fix(mcp): tolerate decrypt failure when comparing stored oauth secret

Treat decryption failure (corrupted ciphertext, rotated key) as a secret
change so admins can overwrite an unusable stored secret instead of the
PATCH/POST failing with a 500.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/mcp/servers/[id]/route.ts

@@ -135,9 +135,13 @@ export const PATCH = withRouteHandler(
           } else if (!currentServer?.oauthClientSecret) {
             clientSecretChanged = true
           } else {
-            const currentPlaintext = (await decryptSecret(currentServer.oauthClientSecret))
-              .decrypted
-            clientSecretChanged = currentPlaintext !== oauthClientSecret
+            try {
+              const currentPlaintext = (await decryptSecret(currentServer.oauthClientSecret))
+                .decrypted
+              clientSecretChanged = currentPlaintext !== oauthClientSecret
+            } catch {
+              clientSecretChanged = true
+            }
           }
         }
         const oauthCredsChanged = clientIdChanged || clientSecretChanged

apps/sim/app/api/mcp/servers/route.ts

@@ -173,9 +173,13 @@ export const POST = withRouteHandler(
             } else if (!existingServer.oauthClientSecret) {
               clientSecretChanged = true
             } else {
-              const currentPlaintext = (await decryptSecret(existingServer.oauthClientSecret))
-                .decrypted
-              clientSecretChanged = currentPlaintext !== body.oauthClientSecret
+              try {
+                const currentPlaintext = (await decryptSecret(existingServer.oauthClientSecret))
+                  .decrypted
+                clientSecretChanged = currentPlaintext !== body.oauthClientSecret
+              } catch {
+                clientSecretChanged = true
+              }
             }
           }
           const oauthCredsChanged = clientIdChanged || clientSecretChanged