improvement(oauth): credentials sharing for workflows #939

Merged: icecrasher321 merged 26 commits into staging from improvement/oauth-collab on Aug 13, 2025
icecrasher321 (Collaborator) commented Aug 12, 2025

Summary

Auto-selection of credentials was overwriting what the other user had, causing deselection of "credential dependent" subblocks -- document ids, file ids, etc.

This fixes that by having an owner credential vs foreign credential distinguishing check, and also by having the UX clearly indicate to the user whose credentials the workflow is running on.

Type of Change

  • Bug fix

Testing

Tested all webhooks + OAuth blocks with @aadamgough. E.g.

Screen.Recording.2025-08-11.at.11.02.09.PM.mov

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

vercel bot commented Aug 12, 2025

The latest updates on your projects:

  • sim: Ready (updated Aug 13, 2025 9:45pm UTC)
  • docs: Skipped (updated Aug 13, 2025 9:45pm UTC)

icecrasher321 changed the title from "improvement(oauth): credential UX while sharing workflows" to "improvement(oauth): credentials sharing for workflows" on Aug 12, 2025

greptile-apps bot (Contributor) left a comment

Greptile Summary

This PR fixes a critical collaboration issue in OAuth credential management for shared workflows. The problem was that when workflows were shared between users, the system's auto-selection logic would automatically override the original user's credential selections with the current viewer's available credentials, causing dependent components (document IDs, file IDs, calendar selections, etc.) to become deselected and break the workflow.

The solution implements a comprehensive "owner vs foreign credential" distinction across the entire OAuth system:

Frontend Changes: Multiple file selector components (google-drive-picker.tsx, confluence-file-selector.tsx, teams-message-selector.tsx, etc.) now accept a credentialId prop and remove auto-selection logic. The credential selector (credential-selector.tsx) introduces an isForeign flag to detect when credentials belong to collaborators, displaying "Saved by collaborator" instead of resetting selections. The workflow block system (workflow-block.tsx) adds automatic clearing of dependent fields when credentials change to maintain consistency.

Backend Changes: OAuth API routes (/auth/oauth/token/route.ts, /tools/drive/file/route.ts, /tools/google_calendar/calendars/route.ts, etc.) now resolve credential ownership directly from the database and allow read-only access to foreign credentials when a workflowId is present. The tools index (tools/index.ts) removes server-side restrictions on including workflowId in token payloads.

Credential Resolution: The system now fetches the actual credential owner's userId from the database and uses that for token operations, rather than assuming the session user owns all credentials. This enables workflows to execute using any user's credentials while maintaining proper authorization boundaries.

The changes create a collaborative workflow system where users can share workflows that depend on OAuth credentials without breaking each other's configurations, while providing clear UX feedback about whose credentials are being used.

Confidence score: 4/5

  • This PR addresses a real collaboration bug with a systematic solution that maintains existing functionality while adding collaborative features
  • Score reflects the comprehensive nature of changes across multiple API endpoints and components, requiring careful coordination to avoid breaking existing workflows
  • Pay close attention to the OAuth credential resolution logic in API routes and the foreign credential detection in frontend components

17 files reviewed, 7 comments

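The owner-versus-foreign credential resolution summarized in the review above, shown as an added TypeScript example that is not code from this PR or the project. The types, sample rows and function names are hypothetical, and the two workflow checks on the foreign path are assumptions about what keeps the authorization boundary intact, not something the page confirms.

```typescript
// Added illustration; all names and data are hypothetical, not the project's code.
type Credential = { id: string; ownerId: string }
type Workflow = { id: string; ownerId: string; collaborators: string[]; credentialIds: string[] }
type Decision = { allowed: boolean; reason: string; tokenUserId: string | null; isForeign: boolean; readOnly: boolean }

// Constructed rows standing in for the credential and workflow tables.
const credentials: Credential[] = [
  { id: 'cred-alice', ownerId: 'alice' },
  { id: 'cred-bob', ownerId: 'bob' },
]
const workflows: Workflow[] = [
  { id: 'wf-1', ownerId: 'alice', collaborators: ['bob'], credentialIds: ['cred-alice'] },
]

const findById = <T extends { id: string }>(rows: T[], id: string): T | undefined =>
  rows.filter((r) => r.id === id)[0]
const deny = (reason: string): Decision =>
  ({ allowed: false, reason, tokenUserId: null, isForeign: false, readOnly: true })

function resolveCredentialAccess(sessionUserId: string, credentialId: string, workflowId?: string): Decision {
  // Ownership comes from the stored row, never from the session or the request body.
  const cred = findById(credentials, credentialId)
  if (!cred) return deny('credential not found')

  // Owner path: full access, token operations run as the session user.
  if (cred.ownerId === sessionUserId) {
    return { allowed: true, reason: 'owner', tokenUserId: cred.ownerId, isForeign: false, readOnly: false }
  }

  // Foreign path: only considered inside a workflow context.
  if (!workflowId) return deny('foreign credential without workflow context')
  const wf = findById(workflows, workflowId)
  if (!wf) return deny('workflow not found')

  // Assumed checks: the caller can access the workflow, and the workflow
  // actually references this credential. A bare workflowId proves neither.
  const canAccess = wf.ownerId === sessionUserId || wf.collaborators.indexOf(sessionUserId) !== -1
  if (!canAccess) return deny('no access to workflow')
  if (wf.credentialIds.indexOf(credentialId) === -1) return deny('credential not used by workflow')

  // Token operations use the credential owner's userId; the caller gets read-only use.
  return { allowed: true, reason: 'collaborator', tokenUserId: cred.ownerId, isForeign: true, readOnly: true }
}
```

The `isForeign` field in the result corresponds to the flag the review says the credential selector uses to show "Saved by collaborator".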

@icecrasher321 icecrasher321 merged commit b159d63 into staging Aug 13, 2025
5 checks passed
@waleedlatif1 waleedlatif1 deleted the improvement/oauth-collab branch August 15, 2025 17:03
arenadeveloper02 pushed a commit to arenadeveloper02/p2-sim that referenced this pull request Sep 19, 2025
* improvement(oauth): credential UX while sharing workflows

* fix tests

* address greptile comments

* fix linear, jira, folder selectors

* fix routes

* fix linear

* jira fix attempt

* jira fix attempt

* jira fixes

* fix

* fix

* fix jira

* fix selector disable behaviour

* minor fixes

* clear selectors correctly

* fix project selector jira

* fix gdrive

* fix labels dropdown

* fix webhook realtime collab

* fix

* fix webhooks persistence

* fix folders route

* fix lint

* test webhook intermittent error

* fix

* fix display