fix: invalidate credential cache after OAuth refresh (#37630)

2026-06-22 19:21:13 +08:00 · 2026-06-22 10:30:32 +08:00 · 2026-06-22 10:30:32 +08:00 · 8cc690268b
commit 8cc690268b
parent f06127aaa4
2 changed files with 18 additions and 6 deletions
--- a/api/services/trigger/trigger_provider_service.py
+++ b/api/services/trigger/trigger_provider_service.py
@ -475,7 +475,7 @@ class TriggerProviderService:
                tenant_id=tenant_id, provider_id=provider_id
            )
            # Create encrypter
-            encrypter, cache = create_provider_encrypter(
+            encrypter, _ = create_provider_encrypter(
                tenant_id=tenant_id,
                config=[x.to_basic_provider_config() for x in provider_controller.get_oauth_client_schema()],
                cache=NoOpProviderCredentialCache(),
@ -506,14 +506,20 @@ class TriggerProviderService:
            subscription.credentials = dict(encrypter.encrypt(dict(refreshed_credentials.credentials)))
            subscription.credential_expires_at = refreshed_credentials.expires_at

-            # Clear cache
-            cache.delete()
-
-            return {
+            provider_id_value = subscription.provider_id
+            result = {
                "result": "success",
                "expires_at": refreshed_credentials.expires_at,
            }

+        # Clear the trigger runtime credential cache after the DB commit so dispatch uses the refreshed token.
+        delete_cache_for_subscription(
+            tenant_id=tenant_id,
+            provider_id=provider_id_value,
+            subscription_id=subscription_id,
+        )
+        return result
+
    @classmethod
    def refresh_subscription(
        cls,
--- a/api/tests/unit_tests/services/test_trigger_provider_service.py
+++ b/api/tests/unit_tests/services/test_trigger_provider_service.py
@ -560,6 +560,7 @@ def test_refresh_oauth_token_should_refresh_and_persist_new_credentials(
        return_value=(cred_enc, cache),
    )
    mocker.patch.object(TriggerProviderService, "get_oauth_client", return_value={"client_id": "id"})
+    mock_delete_cache = mocker.patch("services.trigger.trigger_provider_service.delete_cache_for_subscription")
    refreshed = SimpleNamespace(credentials={"access_token": "new"}, expires_at=12345)
    oauth_handler = MagicMock()
    oauth_handler.refresh_credentials.return_value = refreshed
@ -573,7 +574,12 @@ def test_refresh_oauth_token_should_refresh_and_persist_new_credentials(
    assert subscription.credentials == {"access_token": "new"}
    assert subscription.credential_expires_at == 12345

-    cache.delete.assert_called_once()
+    cache.delete.assert_not_called()
+    mock_delete_cache.assert_called_once_with(
+        tenant_id="tenant-1",
+        provider_id=str(provider_id),
+        subscription_id="sub-1",
+    )


 def test_refresh_subscription_should_raise_error_when_subscription_missing(