perf(mcp): fold last-used lookup into single grouped query

Author: Ripwords

apps/dashboard/server/api/me/mcp-connections.get.ts

@@ -1,5 +1,5 @@
 import { defineEventHandler } from "h3"
-import { eq, desc } from "drizzle-orm"
+import { eq, desc, max } from "drizzle-orm"
 import { db } from "../../db"
 import { oauthConsent, oauthClient, oauthAccessToken } from "../../db/schema/auth-schema"
 import { requireSession } from "../../lib/permissions"
@@ -25,20 +25,20 @@ export default defineEventHandler(async (event) => {
     .orderBy(desc(oauthConsent.createdAt))
 
   // Last-used per client = latest access token's createdAt for that (user, client) pair.
+  // One query: max(createdAt) per (userId, clientId). Scopes by userId so a
+  // shared client_id between users doesn't leak each other's last-used.
+  const lastUsedRows = await db
+    .select({
+      clientId: oauthAccessToken.clientId,
+      lastUsedAt: max(oauthAccessToken.createdAt),
+    })
+    .from(oauthAccessToken)
+    .where(eq(oauthAccessToken.userId, session.userId))
+    .groupBy(oauthAccessToken.clientId)
+
   const lastUsedByClient = new Map<string, Date>()
-  const lastUsedResults = await Promise.all(
-    consents.map((c) =>
-      db
-        .select({ createdAt: oauthAccessToken.createdAt })
-        .from(oauthAccessToken)
-        .where(eq(oauthAccessToken.clientId, c.clientId))
-        .orderBy(desc(oauthAccessToken.createdAt))
-        .limit(1)
-        .then((rows) => ({ clientId: c.clientId, createdAt: rows[0]?.createdAt ?? null })),
-    ),
-  )
-  for (const r of lastUsedResults) {
-    if (r.createdAt) lastUsedByClient.set(r.clientId, r.createdAt)
+  for (const row of lastUsedRows) {
+    if (row.lastUsedAt) lastUsedByClient.set(row.clientId, row.lastUsedAt)
   }
 
   return {