( credentialId: string )
| 235 | * Throws if the credential is missing or not an Atlassian service account. |
| 236 | */ |
| 237 | export async function getAtlassianServiceAccountSecret( |
| 238 | credentialId: string |
| 239 | ): Promise<AtlassianServiceAccountSecret> { |
| 240 | const [credentialRow] = await db |
| 241 | .select({ encryptedServiceAccountKey: credential.encryptedServiceAccountKey }) |
| 242 | .from(credential) |
| 243 | .where(eq(credential.id, credentialId)) |
| 244 | .limit(1) |
| 245 | |
| 246 | if (!credentialRow?.encryptedServiceAccountKey) { |
| 247 | throw new Error('Atlassian service account secret not found') |
| 248 | } |
| 249 | |
| 250 | const { decrypted } = await decryptSecret(credentialRow.encryptedServiceAccountKey) |
| 251 | const parsed = JSON.parse(decrypted) as AtlassianServiceAccountSecret |
| 252 | if ( |
| 253 | parsed.type !== ATLASSIAN_SERVICE_ACCOUNT_SECRET_TYPE || |
| 254 | !parsed.apiToken || |
| 255 | !parsed.cloudId |
| 256 | ) { |
| 257 | throw new Error('Stored Atlassian service account secret is malformed') |
| 258 | } |
| 259 | return parsed |
| 260 | } |
| 261 | |
| 262 | /** |
| 263 | * For Atlassian service accounts, the API token IS the access token — |
no test coverage detected