fix(auth): detect nested grok oauth credentials

skulidropek · skulidropek · commit 21e63e167f30 · 2026-05-18T05:43:33.000Z
diff --git a/packages/api/src/services/project-auth.ts b/packages/api/src/services/project-auth.ts
@@ -241,7 +241,7 @@ const grokUserSettingsCredentialMarkers: ReadonlyArray<RegExp> = [
   /"accessToken"\s*:\s*"[^"]+"/u,
   /"refreshToken"\s*:\s*"[^"]+"/u,
   /"authToken"\s*:\s*"[^"]+"/u,
-  /"oauth"\s*:\s*\{[^}]*"(?:apiKey|accessToken|access_token|authToken|refreshToken|refresh_token|token)"\s*:\s*"[^"]+"/su
+  /"oauth"\s*:\s*\{[\s\S]*?"(?:apiKey|accessToken|access_token|authToken|refreshToken|refresh_token|token)"\s*:\s*"[^"]+"/u
 ]
 
 const hasGrokUserSettingsCredentials = (
diff --git a/packages/app/src/lib/usecases/auth-grok-helpers.ts b/packages/app/src/lib/usecases/auth-grok-helpers.ts
@@ -178,7 +178,7 @@ const grokUserSettingsCredentialMarkers: ReadonlyArray<RegExp> = [
   /"accessToken"\s*:\s*"[^"]+"/u,
   /"refreshToken"\s*:\s*"[^"]+"/u,
   /"authToken"\s*:\s*"[^"]+"/u,
-  /"oauth"\s*:\s*\{[^}]*"(?:apiKey|accessToken|access_token|authToken|refreshToken|refresh_token|token)"\s*:\s*"[^"]+"/su
+  /"oauth"\s*:\s*\{[\s\S]*?"(?:apiKey|accessToken|access_token|authToken|refreshToken|refresh_token|token)"\s*:\s*"[^"]+"/u
 ]
 
 const hasGrokUserSettingsCredentials = (content: string): boolean =>
diff --git a/packages/lib/src/usecases/auth-grok-helpers.ts b/packages/lib/src/usecases/auth-grok-helpers.ts
@@ -177,7 +177,7 @@ const grokUserSettingsCredentialMarkers: ReadonlyArray<RegExp> = [
   /"accessToken"\s*:\s*"[^"]+"/u,
   /"refreshToken"\s*:\s*"[^"]+"/u,
   /"authToken"\s*:\s*"[^"]+"/u,
-  /"oauth"\s*:\s*\{[^}]*"(?:apiKey|accessToken|access_token|authToken|refreshToken|refresh_token|token)"\s*:\s*"[^"]+"/su
+  /"oauth"\s*:\s*\{[\s\S]*?"(?:apiKey|accessToken|access_token|authToken|refreshToken|refresh_token|token)"\s*:\s*"[^"]+"/u
 ]
 
 const hasGrokUserSettingsCredentials = (content: string): boolean =>
diff --git a/packages/lib/tests/usecases/auth-grok.test.ts b/packages/lib/tests/usecases/auth-grok.test.ts
@@ -181,6 +181,25 @@ describe("authGrokLogin", () => {
       })
     ).pipe(Effect.provide(NodeContext.layer)))
 
+  it.effect("detects nested oauth user settings as Grok credentials", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const accountPath = path.join(root, "default")
+
+        const detected = yield* _(
+          detectUserSettingsPayload(fs, path, accountPath, {
+            oauth: {
+              meta: {},
+              accessToken: "oauth-token"
+            }
+          })
+        )
+        expect(detected).toBe(true)
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+
   it.effect("does not treat bootstrap user settings as Grok credentials", () =>
     withTempDir((root) =>
       Effect.gen(function*(_) {

Original file line number	Diff line number	Diff line change
`@@ -241,7 +241,7 @@ const grokUserSettingsCredentialMarkers: ReadonlyArray<RegExp> = [`
`241`	`241`	`/"accessToken"\s:\s"[^"]+"/u,`
`242`	`242`	`/"refreshToken"\s:\s"[^"]+"/u,`
`243`	`243`	`/"authToken"\s:\s"[^"]+"/u,`
`244`		`- /"oauth"\s:\s\{[^}]"(?:apiKey\|accessToken\|access_token\|authToken\|refreshToken\|refresh_token\|token)"\s:\s*"[^"]+"/su`
	`244`	`+ /"oauth"\s:\s\{[\s\S]?"(?:apiKey\|accessToken\|access_token\|authToken\|refreshToken\|refresh_token\|token)"\s:\s*"[^"]+"/u`
`245`	`245`	`]`
`246`	`246`
`247`	`247`	`const hasGrokUserSettingsCredentials = (`
Original file line number	Diff line number	Diff line change
`@@ -178,7 +178,7 @@ const grokUserSettingsCredentialMarkers: ReadonlyArray<RegExp> = [`
`178`	`178`	`/"accessToken"\s:\s"[^"]+"/u,`
`179`	`179`	`/"refreshToken"\s:\s"[^"]+"/u,`
`180`	`180`	`/"authToken"\s:\s"[^"]+"/u,`
`181`		`- /"oauth"\s:\s\{[^}]"(?:apiKey\|accessToken\|access_token\|authToken\|refreshToken\|refresh_token\|token)"\s:\s*"[^"]+"/su`
	`181`	`+ /"oauth"\s:\s\{[\s\S]?"(?:apiKey\|accessToken\|access_token\|authToken\|refreshToken\|refresh_token\|token)"\s:\s*"[^"]+"/u`
`182`	`182`	`]`
`183`	`183`
`184`	`184`	`const hasGrokUserSettingsCredentials = (content: string): boolean =>`
Original file line number	Diff line number	Diff line change
`@@ -177,7 +177,7 @@ const grokUserSettingsCredentialMarkers: ReadonlyArray<RegExp> = [`
`177`	`177`	`/"accessToken"\s:\s"[^"]+"/u,`
`178`	`178`	`/"refreshToken"\s:\s"[^"]+"/u,`
`179`	`179`	`/"authToken"\s:\s"[^"]+"/u,`
`180`		`- /"oauth"\s:\s\{[^}]"(?:apiKey\|accessToken\|access_token\|authToken\|refreshToken\|refresh_token\|token)"\s:\s*"[^"]+"/su`
	`180`	`+ /"oauth"\s:\s\{[\s\S]?"(?:apiKey\|accessToken\|access_token\|authToken\|refreshToken\|refresh_token\|token)"\s:\s*"[^"]+"/u`
`181`	`181`	`]`
`182`	`182`
`183`	`183`	`const hasGrokUserSettingsCredentials = (content: string): boolean =>`