[Dashboard] Add error handling and refactor vault account rotation

joaquim-verges · joaquim-verges · commit b22381edc088 · 2025-07-11T14:21:03.000+12:00
diff --git a/apps/dashboard/src/@/components/project/create-project-modal/index.tsx b/apps/dashboard/src/@/components/project/create-project-modal/index.tsx
@@ -67,6 +67,12 @@ const CreateProjectDialog = (props: CreateProjectDialogProps) => {
         await createVaultAccountAndAccessToken({
           project: res.project,
           projectSecretKey: res.secret,
+        }).catch((error) => {
+          console.error(
+            "Failed to create vault account and access token",
+            error,
+          );
+          throw error;
         });
         return {
           project: res.project,
diff --git a/apps/dashboard/src/@/hooks/useApi.ts b/apps/dashboard/src/@/hooks/useApi.ts
@@ -2,7 +2,7 @@ import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
 import { useActiveAccount } from "thirdweb/react";
 import { apiServerProxy } from "@/actions/proxies";
 import type { Project } from "@/api/projects";
-import { createVaultAccountAndAccessToken } from "../../app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client";
+import { rotateVaultAccountAndAccessToken } from "../../app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client";
 import { accountKeys, authorizedWallets } from "../query-keys/cache-keys";
 
 // FIXME: We keep repeating types, API server should provide them
@@ -331,12 +331,17 @@ export async function rotateSecretKeyClient(params: { project: Project }) {
   }
 
   try {
-    // if the project has a vault admin key, rotate it as well
-    await createVaultAccountAndAccessToken({
-      project: params.project,
-      projectSecretKey: res.data.data.secret,
-      projectSecretHash: res.data.data.secretHash,
-    });
+    // if the project has an encrypted vault admin key, rotate it as well
+    const service = params.project.services.find(
+      (service) => service.name === "engineCloud",
+    );
+    if (service?.encryptedAdminKey) {
+      await rotateVaultAccountAndAccessToken({
+        project: params.project,
+        projectSecretKey: res.data.data.secret,
+        projectSecretHash: res.data.data.secretHash,
+      });
+    }
   } catch (error) {
     console.error("Failed to rotate vault admin key", error);
   }
diff --git a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts
@@ -30,6 +30,51 @@ export async function initVaultClient() {
   return vc;
 }
 
+export async function rotateVaultAccountAndAccessToken(props: {
+  project: Project;
+  projectSecretKey?: string;
+  projectSecretHash?: string;
+}) {
+  const vaultClient = await initVaultClient();
+  const service = props.project.services.find(
+    (service) => service.name === "engineCloud",
+  );
+  const storedRotationCode = service?.rotationCode;
+  if (!storedRotationCode) {
+    throw new Error("No rotation code found");
+  }
+
+  const rotateServiceAccountRes = await rotateServiceAccount({
+    client: vaultClient,
+    request: {
+      auth: {
+        rotationCode: storedRotationCode,
+      },
+    },
+  });
+  if (rotateServiceAccountRes.error) {
+    throw new Error(rotateServiceAccountRes.error.message);
+  }
+  const adminKey = rotateServiceAccountRes.data.newAdminKey;
+  const rotationCode = rotateServiceAccountRes.data.newRotationCode;
+
+  const { managementToken, walletToken } =
+    await createAndEncryptVaultAccessTokens({
+      project: props.project,
+      projectSecretKey: props.projectSecretKey,
+      projectSecretHash: props.projectSecretHash,
+      vaultClient,
+      adminKey,
+      rotationCode,
+    });
+
+  return {
+    adminKey,
+    managementToken,
+    walletToken,
+  };
+}
+
 export async function createVaultAccountAndAccessToken(props: {
   project: Project;
   projectSecretKey?: string;
@@ -38,53 +83,26 @@ export async function createVaultAccountAndAccessToken(props: {
   try {
     const vaultClient = await initVaultClient();
 
-    const service = props.project.services.find(
-      (service) => service.name === "engineCloud",
-    );
-    const storedRotationCode = service?.rotationCode;
-    const storedEncryptedAdminKey = service?.encryptedAdminKey;
-
-    let adminKey: string | null = null;
-    let rotationCode: string | null = null;
-
-    if (storedRotationCode && storedEncryptedAdminKey) {
-      // if the project has a managed vault admin key, rotate it
-      const rotateServiceAccountRes = await rotateServiceAccount({
-        client: vaultClient,
-        request: {
-          auth: {
-            rotationCode: storedRotationCode,
+    const serviceAccountResult = await createServiceAccount({
+      client: vaultClient,
+      request: {
+        options: {
+          metadata: {
+            projectId: props.project.id,
+            purpose: "Thirdweb Project Server Wallet Service Account",
+            teamId: props.project.teamId,
           },
         },
-      });
-      if (rotateServiceAccountRes.error) {
-        throw new Error(rotateServiceAccountRes.error.message);
-      }
-      adminKey = rotateServiceAccountRes.data.newAdminKey;
-      rotationCode = rotateServiceAccountRes.data.newRotationCode;
-    } else {
-      // otherwise create a new service account
-      const serviceAccountResult = await createServiceAccount({
-        client: vaultClient,
-        request: {
-          options: {
-            metadata: {
-              projectId: props.project.id,
-              purpose: "Thirdweb Project Server Wallet Service Account",
-              teamId: props.project.teamId,
-            },
-          },
-        },
-      });
-      if (serviceAccountResult.success === false) {
-        throw new Error(
-          `Failed to create service account: ${serviceAccountResult.error}`,
-        );
-      }
-      const serviceAccount = serviceAccountResult.data;
-      adminKey = serviceAccount.adminKey;
-      rotationCode = serviceAccount.rotationCode;
+      },
+    });
+    if (serviceAccountResult.success === false) {
+      throw new Error(
+        `Failed to create service account: ${serviceAccountResult.error}`,
+      );
     }
+    const serviceAccount = serviceAccountResult.data;
+    const adminKey = serviceAccount.adminKey;
+    const rotationCode = serviceAccount.rotationCode;
 
     const { managementToken, walletToken } =
       await createAndEncryptVaultAccessTokens({
diff --git a/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/components/rotate-admin-key.client.tsx b/apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/vault/components/rotate-admin-key.client.tsx
@@ -27,8 +27,8 @@ import { Spinner } from "@/components/ui/Spinner/Spinner";
 import { useDashboardRouter } from "@/lib/DashboardRouter";
 import { cn } from "@/lib/utils";
 import {
-  createVaultAccountAndAccessToken,
   maskSecret,
+  rotateVaultAccountAndAccessToken,
 } from "../../transactions/lib/vault.client";
 
 export default function RotateAdminKeyButton(props: {
@@ -43,7 +43,7 @@ export default function RotateAdminKeyButton(props: {
   const rotateAdminKeyMutation = useMutation({
     mutationFn: async () => {
       // passing no secret key means we're rotating the admin key and deleting any stored keys
-      const result = await createVaultAccountAndAccessToken({
+      const result = await rotateVaultAccountAndAccessToken({
         project: props.project,
       });
 
