Improve token persistence and sensitive data handling

AccessTokenManager now correctly persists rotated refresh tokens and handles expiration timestamps with nullish checks. OAuth.helper.ts avoids logging sensitive OAuth config data in plaintext and refines token data structure updates to better preserve existing fields.

Author: samme-abdul

packages/core/src/Components/APICall/AccessTokenManager.ts

@@ -116,23 +116,23 @@ class AccessTokenManager {
                 updatedData = {
                     ...this.tokensData,
                     auth_data: {
-                        ...this.tokensData.auth_data,
+                        ...(this.tokensData?.auth_data ?? {}),
                         primary: newAccessToken,
-                        secondary: this.secondaryToken,
-                        expires_in: expirationTimestamp ? expirationTimestamp.toString() : expirationTimestamp
+                        // Persist rotated refresh_token when provided; fall back to existing
+                        secondary: (response?.data?.refresh_token ?? this.secondaryToken),
+                        // Use nullish check so 0 is preserved
+                        expires_in: (expirationTimestamp ?? undefined) !== undefined ? String(expirationTimestamp) : undefined
                     }
                 };
             } else {
                 // Maintain old structure format
                 updatedData = {
                     ...this.tokensData,
                     primary: newAccessToken,
-                    expires_in: expirationTimestamp ? expirationTimestamp.toString() : expirationTimestamp
+                    expires_in: (expirationTimestamp ?? undefined) !== undefined ? String(expirationTimestamp) : undefined
                 };
-                // Keep secondary token if it exists
-                if (this.secondaryToken) {
-                    updatedData.secondary = this.secondaryToken;
-                }
+                // Persist rotated refresh_token when provided; otherwise keep existing
+                updatedData.secondary = (response?.data?.refresh_token ?? this.secondaryToken);
             }
 
             const save: any = await managedVault.user(AccessCandidate.agent(this.agent.id)).set(this.keyId, JSON.stringify(updatedData));

packages/core/src/Components/APICall/OAuth.helper.ts

@@ -286,7 +286,8 @@ export const handleOAuthHeaders = async (agent, config, reqConfig, logger, addit
         oAuthConfigString = await TemplateString(oAuthConfigString).parseTeamKeysAsync(oauthTokens.team || agent.teamId).asyncResult;
 
         const oAuthConfig = JSON.parse(oAuthConfigString);
-        console.log('oAuthConfig', oAuthConfig);
+        // Avoid logging sensitive OAuth config in plaintext
+        // console.log('oAuthConfig', { ...oAuthConfig, clientSecret: '***' });
         if (oauthTokens.service === 'oauth2_client_credentials') {
             const accessToken = await getClientCredentialToken(tokensData, logger, keyId, oauthTokens, config, agent, isNewStructure);
             headers['Authorization'] = `Bearer ${accessToken}`;
@@ -388,20 +389,26 @@ async function getClientCredentialToken(tokensData, logger, keyId, oauthTokens,
             // Maintain the same structure format when saving
             let updatedData;
             if (isNewStructure) {
-                // Maintain new structure format
+                // Maintain new structure format; preserve existing fields
+                const parts = String(config?.data?.oauth_con_id ?? '').split('_');
+                const prefixSuffix = parts.length > 1 ? parts[1] : parts[0];
+                const oauthKeysPrefix = prefixSuffix ? `OAUTH_${prefixSuffix}` : undefined;
                 updatedData = {
+                    ...(tokensData || {}),
                     auth_data: {
+                        ...(tokensData?.auth_data || {}),
                         primary: newAccessToken,
                         expires_in: expirationTimestamp.toString()
                     },
-                    auth_settings: tokensData.auth_settings || {
+                    auth_settings: {
+                        ...(tokensData?.auth_settings || {}),
                         type: 'oauth2',
                         tokenURL,
                         clientID,
                         clientSecret,
-                        oauth_keys_prefix: `OAUTH_${config?.data?.oauth_con_id?.split('_')[1]}`,
-                        service: 'oauth2_client_credentials'
-                    }
+                        ...(oauthKeysPrefix ? { oauth_keys_prefix: oauthKeysPrefix } : {}),
+                        service: 'oauth2_client_credentials',
+                    },
                 };
             } else {
                 // Maintain old structure format