fix(oauth): fall back to configured scopes when DB scope is empty #3678

Merged
icecrasher321 merged 1 commit into staging from waleedlatif1/oauth-scope-fallback
Mar 19, 2026

Conversation

waleedlatif1 (Collaborator) commented Mar 19, 2026

Summary

  • When an OAuth provider (e.g. Box) doesn't return a scope field in its token response, the account.scope DB column stays empty
  • The credentials API now falls back to the provider's configured scopes via getCanonicalScopesForProvider() instead of returning an empty array
  • This prevents false "Additional permissions required" banners in the credential selector

Test plan

  • Connect a Box credential and verify no "Additional permissions required" banner appears
  • Verify existing credentials with stored scopes still work correctly (no regression)
  • Verify providers that return scopes in token response (e.g. Google) are unaffected

Providers like Box don't return a scope field in their token response,
leaving the account.scope column empty. The credentials API now falls
back to the provider's configured scopes when the stored scope is
empty, preventing false "Additional permissions required" banners.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
cursor bot commented Mar 19, 2026

PR Summary

Low Risk
Low risk: small change to GET /api/auth/oauth/credentials response shaping, only affecting how scopes are derived when the DB account.scope field is blank.

Overview
Updates the OAuth credentials API so returned credentials no longer report an empty scopes list when the stored DB scope column is missing/blank.

When no stored scope is present, the API now falls back to getCanonicalScopesForProvider(providerId) (configured scopes for that provider), preventing false UI warnings about missing permissions while leaving existing stored-scope behavior unchanged.

Written by Cursor Bugbot for commit c6db5c5.

vercel bot commented Mar 19, 2026

The latest updates on your projects.

1 Skipped Deployment

Project: docs
Deployment: Skipped
Actions: Skipped
Updated (UTC): Mar 19, 2026 6:54pm

greptile-apps bot (Contributor) commented Mar 19, 2026

Greptile Summary

This PR fixes a false "Additional permissions required" banner caused by OAuth providers (e.g. Box) that don't include a scope field in their token response, leaving account.scope empty in the database. The fix adds a single-line fallback in toCredentialResponse — when the stored scope is empty, getCanonicalScopesForProvider(providerId) returns the app's configured scopes for that provider instead of an empty array.

Key points:

  • The fallback is safe: getCanonicalScopesForProvider returns [] for unknown providers, preserving the old behavior for any unrecognized providerId.
  • Providers that do return scopes (e.g. Google) are completely unaffected — the truthy storedScope check ensures they continue to use their DB-stored value.
  • Potential scope-drift concern: The fallback silently treats a Box credential as having exactly the currently-configured scopes. If the Box service config in OAUTH_PROVIDERS is updated to add a new scope after a user has already connected, that user's existing credential will appear to grant the new scope (since no stored value can contradict it). This is an inherent limitation of providers that omit scope from their token response — there is no better source of truth — but it's worth being aware of when changing Box's configured scopes in the future.

Confidence Score: 4/5

  • Safe to merge; the change is minimal, well-scoped, and has no impact on providers that already return scopes.
  • The fix is a single conditional change in one function. getCanonicalScopesForProvider is already well-tested and handles unknown providers gracefully by returning []. Existing providers with stored scopes are unaffected. The only nuance (scope-drift for empty-scope providers) is an unavoidable trade-off, not a regression.
  • No files require special attention.

Important Files Changed

Filename: apps/sim/app/api/auth/oauth/credentials/route.ts
Overview: Adds a scope fallback in toCredentialResponse: when account.scope is empty/null, returns getCanonicalScopesForProvider(providerId) instead of [] to prevent false "Additional permissions required" banners for providers like Box that never include scope in their token response.

Sequence Diagram

sequenceDiagram
    participant Client
    participant CredentialsAPI as GET /api/auth/oauth/credentials
    participant DB as Database (account table)
    participant OAuthUtils as getCanonicalScopesForProvider

    Client->>CredentialsAPI: GET ?provider=box&workspaceId=...
    CredentialsAPI->>DB: SELECT account.scope FROM credential JOIN account
    DB-->>CredentialsAPI: scope = null (Box never returns scope in token response)

    CredentialsAPI->>CredentialsAPI: toCredentialResponse(id, name, "box", updatedAt, null)
    Note over CredentialsAPI: storedScope = null?.trim() = undefined (falsy)

    CredentialsAPI->>OAuthUtils: getCanonicalScopesForProvider("box")
    OAuthUtils-->>CredentialsAPI: ["root_readwrite", "sign_requests.readwrite", ...]

    CredentialsAPI-->>Client: { credentials: [{ scopes: ["root_readwrite", ...] }] }
    Note over Client: No "Additional permissions required" banner shown

Last reviewed commit: "fix(oauth): fall bac..."
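The fallback and the scope-drift trade-off discussed in the review above, as an added example that is not the project's code. The function names getCanonicalScopesForProvider, toCredentialResponse and OAUTH_PROVIDERS follow the names in the PR discussion, but the provider registry, the scope values, the assumption that account.scope is stored as a space-separated string, and the extra scopesSource field (so logs and callers can tell granted scopes from inferred ones) are constructed for this example.

```typescript
// Added example: models the "fall back to configured scopes" behaviour
// described in the PR. Not the project's own code; names follow the PR
// discussion, shapes and scope values are assumptions.

type ProviderConfig = { scopes: string[] };

// Constructed provider registry standing in for OAUTH_PROVIDERS.
const OAUTH_PROVIDERS: Record<string, ProviderConfig> = {
  box: { scopes: ['root_readwrite', 'sign_requests.readwrite'] },
  google: {
    scopes: ['openid', 'email', 'https://www.googleapis.com/auth/drive.readonly'],
  },
};

// Returns [] for an unknown provider, the property the reviewer relies on
// for the fallback to be safe.
function getCanonicalScopesForProvider(providerId: string): string[] {
  return OAUTH_PROVIDERS[providerId]?.scopes ?? [];
}

interface CredentialResponse {
  id: string;
  name: string;
  provider: string;
  scopes: string[];
  // Assumed extra field: records whether scopes were granted (stored by the
  // provider's token response) or merely inferred from current config.
  scopesSource: 'stored' | 'configured';
}

// Assumed: account.scope is a space-separated OAuth scope string, possibly
// null, undefined, or whitespace-only when the provider omitted the field.
function toCredentialResponse(
  id: string,
  name: string,
  providerId: string,
  storedScope: string | null | undefined,
): CredentialResponse {
  const trimmed = storedScope?.trim();
  if (trimmed) {
    // Provider returned scope in its token response: trust the stored value.
    return {
      id,
      name,
      provider: providerId,
      scopes: trimmed.split(/\s+/),
      scopesSource: 'stored',
    };
  }
  // Empty, blank, null or undefined: fall back to the configured scopes.
  return {
    id,
    name,
    provider: providerId,
    scopes: getCanonicalScopesForProvider(providerId),
    scopesSource: 'configured',
  };
}

// Mirrors the "Additional permissions required" check: which of the scopes
// the app currently requires are not covered by the credential.
function missingScopes(required: string[], cred: CredentialResponse): string[] {
  return required.filter((scope) => !cred.scopes.includes(scope));
}
```

With this in place, a Box credential whose stored scope is null, "" or "   " reports the configured scopes and no missing permissions, while a Google credential stored with "openid email" still reports the drive scope as missing. The same check also demonstrates the drift caveat: adding a scope to the Box entry in the registry makes every existing Box credential appear to cover it, because scopesSource is 'configured' and nothing stored can contradict the config; that field is what a defender would log or surface to tell the two cases apart.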

@icecrasher321 icecrasher321 merged commit ce3d2d5 into staging Mar 19, 2026
12 checks passed
@icecrasher321 icecrasher321 deleted the waleedlatif1/oauth-scope-fallback branch March 19, 2026 19:14