fix: handle delegation errors in loadAccountData, isApiClient, and UI listing

andris9 · andris9 · commit c306618a3742 · 2026-01-14T14:29:37.000+02:00
The previous fix (8651bcc) only protected listAccounts() from throwing when encountering invalid delegation configs. This extends error handling to loadAccountData(), isApiClient(), and the UI account listing loop to prevent 500 errors when viewing, deleting, or operating on accounts with broken delegation references.
diff --git a/lib/account.js b/lib/account.js
@@ -697,20 +697,30 @@ class Account {
                 accountData._app = app;
             }
         } else if (accountData.oauth2 && accountData.oauth2.auth && accountData.oauth2.auth.delegatedAccount) {
-            let delegatedAccount = await resolveDelegatedAccount(this.redis, accountData.account);
-            if (delegatedAccount) {
-                accountData.delegatedAccount = delegatedAccount;
-                let delegatedAccountRow = await this.redis.hgetall(`${REDIS_PREFIX}iad:${delegatedAccount}`);
-                let delegatedAccountData = this.unserializeAccountData(delegatedAccountRow);
-                if (delegatedAccountData.oauth2 && delegatedAccountData.oauth2.provider) {
-                    let app = await oauth2Apps.get(delegatedAccountData.oauth2.provider);
-                    if (app) {
-                        accountData._app = app;
-                        if (app.baseScopes === 'api') {
-                            accountData.isApi = true;
+            try {
+                let delegatedAccount = await resolveDelegatedAccount(this.redis, accountData.account);
+                if (delegatedAccount) {
+                    accountData.delegatedAccount = delegatedAccount;
+                    let delegatedAccountRow = await this.redis.hgetall(`${REDIS_PREFIX}iad:${delegatedAccount}`);
+                    let delegatedAccountData = this.unserializeAccountData(delegatedAccountRow);
+                    if (delegatedAccountData.oauth2 && delegatedAccountData.oauth2.provider) {
+                        let app = await oauth2Apps.get(delegatedAccountData.oauth2.provider);
+                        if (app) {
+                            accountData._app = app;
+                            if (app.baseScopes === 'api') {
+                                accountData.isApi = true;
+                            }
                         }
                     }
                 }
+            } catch (err) {
+                this.logger.warn({
+                    msg: 'Failed to resolve delegated account',
+                    account: accountData.account,
+                    delegatedAccount: accountData.oauth2.auth.delegatedAccount,
+                    err
+                });
+                accountData.delegationError = err.message;
             }
         }
 
@@ -2545,17 +2555,22 @@ class Account {
 
     async isApiClient(accountData) {
         if (accountData.oauth2?.auth?.delegatedAccount) {
-            let delegatedAccount = await resolveDelegatedAccount(this.redis, accountData.account);
-            if (delegatedAccount) {
-                accountData.delegatedAccount = delegatedAccount;
-                let delegatedAccountRow = await this.redis.hgetall(`${REDIS_PREFIX}iad:${delegatedAccount}`);
-                let delegatedAccountData = this.unserializeAccountData(delegatedAccountRow);
-                if (delegatedAccountData?.oauth2?.provider) {
-                    let app = await oauth2Apps.get(delegatedAccountData.oauth2.provider);
-                    return app?.baseScopes === 'api';
-                } else {
-                    return false;
+            try {
+                let delegatedAccount = await resolveDelegatedAccount(this.redis, accountData.account);
+                if (delegatedAccount) {
+                    accountData.delegatedAccount = delegatedAccount;
+                    let delegatedAccountRow = await this.redis.hgetall(`${REDIS_PREFIX}iad:${delegatedAccount}`);
+                    let delegatedAccountData = this.unserializeAccountData(delegatedAccountRow);
+                    if (delegatedAccountData?.oauth2?.provider) {
+                        let app = await oauth2Apps.get(delegatedAccountData.oauth2.provider);
+                        return app?.baseScopes === 'api';
+                    } else {
+                        return false;
+                    }
                 }
+            } catch (err) {
+                // Invalid delegation config - treat as non-API client
+                return false;
             }
         }
 
diff --git a/lib/routes-ui.js b/lib/routes-ui.js
@@ -4166,13 +4166,20 @@ ${Buffer.from(data.content, 'base64url').toString('base64')}
 
             for (let account of accounts.accounts) {
                 let accountObject = new Account({ redis, account: account.account });
-                account.data = await accountObject.loadAccountData(null, null, runIndex);
+                try {
+                    account.data = await accountObject.loadAccountData(null, null, runIndex);
 
-                if (account.data && account.data.oauth2 && account.data.oauth2.provider) {
-                    let oauth2App = await oauth2Apps.get(account.data.oauth2.provider);
-                    if (oauth2App) {
-                        account.data.oauth2.app = oauth2App;
+                    if (account.data && account.data.oauth2 && account.data.oauth2.provider) {
+                        let oauth2App = await oauth2Apps.get(account.data.oauth2.provider);
+                        if (oauth2App) {
+                            account.data.oauth2.app = oauth2App;
+                        }
                     }
+                } catch (err) {
+                    // Account has invalid config (e.g., broken delegation)
+                    account.data = {
+                        delegationError: err.message
+                    };
                 }
             }
 
