Skip to content

fix(creds): glitch allowing multiple credentials in an integration#2282

Merged
icecrasher321 merged 1 commit intostagingfrom
fix/prevent-multiple-cred-glitch
Dec 10, 2025
Merged

fix(creds): glitch allowing multiple credentials in an integration#2282
icecrasher321 merged 1 commit intostagingfrom
fix/prevent-multiple-cred-glitch

Conversation

@icecrasher321
Copy link
Collaborator

@icecrasher321 icecrasher321 commented Dec 10, 2025

Summary

Glitch allowing multiple credentials in an integration

Type of Change

  • Bug fix

Testing

Tested manually.

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel
Copy link

vercel bot commented Dec 10, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Preview Comments Updated (UTC)
docs Skipped Skipped Dec 10, 2025 5:00am

@greptile-apps
Copy link
Contributor

greptile-apps bot commented Dec 10, 2025

Greptile Overview

Greptile Summary

Fixed a critical race condition that allowed multiple credentials for the same user-provider-account combination to be stored in the database.

Key Changes:

  • Added unique database constraint on (user_id, provider_id, account_id) to enforce one credential per integration at the database level
  • Migration removes existing duplicate credentials, keeping the most recently updated one
  • Implemented safeAccountInsert helper to gracefully handle constraint violations during race conditions
  • Added database hook in better-auth to check for duplicates before creation and update existing accounts instead
  • Updated Shopify and Trello OAuth routes to use the new safe insert pattern

Impact:
The fix prevents data integrity issues by ensuring users cannot have multiple credentials for the same provider account, which could cause unpredictable behavior when retrieving tokens.

Confidence Score: 4/5

  • This PR is safe to merge with one minor improvement suggested
  • The fix addresses a real data integrity issue with a multi-layered approach (database constraint + application logic). The migration safely removes duplicates, and the code changes are well-implemented. One style suggestion about logging level.
  • No files require special attention - all changes are straightforward and well-implemented

Important Files Changed

File Analysis

Filename Score Overview
packages/db/migrations/0120_illegal_moon_knight.sql 5/5 Added database migration to remove duplicate credentials and enforce unique constraint on (user_id, provider_id, account_id)
packages/db/schema.ts 5/5 Added unique index account_user_provider_account_unique to prevent duplicate credentials per user-provider-account combination
apps/sim/app/api/auth/oauth/utils.ts 4/5 Added safeAccountInsert helper that catches unique constraint violations (error code 23505) to prevent insertion failures during race conditions
apps/sim/lib/auth/auth.ts 5/5 Added database hook to check for duplicate accounts before creation, updates existing account instead of creating duplicate
apps/sim/app/api/auth/oauth2/shopify/store/route.ts 5/5 Replaced direct insert with safeAccountInsert to handle duplicate credentials gracefully during Shopify OAuth flow
apps/sim/app/api/auth/trello/store/route.ts 5/5 Replaced direct insert with safeAccountInsert to handle duplicate credentials gracefully during Trello OAuth flow

Sequence Diagram

sequenceDiagram
    participant User
    participant OAuthRoute as OAuth Route<br/>(Shopify/Trello)
    participant safeAccountInsert
    participant Database
    participant AuthHook as Auth Database Hook

    User->>OAuthRoute: Complete OAuth flow
    OAuthRoute->>Database: Check for existing account
    alt Account exists
        OAuthRoute->>Database: Update existing account
        Database-->>OAuthRoute: Success
    else No existing account
        OAuthRoute->>safeAccountInsert: Insert new account
        safeAccountInsert->>Database: INSERT account
        alt No duplicate (normal case)
            Database-->>safeAccountInsert: Success
            safeAccountInsert-->>OAuthRoute: Success
        else Duplicate constraint violation (23505)
            Database-->>safeAccountInsert: Error 23505
            safeAccountInsert->>safeAccountInsert: Log warning
            safeAccountInsert-->>OAuthRoute: Success (silent)
        end
    end
    
    Note over AuthHook,Database: Separate flow via better-auth
    User->>AuthHook: OAuth via better-auth
    AuthHook->>Database: Check for duplicate
    alt Duplicate found
        AuthHook->>Database: Update existing account
        AuthHook-->>User: Return false (skip create)
    else No duplicate
        AuthHook->>Database: Create new account
        AuthHook-->>User: Success
    end
Loading

greptile-apps[bot]
greptile-apps bot reviewed Dec 10, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

