fix: Trim Strava credentials from request body and environment variables, and improve token refresh logging.

Author: chadbeaudin

app/api/strava/activities/route.ts

@@ -7,6 +7,18 @@ export async function POST(req: Request) {
         const body = await req.json();
         const { stravaCredentials } = body;
 
+        if (stravaCredentials) {
+            console.log(`[API/Strava] Received credentials in request. Keys: ${Object.keys(stravaCredentials).join(', ')}`);
+            // Trim values if they exist
+            if (stravaCredentials.clientId) stravaCredentials.clientId = String(stravaCredentials.clientId).trim();
+            if (stravaCredentials.clientSecret) stravaCredentials.clientSecret = String(stravaCredentials.clientSecret).trim();
+            if (stravaCredentials.refreshToken) stravaCredentials.refreshToken = String(stravaCredentials.refreshToken).trim();
+
+            console.log(`[API/Strava] ClientID provided: ${stravaCredentials.clientId?.substring(0, 5)}...`);
+        } else {
+            console.log('[API/Strava] No credentials in request body, will fallback to server-side ENV.');
+        }
+
         const activities = await fetchAllStravaActivities(stravaCredentials);
 
         // Transform activities into simple coordinate arrays

lib/strava.ts

@@ -11,9 +11,10 @@ export async function getStravaAccessToken(creds?: { clientId?: string; clientSe
     // Check if we received any non-empty credentials in the UI object
     const hasUICreds = !!(creds && (creds.clientId || creds.clientSecret || creds.refreshToken));
 
-    const clientId = (creds?.clientId) || process.env.STRAVA_CLIENT_ID;
-    const clientSecret = (creds?.clientSecret) || process.env.STRAVA_CLIENT_SECRET;
-    const refreshToken = (creds?.refreshToken) || process.env.STRAVA_REFRESH_TOKEN;
+    // Use UI value if present (even if empty string, but we trim first), otherwise fallback to ENV
+    const clientId = (creds?.clientId?.trim() || process.env.STRAVA_CLIENT_ID?.trim());
+    const clientSecret = (creds?.clientSecret?.trim() || process.env.STRAVA_CLIENT_SECRET?.trim());
+    const refreshToken = (creds?.refreshToken?.trim() || process.env.STRAVA_REFRESH_TOKEN?.trim());
 
     const source = hasUICreds ? 'UI' : 'ENV';
     console.log(`[Strava] Attempting token refresh. Source: ${source}, ClientID: ${clientId?.substring(0, 5)}..., Token: ${refreshToken?.substring(0, 8)}...`);
@@ -50,16 +51,21 @@ export async function getStravaAccessToken(creds?: { clientId?: string; clientSe
     }
 
     const data = await response.json();
-    const scopes = data.scope || 'NOT_RETURNED';
-    console.log(`[Strava] Refresh successful. Scopes received: ${scopes}. Response keys: ${Object.keys(data).join(', ')}`);
+    const responseKeys = Object.keys(data);
+    const receivedScope = data.scope || 'NOT_RETURNED';
+
+    console.log(`[Strava] Refresh successful. Response Keys: ${responseKeys.join(', ')}`);
+    console.log(`[Strava] Scope in response: ${receivedScope}`);
 
     if (!data.access_token) {
         throw new Error('Strava token refresh response did not contain an access_token');
     }
 
     // Check for activity read permission in the scopes
-    if (scopes !== 'NOT_RETURNED' && !scopes.includes('activity:read')) {
-        console.warn(`[Strava] WARNING: Token refreshed but missing 'activity:read' scope. Current permitted scopes: ${scopes}`);
+    if (receivedScope !== 'NOT_RETURNED' && !receivedScope.includes('activity:read')) {
+        console.warn(`[Strava] WARNING: Token refreshed but missing 'activity:read' scope. Current permitted scopes: ${receivedScope}`);
+    } else if (receivedScope === 'NOT_RETURNED') {
+        console.log(`[Strava] Note: No scope returned in refresh response. This usually means scopes remain unchanged.`);
     }
 
     return data.access_token;