Skip to content

Commit ec06db5

Browse files
fix(slack): resolve credential owner for deploy-time team_id lookup
A teammate deploying a trigger wired to a shared Slack credential isn't the credential owner; refreshAccessTokenIfNeeded only loads tokens for the owning user. Resolve the account owner first, mirroring the runtime formatInput path.
1 parent d0ed86d commit ec06db5

1 file changed

Lines changed: 20 additions & 3 deletions

File tree

apps/sim/lib/webhooks/deploy.ts

Lines changed: 20 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
import { db } from '@sim/db'
2-
import { webhook, workflowDeploymentVersion } from '@sim/db/schema'
2+
import { account, webhook, workflowDeploymentVersion } from '@sim/db/schema'
33
import { createLogger } from '@sim/logger'
44
import { generateShortId } from '@sim/utils/id'
55
import { and, eq, inArray, isNull } from 'drizzle-orm'
@@ -19,7 +19,11 @@ import {
1919
isCanonicalPair,
2020
resolveActiveCanonicalValue,
2121
} from '@/lib/workflows/subblocks/visibility'
22-
import { getSlackBotCredential, refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
22+
import {
23+
getSlackBotCredential,
24+
refreshAccessTokenIfNeeded,
25+
resolveOAuthAccountId,
26+
} from '@/app/api/auth/oauth/utils'
2327
import { getBlock } from '@/blocks'
2428
import type { SubBlockConfig } from '@/blocks/types'
2529
import type { BlockState } from '@/stores/workflows/workflow/types'
@@ -453,7 +457,20 @@ export async function saveTriggerWebhooksForDeploy({
453457
error: { message: 'Select a Slack account for the trigger.', status: 400 },
454458
}
455459
}
456-
const botToken = await refreshAccessTokenIfNeeded(credentialId, userId, requestId)
460+
// Resolve the credential OWNER's token (not the deploying actor's) —
461+
// in a shared workspace a teammate can deploy a trigger wired to
462+
// someone else's Slack credential. Mirrors the runtime formatInput path.
463+
let tokenOwnerUserId = userId
464+
const resolvedAccount = await resolveOAuthAccountId(credentialId)
465+
if (resolvedAccount?.accountId) {
466+
const [owner] = await db
467+
.select({ userId: account.userId })
468+
.from(account)
469+
.where(eq(account.id, resolvedAccount.accountId))
470+
.limit(1)
471+
if (owner?.userId) tokenOwnerUserId = owner.userId
472+
}
473+
const botToken = await refreshAccessTokenIfNeeded(credentialId, tokenOwnerUserId, requestId)
457474
if (!botToken) {
458475
return {
459476
success: false,

0 commit comments

Comments
 (0)