fix: Add username to the tokenStoreKey so the saved token is invalidated when the user changes in the environment

plugins/auth-oauth2/src/grants/password.ts

@@ -32,6 +32,7 @@ export async function getPassword(
     clientId,
     accessTokenUrl,
     authorizationUrl: null,
+    username,
   };
   const token = await getOrRefreshAccessToken(ctx, tokenArgs, {
     accessTokenUrl,

plugins/auth-oauth2/src/index.ts

@@ -103,6 +103,7 @@ export const plugin: PluginDefinition = {
             authorizationUrl: stringArg(values, 'authorizationUrl'),
             accessTokenUrl: stringArg(values, 'accessTokenUrl'),
             clientId: stringArg(values, 'clientId'),
+            username: stringArgOrNull(values, 'username'),
           };
           const token = await getToken(ctx, tokenArgs);
           if (token == null) {
@@ -128,6 +129,7 @@ export const plugin: PluginDefinition = {
             authorizationUrl: stringArg(values, 'authorizationUrl'),
             accessTokenUrl: stringArg(values, 'accessTokenUrl'),
             clientId: stringArg(values, 'clientId'),
+            username: stringArgOrNull(values, 'username'),
           };
           if (await deleteToken(ctx, tokenArgs)) {
             await ctx.toast.show({
@@ -478,6 +480,7 @@ export const plugin: PluginDefinition = {
             authorizationUrl: stringArg(values, 'authorizationUrl'),
             accessTokenUrl: stringArg(values, 'accessTokenUrl'),
             clientId: stringArg(values, 'clientId'),
+            username: stringArgOrNull(values, 'username'),
           };
           const token = await getToken(ctx, tokenArgs);
           if (token == null) {

plugins/auth-oauth2/src/store.ts

@@ -43,6 +43,7 @@ export interface TokenStoreArgs {
   clientId: string;
   accessTokenUrl: string | null;
   authorizationUrl: string | null;
+  username?: string | null;
 }
 
 /**
@@ -55,6 +56,7 @@ function tokenStoreKey(args: TokenStoreArgs) {
   if (args.clientId) hash.update(args.clientId.trim());
   if (args.accessTokenUrl) hash.update(args.accessTokenUrl.trim().replace(/^https?:\/\//, ''));
   if (args.authorizationUrl) hash.update(args.authorizationUrl.trim().replace(/^https?:\/\//, ''));
+  if (args.username) hash.update(args.username);
   const key = hash.digest('hex');
   return ['token', key].join('::');
 }

plugins/auth-oauth2/tests/store.test.ts

@@ -0,0 +1,45 @@
+import { describe, expect, test } from 'vitest';
+import { getToken, storeToken } from '../src/store';
+
+function createMockContext() {
+  const values = new Map<string, unknown>();
+
+  return {
+    store: {
+      async set<T>(key: string, value: T) {
+        values.set(key, value);
+      },
+      async get<T>(key: string) {
+        return values.get(key) as T | undefined;
+      },
+    },
+  } as any;
+}
+
+describe('token store', () => {
+  test('separates password grant tokens when credentials change', async () => {
+    const ctx = createMockContext();
+
+    const aliceArgs = {
+      contextId: 'request-1',
+      clientId: 'client-123',
+      accessTokenUrl: 'https://auth.example.com/token',
+      authorizationUrl: null,
+      username: 'alice@example.com',
+      password: 'secret',
+    };
+    const bobArgs = {
+      contextId: 'request-1',
+      clientId: 'client-123',
+      accessTokenUrl: 'https://auth.example.com/token',
+      authorizationUrl: null,
+      username: 'bob@example.com',
+      password: 'secret',
+    };
+
+    await storeToken(ctx, aliceArgs, { access_token: 'alice-token' });
+
+    expect((await getToken(ctx, aliceArgs))?.response.access_token).toBe('alice-token');
+    expect(await getToken(ctx, bobArgs)).toBeUndefined();
+  });
+});