Validate credentials on save

apps/api/src/routes/credentials.ts

@@ -1,5 +1,4 @@
-import { createProvider } from '@simple-agent-manager/providers';
-import type { AgentCredentialInfo, AgentType, CreateCredentialRequest, CredentialKind, CredentialProvider, CredentialResponse, CredentialSource } from '@simple-agent-manager/shared';
+import type { AgentCredentialInfo, AgentType, CreateCredentialRequest, CredentialKind, CredentialProvider, CredentialResponse, CredentialSource, CredentialValidationStatus } from '@simple-agent-manager/shared';
 import { CREDENTIAL_PROVIDERS, getAgentDefinition, isValidAgentType } from '@simple-agent-manager/shared';
 import { and, eq, isNull } from 'drizzle-orm';
 import { drizzle } from 'drizzle-orm/d1';
@@ -11,15 +10,15 @@ import { maskCredential } from '../lib/credential-mask';
 import { log } from '../lib/logger';
 import { getCredentialEncryptionKey } from '../lib/secrets';
 import { ulid } from '../lib/ulid';
-import { getUserId,requireApproved, requireAuth } from '../middleware/auth';
+import { getUserId, requireApproved, requireAuth } from '../middleware/auth';
 import { errors } from '../middleware/error';
 import { rateLimitCredentialUpdate } from '../middleware/rate-limit';
-import { CreateCredentialSchema, CredentialKindBodySchema,jsonValidator, SaveAgentCredentialSchema } from '../schemas';
-import { validateAgentApiKeyWithProvider } from '../services/agent-credential-validation';
+import { CreateCredentialSchema, CredentialKindBodySchema, jsonValidator, SaveAgentCredentialSchema } from '../schemas';
 import { decrypt, encrypt } from '../services/encryption';
+import { getTimeoutMs } from '../services/fetch-timeout';
 import { getPlatformAgentCredential } from '../services/platform-credentials';
-import { buildProviderConfig, serializeCredentialToken } from '../services/provider-credentials';
-import { CredentialValidator } from '../services/validation';
+import { serializeCredentialToken } from '../services/provider-credentials';
+import { CredentialValidator, formatOnlyValidation, validateAgentApiKeyCredentialWithProvider, validateHetznerCredentialWithProvider, validateScalewayCredentialWithProvider } from '../services/validation';
 
 const credentialsRoutes = new Hono<{ Bindings: Env }>();
 
@@ -79,19 +78,45 @@ function getCloudCredentialFields(body: CreateCredentialRequest): CloudCredentia
   throw errors.badRequest(`Unsupported provider: ${providerName}`);
 }
 
-async function validateCloudCredential(providerName: CredentialProvider, tokenToValidate: string): Promise<void> {
-  if (providerName === 'gcp') return;
+const DEFAULT_SAVE_VALIDATION_TIMEOUT_MS = 8000;
 
-  try {
-    const providerConfig = buildProviderConfig(providerName, tokenToValidate);
-    const provider = createProvider(providerConfig);
-    await provider.validateToken();
-  } catch (err) {
-    log.error('credentials.validation_failed', { providerName, error: err instanceof Error ? err.message : String(err) });
-    throw errors.badRequest(`Invalid or unauthorized ${providerName} credentials`);
+function getSaveValidationTimeoutMs(env: Env): number {
+  return getTimeoutMs(env.AGENT_CREDENTIAL_VALIDATION_TIMEOUT_MS, DEFAULT_SAVE_VALIDATION_TIMEOUT_MS);
+}
+
+async function validateCloudCredentialRequest(
+  body: CreateCredentialRequest,
+  env: Env,
+): Promise<CredentialValidationStatus> {
+  if (body.provider === 'hetzner') {
+    return validateHetznerCredentialWithProvider(body.token, { timeoutMs: getSaveValidationTimeoutMs(env) });
+  }
+
+  if (body.provider === 'scaleway') {
+    return validateScalewayCredentialWithProvider(body.secretKey, body.projectId, {
+      timeoutMs: getSaveValidationTimeoutMs(env),
+    });
+  }
+
+  return formatOnlyValidation('GCP credential metadata accepted. Live validation runs during Google setup.');
+}
+
+function rejectInvalidCredentialValidation(validation: CredentialValidationStatus): void {
+  if (!validation.valid) {
+    throw errors.badRequest(validation.error ?? validation.message);
   }
 }
 
+function logCredentialValidationWarning(scope: 'cloud' | 'agent', providerName: string, validation: CredentialValidationStatus): void {
+  if (validation.valid) return;
+  log.warn('credentials.validation_warning', {
+    scope,
+    providerName,
+    status: validation.status,
+    error: validation.error ?? validation.message,
+  });
+}
+
 // Apply auth middleware to all routes
 credentialsRoutes.use('*', requireAuth(), requireApproved());
 
