feat(permissions): extend hook to detect missing scopes to return those scopes for upgrade, update credential selector subblock (#1869)

Author: waleedlatif1

apps/sim/app/api/auth/oauth/credentials/route.ts

@@ -18,7 +18,11 @@ const credentialsQuerySchema = z
   .object({
     provider: z.string().nullish(),
     workflowId: z.string().uuid('Workflow ID must be a valid UUID').nullish(),
-    credentialId: z.string().uuid('Credential ID must be a valid UUID').nullish(),
+    credentialId: z
+      .string()
+      .min(1, 'Credential ID must not be empty')
+      .max(255, 'Credential ID is too long')
+      .nullish(),
   })
   .refine((data) => data.provider || data.credentialId, {
     message: 'Provider or credentialId is required',
@@ -206,7 +210,7 @@ export async function GET(request: NextRequest) {
           displayName = `${acc.accountId} (${baseProvider})`
         }
 
-        const grantedScopes = acc.scope ? acc.scope.split(/\s+/).filter(Boolean) : []
+        const grantedScopes = acc.scope ? acc.scope.split(/[\s,]+/).filter(Boolean) : []
         const scopeEvaluation = evaluateScopeCoverage(acc.providerId, grantedScopes)
 
         return {

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel-new/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal.tsx

@@ -1,7 +1,7 @@
 'use client'
 
 import { Check } from 'lucide-react'
-import { Button } from '@/components/ui/button'
+import { Button } from '@/components/emcn/components/button/button'
 import {
   Dialog,
   DialogContent,
@@ -29,13 +29,13 @@ export interface OAuthRequiredModalProps {
   toolName: string
   requiredScopes?: string[]
   serviceId?: string
+  newScopes?: string[]
 }
 
 const SCOPE_DESCRIPTIONS: Record<string, string> = {
   'https://www.googleapis.com/auth/gmail.send': 'Send emails on your behalf',
   'https://www.googleapis.com/auth/gmail.labels': 'View and manage your email labels',
   'https://www.googleapis.com/auth/gmail.modify': 'View and manage your email messages',
-  'https://www.googleapis.com/auth/gmail.readonly': 'View and read your email messages',
   'https://www.googleapis.com/auth/drive.readonly': 'View and read your Google Drive files',
   'https://www.googleapis.com/auth/drive.file': 'View and manage your Google Drive files',
   'https://www.googleapis.com/auth/calendar': 'View and manage your calendar',
@@ -202,6 +202,7 @@ export function OAuthRequiredModal({
   toolName,
   requiredScopes = [],
   serviceId,
+  newScopes = [],
 }: OAuthRequiredModalProps) {
   const effectiveServiceId = serviceId || getServiceIdFromScopes(provider, requiredScopes)
   const { baseProvider } = parseProvider(provider)
@@ -223,6 +224,11 @@ export function OAuthRequiredModal({
   const displayScopes = requiredScopes.filter(
     (scope) => !scope.includes('userinfo.email') && !scope.includes('userinfo.profile')
   )
+  const newScopesSet = new Set(
+    (newScopes || []).filter(
+      (scope) => !scope.includes('userinfo.email') && !scope.includes('userinfo.profile')
+    )
+  )
 
   const handleConnectDirectly = async () => {
     try {
@@ -278,7 +284,14 @@ export function OAuthRequiredModal({
                     <div className='mt-1 rounded-full bg-muted p-0.5'>
                       <Check className='h-3 w-3' />
                     </div>
-                    <span className='text-muted-foreground'>{getScopeDescription(scope)}</span>
+                    <div className='text-muted-foreground'>
+                      <span>{getScopeDescription(scope)}</span>
+                      {newScopesSet.has(scope) && (
+                        <span className='ml-2 rounded-[4px] border border-amber-500/30 bg-amber-500/10 px-1.5 py-0.5 text-[10px] text-amber-300'>
+                          New
+                        </span>
+                      )}
+                    </div>
                   </li>
                 ))}
               </ul>
@@ -289,7 +302,12 @@ export function OAuthRequiredModal({
           <Button variant='outline' onClick={onClose} className='sm:order-1'>
             Cancel
           </Button>
-          <Button type='button' onClick={handleConnectDirectly} className='sm:order-3'>
+          <Button
+            variant='primary'
+            type='button'
+            onClick={handleConnectDirectly}
+            className='sm:order-3'
+          >
             Connect Now
           </Button>
         </DialogFooter>

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel-new/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx

