fix(box): populate OAuth scopes for Box since token response omits them

waleedlatif1 · claude · waleedlatif1 · commit 1e16fa975d45 · 2026-03-18T22:52:47.000-07:00
Box's OAuth2 token endpoint does not return a scope field in the
response, so Better Auth stores nothing in the DB. This causes the
credential selector to always show "Additional permissions required".
Fix by populating the scope from the requested scopes in the
account.create.before hook.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/lib/auth/auth.ts b/apps/sim/lib/auth/auth.ts
@@ -211,6 +211,16 @@ export const auth = betterAuth({
             modifiedAccount.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
           }
 
+          // Box token response does not include a scope field, so Better Auth
+          // stores nothing. Populate it from the requested scopes so the
+          // credential-selector can verify permissions.
+          if (account.providerId === 'box' && !account.scope) {
+            const requestedScopes = getCanonicalScopesForProvider('box')
+            if (requestedScopes.length > 0) {
+              modifiedAccount.scope = requestedScopes.join(' ')
+            }
+          }
+
           return { data: modifiedAccount }
         },
         after: async (account) => {