@@ -131,15 +156,13 @@ credentialsRoutes.get('/', async (c) => {
  */
 credentialsRoutes.post('/validate', jsonValidator(CreateCredentialSchema), async (c) => {
   const body = c.req.valid('json');
-  const { providerName, tokenToValidate } = getCloudCredentialFields(body);
-  await validateCloudCredential(providerName, tokenToValidate);
+  const { providerName } = getCloudCredentialFields(body);
+  const validation = await validateCloudCredentialRequest(body, c.env);
+  rejectInvalidCredentialValidation(validation);
 
   return c.json({
-    valid: true,
     provider: providerName,
-    message: providerName === 'gcp'
-      ? 'GCP credential metadata accepted. Live validation runs during Google setup.'
-      : `${providerName} credential validated.`,
+    ...validation,
   });
 });
 
@@ -150,8 +173,10 @@ credentialsRoutes.post('/', jsonValidator(CreateCredentialSchema), async (c) =>
   const userId = getUserId(c);
   const db = drizzle(c.env.DATABASE, { schema });
 
-  const { providerName, tokenToValidate: tokenToEncrypt } = getCloudCredentialFields(c.req.valid('json'));
-  await validateCloudCredential(providerName, tokenToEncrypt);
+  const requestBody = c.req.valid('json');
+  const { providerName, tokenToValidate: tokenToEncrypt } = getCloudCredentialFields(requestBody);
+  const validation = await validateCloudCredentialRequest(requestBody, c.env);
+  logCredentialValidationWarning('cloud', providerName, validation);
 
   // Encrypt the serialized credential token
   const { ciphertext, iv } = await encrypt(tokenToEncrypt, getCredentialEncryptionKey(c.env));
@@ -187,6 +212,7 @@ credentialsRoutes.post('/', jsonValidator(CreateCredentialSchema), async (c) =>
       provider: providerName,
       connected: true,
       createdAt: existingCred.createdAt,
+      validation,
     };
 
     return c.json(response);
@@ -210,6 +236,7 @@ credentialsRoutes.post('/', jsonValidator(CreateCredentialSchema), async (c) =>
     provider: providerName,
     connected: true,
     createdAt: now,
+    validation,
   };
 
   return c.json(response, 201);
@@ -278,7 +305,10 @@ credentialsRoutes.post('/agent/validate', jsonValidator(SaveAgentCredentialSchem
     });
   }
 
-  const result = await validateAgentApiKeyWithProvider(body.agentType, body.credential, c.env);
+  const result = await validateAgentApiKeyCredentialWithProvider(body.agentType, body.credential, {
+    timeoutMs: getSaveValidationTimeoutMs(c.env),
+  });
+  rejectInvalidCredentialValidation(result);
   return c.json({ agentType: body.agentType, ...result });
 });
 
@@ -378,6 +408,13 @@ credentialsRoutes.put('/agent', (c, next) => rateLimitCredentialUpdate(c.env)(c,
     throw errors.badRequest(`OAuth tokens are not supported for ${agentDef.name}`);
   }
 
+  const providerValidation = credentialKind === 'api-key'
+    ? await validateAgentApiKeyCredentialWithProvider(body.agentType, credential, {
+        timeoutMs: getSaveValidationTimeoutMs(c.env),
+      })
+    : formatOnlyValidation(`${agentDef.name} OAuth credential format looks valid.`);
+  logCredentialValidationWarning('agent', agentDef.provider, providerValidation);
+
   // Encrypt the credential
   const { ciphertext, iv } = await encrypt(credential, getCredentialEncryptionKey(c.env));
 
@@ -450,6 +487,7 @@ credentialsRoutes.put('/agent', (c, next) => rateLimitCredentialUpdate(c.env)(c,
       credentialKind,
       isActive: autoActivate,
       maskedKey,
+      validation: providerValidation,
       label: credentialKind === 'oauth-token' ? 'Pro/Max Subscription' : undefined,
       createdAt: existingCred.createdAt,
       updatedAt: now,
@@ -465,6 +503,7 @@ credentialsRoutes.put('/agent', (c, next) => rateLimitCredentialUpdate(c.env)(c,
     credentialKind,
     isActive: autoActivate,
     maskedKey,
+    validation: providerValidation,
     label: credentialKind === 'oauth-token' ? 'Pro/Max Subscription' : undefined,
     createdAt: now,
     updatedAt: now,

apps/api/src/services/validation.ts

@@ -1,6 +1,8 @@
-import type { AgentType, CredentialKind } from '@simple-agent-manager/shared';
+import type { AgentType, CredentialKind, CredentialValidationStatus } from '@simple-agent-manager/shared';
+import { DEFAULT_SCALEWAY_ZONE, getAgentDefinition } from '@simple-agent-manager/shared';
 
 import { expectJsonRecord, maybeJsonRecord } from '../lib/runtime-validation';
+import { fetchWithTimeout } from './fetch-timeout';
 
 const ANTHROPIC_API_KEY_PREFIX = 'sk-ant-api';
 const CLAUDE_OAUTH_TOKEN_PREFIX = 'sk-ant-oat';
@@ -28,7 +30,8 @@ function decodeJwtPayload(jwt: string): Record<string, unknown> | null {
     const parts = jwt.split('.');
     if (parts.length !== 3) return null;
     // Base64url → Base64 → decode
-    const payload = parts[1]!;
+    const payload = parts[1];
+    if (!payload) return null;
     const base64 = payload.replace(/-/g, '+').replace(/_/g, '/');
     const json = atob(base64);
     return JSON.parse(json);
@@ -116,6 +119,145 @@ export function validateOpenAICodexAuthJson(credential: string): OpenAIAuthJsonV
   };
 }
 