@@ -2,7 +2,7 @@
 
 import { useCallback, useEffect, useMemo, useState } from 'react'
 import { Check, ChevronDown, ExternalLink, RefreshCw } from 'lucide-react'
-import { Button } from '@/components/ui/button'
+import { Button } from '@/components/emcn/components/button/button'
 import {
   Command,
   CommandEmpty,
@@ -15,6 +15,7 @@ import { Popover, PopoverContent, PopoverTrigger } from '@/components/ui/popover
 import { createLogger } from '@/lib/logs/console/logger'
 import {
   type Credential,
+  getCanonicalScopesForProvider,
   getProviderIdFromServiceId,
   getServiceIdFromScopes,
   OAUTH_PROVIDERS,
@@ -25,6 +26,7 @@ import { OAuthRequiredModal } from '@/app/workspace/[workspaceId]/w/[workflowId]
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel-new/components/editor/components/sub-block/hooks/use-sub-block-value'
 import type { SubBlockConfig } from '@/blocks/types'
 import { useCollaborativeWorkflow } from '@/hooks/use-collaborative-workflow'
+import { getMissingRequiredScopes } from '@/hooks/use-oauth-scope-status'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 
 const logger = createLogger('CredentialSelector')
@@ -210,6 +212,14 @@ export function CredentialSelector({
       ? 'Saved by collaborator'
       : undefined
 
+  // Determine if additional permissions are required for the selected credential
+  const hasSelection = !!selectedCredential
+  const missingRequiredScopes = hasSelection
+    ? getMissingRequiredScopes(selectedCredential, requiredScopes || [])
+    : []
+  const needsUpdate =
+    hasSelection && missingRequiredScopes.length > 0 && !disabled && !isPreview && !isLoading
+
   // Handle selection
   const handleSelect = (credentialId: string) => {
     const previousId = selectedId || (effectiveValue as string) || ''
@@ -331,13 +341,21 @@ export function CredentialSelector({
         </PopoverContent>
       </Popover>
 
+      {needsUpdate && (
+        <div className='mt-2 flex items-center justify-between rounded-[6px] border border-amber-300/40 bg-amber-50/60 px-2 py-1 font-medium text-[12px] transition-colors dark:bg-amber-950/10'>
+          <span>Additional permissions required</span>
+          {!isForeign && <Button onClick={() => setShowOAuthModal(true)}>Update access</Button>}
+        </div>
+      )}
+
       {showOAuthModal && (
         <OAuthRequiredModal
           isOpen={showOAuthModal}
           onClose={() => setShowOAuthModal(false)}
           provider={provider}
           toolName={getProviderName(provider)}
-          requiredScopes={requiredScopes}
+          requiredScopes={getCanonicalScopesForProvider(effectiveProviderId)}
+          newScopes={missingRequiredScopes}
           serviceId={effectiveServiceId}
         />
       )}

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel-new/components/editor/components/sub-block/components/tool-input/components/tool-credential-selector.tsx

@@ -1,6 +1,6 @@
 import { useCallback, useEffect, useState } from 'react'
 import { Check, ChevronDown, ExternalLink, Plus, RefreshCw } from 'lucide-react'
-import { Button } from '@/components/ui/button'
+import { Button } from '@/components/emcn/components/button/button'
 import {
   Command,
   CommandEmpty,
@@ -12,17 +12,19 @@ import { Popover, PopoverContent, PopoverTrigger } from '@/components/ui/popover
 import { createLogger } from '@/lib/logs/console/logger'
 import {
   type Credential,
+  getCanonicalScopesForProvider,
+  getProviderIdFromServiceId,
   OAUTH_PROVIDERS,
   type OAuthProvider,
   type OAuthService,
   parseProvider,
 } from '@/lib/oauth'
 import { OAuthRequiredModal } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel-new/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal'
+import { getMissingRequiredScopes } from '@/hooks/use-oauth-scope-status'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 
 const logger = createLogger('ToolCredentialSelector')
 
-// Helper functions for provider icons and names
 const getProviderIcon = (providerName: OAuthProvider) => {
   const { baseProvider } = parseProvider(providerName)
   const baseProviderConfig = OAUTH_PROVIDERS[baseProvider]
@@ -158,6 +160,13 @@ export function ToolCredentialSelector({
   const selectedCredential = credentials.find((cred) => cred.id === selectedId)
   const isForeign = !!(selectedId && !selectedCredential)
 
+  // Determine if additional permissions are required for the selected credential
+  const hasSelection = !!selectedCredential
+  const missingRequiredScopes = hasSelection
+    ? getMissingRequiredScopes(selectedCredential, requiredScopes || [])
+    : []
+  const needsUpdate = hasSelection && missingRequiredScopes.length > 0 && !disabled && !isLoading
+
   return (
     <>
       <Popover open={open} onOpenChange={handleOpenChange}>
@@ -240,12 +249,23 @@ export function ToolCredentialSelector({
         </PopoverContent>
       </Popover>
 
