fix(credentials): scope inner duplicate re-check to service_account

TheodoreSpeaks · TheodoreSpeaks · commit 0fa4f211c92d · 2026-05-05T15:24:52.000-07:00
OAuth dedupes by accountId, env_* by envKey — both have DB-level partial
unique indexes that surface as 23505. The previous inner re-check fired
for all types and always threw DuplicateCredentialError, which mapped to
'duplicate_display_name' in the UI even when the real conflict was a
duplicate OAuth account or env key. Restrict the in-tx re-check to
service_account (the only type without a DB-level index) and let the
23505 handler emit a generic message for everything else.
diff --git a/apps/sim/app/api/credentials/route.ts b/apps/sim/app/api/credentials/route.ts
@@ -505,21 +505,18 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       .limit(1)
 
     await db.transaction(async (tx) => {
-      // Race-safety re-check: the outer findExistingCredentialBySource ran outside
-      // the transaction. Service_account rows have no DB-level unique index on
-      // (workspaceId, providerId, displayName), so a concurrent request could
-      // have inserted a duplicate after our outer check but before this insert.
-      // Re-check here and abort the tx if so. The catch maps this to a 409.
-      const innerExisting = await findExistingCredentialBySourceTx(tx, {
-        workspaceId,
-        type,
-        accountId: resolvedAccountId,
-        envKey: resolvedEnvKey,
-        envOwnerUserId: resolvedEnvOwnerUserId,
-        displayName: resolvedDisplayName,
-        providerId: resolvedProviderId,
-      })
-      if (innerExisting) throw new DuplicateCredentialError()
+      // service_account has no DB-level unique index on (workspaceId, providerId,
+      // displayName), so we re-check inside the tx. OAuth/env_* are guarded by
+      // partial unique indexes and fall through to the 23505 handler below.
+      if (type === 'service_account') {
+        const innerExisting = await findExistingCredentialBySourceTx(tx, {
+          workspaceId,
+          type,
+          displayName: resolvedDisplayName,
+          providerId: resolvedProviderId,
+        })
+        if (innerExisting) throw new DuplicateCredentialError()
+      }
 
       await tx.insert(credential).values({
         id: credentialId,
