simstudioai
diff --git a/‎apps/sim/app/api/auth/oauth/disconnect/route.ts‎
Lines changed: 46 additions & 1 deletion b/‎apps/sim/app/api/auth/oauth/disconnect/route.ts‎
Lines changed: 46 additions & 1 deletion
diff --git a/‎apps/sim/app/api/credential-sets/[id]/invite/route.ts‎
Lines changed: 52 additions & 2 deletions b/‎apps/sim/app/api/credential-sets/[id]/invite/route.ts‎
Lines changed: 52 additions & 2 deletions
diff --git a/‎apps/sim/app/api/credential-sets/[id]/members/route.ts‎
Lines changed: 12 additions & 12 deletions b/‎apps/sim/app/api/credential-sets/[id]/members/route.ts‎
Lines changed: 12 additions & 12 deletions
diff --git a/‎apps/sim/app/api/credential-sets/invite/[token]/route.ts‎
Lines changed: 42 additions & 44 deletions b/‎apps/sim/app/api/credential-sets/invite/[token]/route.ts‎
Lines changed: 42 additions & 44 deletions
diff --git a/‎apps/sim/app/api/credential-sets/memberships/route.ts‎
Lines changed: 77 additions & 2 deletions b/‎apps/sim/app/api/credential-sets/memberships/route.ts‎
Lines changed: 77 additions & 2 deletions
@@ -1,11 +1,12 @@
 import { db } from '@sim/db'
-import { account } from '@sim/db/schema'
+import { account, credentialSet, credentialSetMember } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq, like, or } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { syncAllWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
 
 export const dynamic = 'force-dynamic'
 
@@ -74,6 +75,50 @@ export async function POST(request: NextRequest) {
         )
     }
 
+    // Sync webhooks for all credential sets the user is a member of
+    // This removes webhooks that were using the disconnected credential
+    const userMemberships = await db
+      .select({
+        id: credentialSetMember.id,
+        credentialSetId: credentialSetMember.credentialSetId,
+        providerId: credentialSet.providerId,
+        type: credentialSet.type,
+      })
+      .from(credentialSetMember)
+      .innerJoin(credentialSet, eq(credentialSetMember.credentialSetId, credentialSet.id))
+      .where(
+        and(
+          eq(credentialSetMember.userId, session.user.id),
+          eq(credentialSetMember.status, 'active')
+        )
+      )
+
+    for (const membership of userMemberships) {
+      // Only sync if the credential set matches this provider or is 'all' type
+      const matchesProvider =
+        membership.type === 'all' ||
+        membership.providerId === provider ||
+        membership.providerId === providerId ||
+        (membership.providerId && provider.startsWith(membership.providerId))
+
+      if (matchesProvider) {
+        try {
+          await syncAllWebhooksForCredentialSet(membership.credentialSetId, requestId)
+          logger.info(`[${requestId}] Synced webhooks after credential disconnect`, {
+            credentialSetId: membership.credentialSetId,
+            provider,
+          })
+        } catch (error) {
+          // Log but don't fail the disconnect - credential is already removed
+          logger.error(`[${requestId}] Failed to sync webhooks after credential disconnect`, {
+            credentialSetId: membership.credentialSetId,
+            provider,
+            error,
+          })
+        }
+      }
+    }
+
     return NextResponse.json({ success: true }, { status: 200 })
   } catch (error) {
     logger.error(`[${requestId}] Error disconnecting OAuth provider`, error)
 
@@ -1,10 +1,13 @@
 import { db } from '@sim/db'
-import { credentialSet, credentialSetInvitation, member } from '@sim/db/schema'
+import { credentialSet, credentialSetInvitation, member, organization, user } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { getEmailSubject, renderPollingGroupInvitationEmail } from '@/components/emails'
 import { getSession } from '@/lib/auth'
+import { getBaseUrl } from '@/lib/core/utils/urls'
+import { sendEmail } from '@/lib/messaging/email/mailer'
 
 const logger = createLogger('CredentialSetInvite')
 
@@ -18,6 +21,7 @@ async function getCredentialSetWithAccess(credentialSetId: string, userId: strin
       id: credentialSet.id,
       organizationId: credentialSet.organizationId,
       name: credentialSet.name,
+      providerId: credentialSet.providerId,
     })
     .from(credentialSet)
     .where(eq(credentialSet.id, credentialSetId))
@@ -98,12 +102,58 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
 
     await db.insert(credentialSetInvitation).values(invitation)
 
