webhook ${webhookData.id}`
+      )
+      return
+    }
+
     // --- Retrieve Stored Cursor from localProviderConfig ---
     const storedCursor = localProviderConfig.externalWebhookCursor
 
@@ -908,26 +933,25 @@ export async function fetchAndProcessAirtablePayloads(
       )
     }
 
-    // --- Get OAuth Token ---
+    // --- Get OAuth Token (strict via credentialId) ---
     let accessToken: string | null = null
     try {
-      accessToken = await getOAuthToken(workflowData.userId, 'airtable')
+      accessToken = await refreshAccessTokenIfNeeded(credentialId, ownerUserId, requestId)
       if (!accessToken) {
         logger.error(
-          `[${requestId}] Failed to obtain valid Airtable access token. Cannot proceed.`,
-          { userId: workflowData.userId }
+          `[${requestId}] Failed to obtain valid Airtable access token via credential ${credentialId}.`
         )
         throw new Error('Airtable access token not found.')
       }
 
       logger.info(`[${requestId}] Successfully obtained Airtable access token`)
     } catch (tokenError: any) {
       logger.error(
-        `[${requestId}] Failed to get Airtable OAuth token for user ${workflowData.userId}`,
+        `[${requestId}] Failed to get Airtable OAuth token for credential ${credentialId}`,
         {
           error: tokenError.message,
           stack: tokenError.stack,
-          userId: workflowData.userId,
+          credentialId,
         }
       )
       // Error logging handled by logging session
@@ -1102,7 +1126,7 @@ export async function fetchAndProcessAirtablePayloads(
 
           // DEBUG: Log totals for this batch
           logger.debug(
-            `[${requestId}] TRACE: Processed ${changeCount} changes in API call ${apiCallCount}`,
+            `[${requestId}] TRACE: Processed ${changeCount} changes in API call ${apiCallCount})`,
             {
               currentMapSize: consolidatedChangesMap.size,
             }
@@ -1257,13 +1281,33 @@ export async function configureGmailPolling(
   logger.info(`[${requestId}] Setting up Gmail polling for webhook ${webhookData.id}`)
 
   try {
-    const accessToken = await getOAuthToken(userId, 'google-email')
-    if (!accessToken) {
-      logger.error(`[${requestId}] Failed to retrieve Gmail access token for user ${userId}`)
+    const providerConfig = (webhookData.providerConfig as Record<string, any>) || {}
+
+    const credentialId: string | undefined = providerConfig.credentialId
+    if (!credentialId) {
+      logger.error(
+        `[${requestId}] Missing credentialId for Gmail webhook ${webhookData.id}. Refusing to proceed.`
+      )
       return false
     }
 
-    const providerConfig = (webhookData.providerConfig as Record<string, any>) || {}
+    // Resolve owner user ID from the credential and refresh token if needed
+    const rows = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    if (rows.length === 0) {
+      logger.error(
+        `[${requestId}] Credential ${credentialId} not found for Gmail webhook ${webhookData.id}`
+      )
+      return false
+    }
+    const ownerUserId = rows[0].userId
+
+    const accessToken = await refreshAccessTokenIfNeeded(credentialId, ownerUserId, requestId)
+    if (!accessToken) {
+      logger.error(
+        `[${requestId}] Failed to refresh/access Gmail token for credential ${credentialId}`
+      )
+      return false
+    }
 
     const maxEmailsPerPoll =
       typeof providerConfig.maxEmailsPerPoll === 'string'
@@ -1282,7 +1326,8 @@ export async function configureGmailPolling(
       .set({
         providerConfig: {
           ...providerConfig,
-          userId, // Store user ID for OAuth access during polling
+          userId: ownerUserId,
+          credentialId,
           maxEmailsPerPoll,
           pollingInterval,
           markAsRead: providerConfig.markAsRead || false,
@@ -1323,13 +1368,33 @@ export async function configureOutlookPolling(
   logger.info(`[${requestId}] Setting up Outlook polling for webhook ${webhookData.id}`)
 
   try {
-    const accessToken = await getOAuthToken(userId, 'outlook')
-    if (!accessToken) {
-      logger.error(`[${requestId}] Failed to retrieve Outlook access token for user ${userId}`)
+    const providerConfig = (webhookData.providerConfig as Record<string, any>) || {}
+
+    const credentialId: string | undefined = providerConfig.credentialId
+    if (!credentialId) {
+      logger.error(
+        `[${requestId}] Missing credentialId for Outlook webhook ${webhookData.id}. Refusing to proceed.`
+      )
       return false
     }
 
-    const providerConfig = (webhookData.providerConfig as Record<string, any>) || {}
+    // Resolve owner user ID from the credential and refresh token if needed
+    const rows = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    if (rows.length === 0) {
+      logger.error(
+        `[${requestId}] Credential ${credentialId} not found for Outlook webhook ${webhookData.id}`
+      )
+      return false
+    }
+    const ownerUserId = rows[0].userId
+
+    const accessToken = await refreshAccessTokenIfNeeded(credentialId, ownerUserId, requestId)
+    if (!accessToken) {
+      logger.error(
+        `[${requestId}] Failed to refresh/access Outlook token for credential ${credentialId}`
+      )
+      return false
+    }
 
     const maxEmailsPerPoll =
       typeof providerConfig.maxEmailsPerPoll === 'string'
@@ -1348,7 +1413,8 @@ export async function configureOutlookPolling(
       .set({
         providerConfig: {
           ...providerConfig,
-          userId, // Store user ID for OAuth access during polling
+          userId: ownerUserId,
+          credentialId,
           maxEmailsPerPoll,
           pollingInterval,
           markAsRead: providerConfig.markAsRead || false,