8 files reviewed, 1 comment

Edit Code Review Agent Settings | Greptile

@icecrasher321 icecrasher321 merged commit f421f27 into staging Dec 10, 2025
9 checks passed
@waleedlatif1 waleedlatif1 deleted the fix/prevent-multiple-cred-glitch branch December 10, 2025 05:59
@waleedlatif1 waleedlatif1 mentioned this pull request Dec 10, 2025
Merged
waleedlatif1 added a commit that referenced this pull request Dec 10, 2025
@waleedlatif1 @icecrasher321
@Sg312 @mosaxiv @emir-karabeg @aadamgough
v0.5.23: kb, logs, general ui improvements, token bucket rate limits,…
b7bbef8 
… docs, mcp, autolayout improvements (#2286)

* fix(mcp): prevent redundant MCP server discovery calls at runtime, use cached tool schema instead (#2273)

* fix(mcp): prevent redundant MCP server discovery calls at runtime, use cached tool schema instead

* added backfill, added loading state for tools in settings > mcp

* fix tool inp

* feat(rate-limiter): token bucket algorithm  (#2270)

* fix(ratelimit): make deployed chat rate limited

* improvement(rate-limiter): use token bucket algo

* update docs

* fix

* fix type

* fix db rate limiter

* address greptile comments

* feat(i18n): update translations (#2275)

Co-authored-by: icecrasher321 <icecrasher321@users.noreply.github.com>

* fix(tools): updated kalshi and polymarket tools to accurately reflect outputs (#2274)

* feat(i18n): update translations (#2276)

Co-authored-by: waleedlatif1 <waleedlatif1@users.noreply.github.com>

* fix(autolayout): align by handle (#2277)

* fix(autolayout): align by handle

* use shared constants everywhere

* cleanup

* fix(copilot): fix custom tools (#2278)

* Fix title custom tool

* Checkpoitn (broken)

* Fix custom tool flash

* Edit workflow returns null fix

* Works

* Fix lint

* fix(ime): prevent form submission during IME composition steps (#2279)

* fix(ui): prevent form submission during IME composition steps

* chore(gitignore): add IntelliJ IDE files to .gitignore

---------

Co-authored-by: Vikhyath Mondreti <vikhyathvikku@gmail.com>
Co-authored-by: Waleed <walif6@gmail.com>
Co-authored-by: waleedlatif1 <waleedlatif1@users.noreply.github.com>

* feat(ui): logs, kb, emcn (#2207)

* feat(kb): emcn alignment; sidebar: popover primary; settings-modal: expand

* feat: EMCN breadcrumb; improvement(KB): UI

* fix: hydration error

* improvement(KB): UI

* feat: emcn modal sizing, KB tags; refactor: deleted old sidebar

* feat(logs): UI

* fix: add documents modal name

* feat: logs, emcn, cursorrules; refactor: logs

* feat: dashboard

* feat: notifications; improvement: logs details

* fixed random rectangle on canvas

* fixed the name of the file to align

* fix build

---------

Co-authored-by: waleed <walif6@gmail.com>

* fix(creds): glitch allowing multiple credentials in an integration (#2282)

* improvement: custom tools modal, logs-details (#2283)

* fix(docs): fix copy page button and header hook (#2284)

* improvement(chat): add the ability to download files from the deployed chat (#2280)

* added teams download and chat download file

* Removed comments

* removed comments

* component structure and download all

* removed comments

* cleanup code

* fix empty files case

* small fix

* fix(container): resize heuristic improvement (#2285)

* estimate block height for resize based on subblocks

* fix hydration error

* make more conservative

---------

Co-authored-by: Vikhyath Mondreti <vikhyathvikku@gmail.com>
Co-authored-by: icecrasher321 <icecrasher321@users.noreply.github.com>
Co-authored-by: waleedlatif1 <waleedlatif1@users.noreply.github.com>
Co-authored-by: Siddharth Ganesan <33737564+Sg312@users.noreply.github.com>
Co-authored-by: mosa <mosaxiv@gmail.com>
Co-authored-by: Emir Karabeg <78010029+emir-karabeg@users.noreply.github.com>
Co-authored-by: Adam Gough <77861281+aadamgough@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@icecrasher321