-    const inviteUrl = `${process.env.NEXTAUTH_URL || 'http://localhost:3000'}/credential-account/${token}`
+    const inviteUrl = `${getBaseUrl()}/credential-account/${token}`
+
+    // Send email if email address was provided
+    if (email) {
+      try {
+        // Get inviter name
+        const [inviter] = await db
+          .select({ name: user.name })
+          .from(user)
+          .where(eq(user.id, session.user.id))
+          .limit(1)
+
+        // Get organization name
+        const [org] = await db
+          .select({ name: organization.name })
+          .from(organization)
+          .where(eq(organization.id, result.set.organizationId))
+          .limit(1)
+
+        const provider = (result.set.providerId as 'gmail' | 'outlook') || 'gmail'
+        const emailHtml = await renderPollingGroupInvitationEmail({
+          inviterName: inviter?.name || 'A team member',
+          organizationName: org?.name || 'your organization',
+          pollingGroupName: result.set.name,
+          provider,
+          inviteLink: inviteUrl,
+        })
+
+        const emailResult = await sendEmail({
+          to: email,
+          subject: getEmailSubject('polling-group-invitation'),
+          html: emailHtml,
+          emailType: 'transactional',
+        })
+
+        if (!emailResult.success) {
+          logger.warn('Failed to send invitation email', {
+            email,
+            error: emailResult.message,
+          })
+        }
+      } catch (emailError) {
+        logger.error('Error sending invitation email', emailError)
+        // Don't fail the invitation creation if email fails
+      }
+    }
 
     logger.info('Created credential set invitation', {
       credentialSetId: id,
       invitationId: invitation.id,
       userId: session.user.id,
+      emailSent: !!email,
     })
 
     return NextResponse.json({
 
@@ -152,24 +152,24 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
       return NextResponse.json({ error: 'Member not found' }, { status: 404 })
     }
 
-    await db.delete(credentialSetMember).where(eq(credentialSetMember.id, memberId))
+    const requestId = crypto.randomUUID().slice(0, 8)
 
-    logger.info('Removed member from credential set', {
-      credentialSetId: id,
-      memberId,
-      userId: session.user.id,
-    })
+    // Use transaction to ensure member deletion + webhook sync are atomic
+    await db.transaction(async (tx) => {
+      await tx.delete(credentialSetMember).where(eq(credentialSetMember.id, memberId))
 
-    try {
-      const requestId = crypto.randomUUID().slice(0, 8)
-      const syncResult = await syncAllWebhooksForCredentialSet(id, requestId)
+      const syncResult = await syncAllWebhooksForCredentialSet(id, requestId, tx)
       logger.info('Synced webhooks after member removed', {
         credentialSetId: id,
         ...syncResult,
       })
-    } catch (syncError) {
-      logger.error('Error syncing webhooks after member removed', syncError)
-    }
+    })
+
+    logger.info('Removed member from credential set', {
+      credentialSetId: id,
+      memberId,
+      userId: session.user.id,
+    })
 
     return NextResponse.json({ success: true })
   } catch (error) {
 
@@ -91,10 +91,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ tok
       return NextResponse.json({ error: 'Invitation has expired' }, { status: 410 })
     }
 
-    if (invitation.email && invitation.email !== session.user.email) {
-      return NextResponse.json({ error: 'Email does not match invitation' }, { status: 400 })
-    }
-
     const existingMember = await db
       .select()
       .from(credentialSetMember)
@@ -114,64 +110,66 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ tok
     }
 
     const now = new Date()
-    await db.insert(credentialSetMember).values({
-      id: crypto.randomUUID(),
-      credentialSetId: invitation.credentialSetId,
-      userId: session.user.id,
-      status: 'active',
-      joinedAt: now,
-      invitedBy: invitation.invitedBy,
-      createdAt: now,
-      updatedAt: now,
-    })
+    const requestId = crypto.randomUUID().slice(0, 8)
 
-    await db
-      .update(credentialSetInvitation)
-      .set({
-        status: 'accepted',
-        acceptedAt: now,
-        acceptedByUserId: session.user.id,
+    // Use transaction to ensure membership + invitation update + webhook sync are atomic
+    await db.transaction(async (tx) => {
+      await tx.insert(credentialSetMember).values({
+        id: crypto.randomUUID(),
+        credentialSetId: invitation.credentialSetId,
+        userId: session.user.id,
+        status: 'active',
+        joinedAt: now,
+        invitedBy: invitation.invitedBy,
+        createdAt: now,
+        updatedAt: now,
       })
-      .where(eq(credentialSetInvitation.id, invitation.id))
 