+
+const DEFAULT_CREDENTIAL_VALIDATION_TIMEOUT_MS = 8000;
+
+interface ProviderCheck {
+  displayName: string;
+  request: string | URL;
+  init: RequestInit;
+}
+
+export interface CredentialValidationOptions {
+  timeoutMs?: number;
+}
+
+function statusMessage(status: number, statusText: string): string {
+  return `${status} ${statusText || 'Provider Error'}`;
+}
+
+function providerRejected(displayName: string, response: Response): CredentialValidationStatus {
+  const message = `Token rejected by ${displayName} API (${statusMessage(response.status, response.statusText)})`;
+  return {
+    valid: false,
+    message,
+    error: message,
+    status: response.status,
+    validationMode: 'provider',
+  };
+}
+
+function providerUnavailable(displayName: string, err: unknown): CredentialValidationStatus {
+  const detail = err instanceof Error ? err.message : String(err);
+  const message = `Could not validate with ${displayName} API: ${detail}`;
+  return {
+    valid: false,
+    message,
+    error: message,
+    validationMode: 'provider',
+  };
+}
+
+async function runProviderCheck(
+  check: ProviderCheck,
+  successMessage: string,
+  options: CredentialValidationOptions = {},
+): Promise<CredentialValidationStatus> {
+  try {
+    const response = await fetchWithTimeout(
+      check.request,
+      check.init,
+      options.timeoutMs ?? DEFAULT_CREDENTIAL_VALIDATION_TIMEOUT_MS,
+    );
+
+    if (response.ok) {
+      return { valid: true, message: successMessage, validationMode: 'provider' };
+    }
+
+    return providerRejected(check.displayName, response);
+  } catch (err) {
+    return providerUnavailable(check.displayName, err);
+  }
+}
+
+export function formatOnlyValidation(message: string): CredentialValidationStatus {
+  return { valid: true, message, validationMode: 'format' };
+}
+
+export async function validateHetznerCredentialWithProvider(
+  token: string,
+  options?: CredentialValidationOptions,
+): Promise<CredentialValidationStatus> {
+  return runProviderCheck(
+    {
+      displayName: 'Hetzner',
+      request: 'https://api.hetzner.cloud/v1/servers',
+      init: { headers: { Authorization: `Bearer ${token}` } },
+    },
+    'Hetzner credential validated.',
+    options,
+  );
+}
+
+export async function validateScalewayCredentialWithProvider(
+  secretKey: string,
+  projectId: string,
+  options?: CredentialValidationOptions,
+): Promise<CredentialValidationStatus> {
+  const query = new URLSearchParams({ per_page: '1', project: projectId });
+  return runProviderCheck(
+    {
+      displayName: 'Scaleway',
+      request: `https://api.scaleway.com/instance/v1/zones/${DEFAULT_SCALEWAY_ZONE}/servers?${query.toString()}`,
+      init: { headers: { 'X-Auth-Token': secretKey } },
+    },
+    'Scaleway credential validated.',
+    options,
+  );
+}
+
+export async function validateAgentApiKeyCredentialWithProvider(
+  agentType: AgentType,
+  credential: string,
+  options?: CredentialValidationOptions,
+): Promise<CredentialValidationStatus> {
+  const agentDef = getAgentDefinition(agentType);
+  if (!agentDef) {
+    return { valid: false, message: 'Unknown agent type', error: 'Unknown agent type', validationMode: 'format' };
+  }
+
+  if (agentDef.provider === 'anthropic') {
+    return runProviderCheck(
+      {
+        displayName: 'Anthropic',
+        request: 'https://api.anthropic.com/v1/models',
+        init: {
+          headers: {
+            'x-api-key': credential,
+            'anthropic-version': '2023-06-01',
+          },
+        },
+      },
+      `${agentDef.name} credential validated.`,
+      options,
+    );
+  }
+
+  if (agentDef.provider === 'openai') {
+    return runProviderCheck(
+      {
+        displayName: 'OpenAI',
+        request: 'https://api.openai.com/v1/models',
+        init: { headers: { Authorization: `Bearer ${credential}` } },
+      },
+      `${agentDef.name} credential validated.`,
+      options,
+    );
+  }
+
+  return formatOnlyValidation('Credential format looks valid. Provider reachability validation is not available for this agent.');
+}
+
 /**
  * Validate and detect credential format
  */