+      {needsUpdate && (
+        <div className='mt-2 flex items-center justify-between rounded-[6px] border border-amber-300/40 bg-amber-50/60 px-2 py-1 font-medium text-[12px] transition-colors dark:bg-amber-950/10'>
+          <span>Additional permissions required</span>
+          {/* We don't have reliable foreign detection context here; always show CTA */}
+          <Button onClick={() => setShowOAuthModal(true)}>Update access</Button>
+        </div>
+      )}
+
       <OAuthRequiredModal
         isOpen={showOAuthModal}
         onClose={handleOAuthClose}
         provider={provider}
         toolName={label}
-        requiredScopes={requiredScopes}
+        requiredScopes={getCanonicalScopesForProvider(
+          serviceId ? getProviderIdFromServiceId(serviceId) : (provider as string)
+        )}
+        newScopes={missingRequiredScopes}
         serviceId={serviceId}
       />
     </>

apps/sim/blocks/blocks/gmail.ts

@@ -48,7 +48,6 @@ export const GmailBlock: BlockConfig<GmailToolResponse> = {
       requiredScopes: [
         'https://www.googleapis.com/auth/gmail.send',
         'https://www.googleapis.com/auth/gmail.modify',
-        'https://www.googleapis.com/auth/gmail.readonly',
         'https://www.googleapis.com/auth/gmail.labels',
       ],
       placeholder: 'Select Gmail account',
@@ -162,10 +161,7 @@ export const GmailBlock: BlockConfig<GmailToolResponse> = {
       canonicalParamId: 'folder',
       provider: 'google-email',
       serviceId: 'gmail',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/gmail.readonly',
-        'https://www.googleapis.com/auth/gmail.labels',
-      ],
+      requiredScopes: ['https://www.googleapis.com/auth/gmail.labels'],
       placeholder: 'Select Gmail label/folder',
       dependsOn: ['credential'],
       mode: 'basic',
@@ -241,10 +237,7 @@ export const GmailBlock: BlockConfig<GmailToolResponse> = {
       canonicalParamId: 'addLabelIds',
       provider: 'google-email',
       serviceId: 'gmail',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/gmail.readonly',
-        'https://www.googleapis.com/auth/gmail.labels',
-      ],
+      requiredScopes: ['https://www.googleapis.com/auth/gmail.labels'],
       placeholder: 'Select destination label',
       dependsOn: ['credential'],
       mode: 'basic',
@@ -271,10 +264,7 @@ export const GmailBlock: BlockConfig<GmailToolResponse> = {
       canonicalParamId: 'removeLabelIds',
       provider: 'google-email',
       serviceId: 'gmail',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/gmail.readonly',
-        'https://www.googleapis.com/auth/gmail.labels',
-      ],
+      requiredScopes: ['https://www.googleapis.com/auth/gmail.labels'],
       placeholder: 'Select label to remove',
       dependsOn: ['credential'],
       mode: 'basic',
@@ -327,10 +317,7 @@ export const GmailBlock: BlockConfig<GmailToolResponse> = {
       canonicalParamId: 'labelIds',
       provider: 'google-email',
       serviceId: 'gmail',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/gmail.readonly',
-        'https://www.googleapis.com/auth/gmail.labels',
-      ],
+      requiredScopes: ['https://www.googleapis.com/auth/gmail.labels'],
       placeholder: 'Select label',
       dependsOn: ['credential'],
       mode: 'basic',

apps/sim/hooks/use-oauth-scope-status.ts

@@ -43,3 +43,29 @@ export function anyCredentialNeedsReauth(credentials: Credential[]): boolean {
 export function getCredentialsNeedingReauth(credentials: Credential[]): Credential[] {
   return credentials.filter(credentialNeedsReauth)
 }
+
+/**
+ * Compute which of the provided requiredScopes are NOT granted by the credential.
+ */
+export function getMissingRequiredScopes(
+  credential: Credential | undefined,
+  requiredScopes: string[] = []
+): string[] {
+  if (!credential) return [...requiredScopes]
+  const granted = new Set((credential.scopes || []).map((s) => s))
+  const missing: string[] = []
+  for (const s of requiredScopes) {
+    if (!granted.has(s)) missing.push(s)
+  }
+  return missing
+}
+
+/**
+ * Whether a credential needs an upgrade specifically for the provided required scopes.
+ */
+export function needsUpgradeForRequiredScopes(
+  credential: Credential | undefined,
+  requiredScopes: string[] = []
+): boolean {
+  return getMissingRequiredScopes(credential, requiredScopes).length > 0
+}