-    // Clean up all other pending invitations for the same credential set and email
-    // This prevents duplicate invites from showing up after accepting one
-    if (invitation.email) {
-      await db
+      await tx
         .update(credentialSetInvitation)
         .set({
           status: 'accepted',
           acceptedAt: now,
           acceptedByUserId: session.user.id,
         })
-        .where(
-          and(
-            eq(credentialSetInvitation.credentialSetId, invitation.credentialSetId),
-            eq(credentialSetInvitation.email, invitation.email),
-            eq(credentialSetInvitation.status, 'pending')
-          )
-        )
-    }
+        .where(eq(credentialSetInvitation.id, invitation.id))
 
-    logger.info('Accepted credential set invitation', {
-      invitationId: invitation.id,
-      credentialSetId: invitation.credentialSetId,
-      userId: session.user.id,
-    })
+      // Clean up all other pending invitations for the same credential set and email
+      // This prevents duplicate invites from showing up after accepting one
+      if (invitation.email) {
+        await tx
+          .update(credentialSetInvitation)
+          .set({
+            status: 'accepted',
+            acceptedAt: now,
+            acceptedByUserId: session.user.id,
+          })
+          .where(
+            and(
+              eq(credentialSetInvitation.credentialSetId, invitation.credentialSetId),
+              eq(credentialSetInvitation.email, invitation.email),
+              eq(credentialSetInvitation.status, 'pending')
+            )
+          )
+      }
 
-    try {
-      const requestId = crypto.randomUUID().slice(0, 8)
+      // Sync webhooks within the transaction
       const syncResult = await syncAllWebhooksForCredentialSet(
         invitation.credentialSetId,
-        requestId
+        requestId,
+        tx
       )
       logger.info('Synced webhooks after member joined', {
         credentialSetId: invitation.credentialSetId,
         ...syncResult,
       })
-    } catch (syncError) {
-      logger.error('Error syncing webhooks after member joined', syncError)
-    }
+    })
+
+    logger.info('Accepted credential set invitation', {
+      invitationId: invitation.id,
+      credentialSetId: invitation.credentialSetId,
+      userId: session.user.id,
+    })
 
     return NextResponse.json({
       success: true,
 
@@ -1,9 +1,10 @@
 import { db } from '@sim/db'
 import { credentialSet, credentialSetMember, organization } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
-import { NextResponse } from 'next/server'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
+import { syncAllWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
 
 const logger = createLogger('CredentialSetMemberships')
 
@@ -37,3 +38,77 @@ export async function GET() {
     return NextResponse.json({ error: 'Failed to fetch memberships' }, { status: 500 })
   }
 }
+
+/**
+ * Leave a credential set (self-revocation).
+ * Sets status to 'revoked' immediately (blocks execution), then syncs webhooks to clean up.
+ */
+export async function DELETE(req: NextRequest) {
+  const session = await getSession()
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { searchParams } = new URL(req.url)
+  const credentialSetId = searchParams.get('credentialSetId')
+
+  if (!credentialSetId) {
+    return NextResponse.json({ error: 'credentialSetId is required' }, { status: 400 })
+  }
+
+  try {
+    const requestId = crypto.randomUUID().slice(0, 8)
+
+    // Use transaction to ensure revocation + webhook sync are atomic
+    await db.transaction(async (tx) => {
+      // Find and verify membership
+      const [membership] = await tx
+        .select()
+        .from(credentialSetMember)
+        .where(
+          and(
+            eq(credentialSetMember.credentialSetId, credentialSetId),
+            eq(credentialSetMember.userId, session.user.id)
+          )
+        )
+        .limit(1)
+
+      if (!membership) {
+        throw new Error('Not a member of this credential set')
+      }
+
+      if (membership.status === 'revoked') {
+        throw new Error('Already left this credential set')
+      }
+
+      // Set status to 'revoked' - this immediately blocks credential from being used
+      await tx
+        .update(credentialSetMember)
+        .set({
+          status: 'revoked',
+          updatedAt: new Date(),
+        })
+        .where(eq(credentialSetMember.id, membership.id))
+
+      // Sync webhooks to remove this user's credential webhooks
+      const syncResult = await syncAllWebhooksForCredentialSet(credentialSetId, requestId, tx)
+      logger.info('Synced webhooks after member left', {
+        credentialSetId,
+        userId: session.user.id,
+        ...syncResult,
+      })
+    })
+
+    logger.info('User left credential set', {
+      credentialSetId,
+      userId: session.user.id,
+    })
+
+    return NextResponse.json({ success: true })
+  } catch (error) {
+    const message = error instanceof Error ? error.message : 'Failed to leave credential set'
+    logger.error('Error leaving credential set', error)
+    return NextResponse.json({ error: message }, { status: 500 })
+  }
+}