OAuth credential sync and app integration enhancements#7
Conversation
…11059) * Add credential sync .env variables * Add webhook to send app credentials * Upsert credentials when webhook called * Refresh oauth token from a specific endpoint * Pass appSlug * Add credential encryption * Move oauth helps into a folder * Create parse token response wrapper * Add OAuth helpers to apps * Clean up * Refactor `appDirName` to `appSlug` * Address feedback * Change to safe parse * Remove console.log --------- Co-authored-by: Syed Ali Shahbaz <52925846+alishaz-polymath@users.noreply.github.com> Co-authored-by: Omar López <zomars@me.com>
|
@codex review |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 824145b0e2
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| const minimumTokenResponseSchema = z.object({ | ||
| access_token: z.string(), | ||
| // Assume that any property with a number is the expiry | ||
| [z.string().toString()]: z.number(), |
There was a problem hiding this comment.
When credential sharing is enabled, parseRefreshTokenResponse switches to minimumTokenResponseSchema, but the computed key [z.string().toString()] creates a literal property name (e.g. "ZodString") instead of matching arbitrary numeric expiry fields like expires_in or expiry_date. As a result, any real token payload will fail safeParse and the refresh path will always throw “Invalid refreshed tokens were returned,” breaking token refresh for shared-credential setups. Use catchall/z.record or explicitly model the expiry field names instead of computed object keys.
Useful? React with 👍 / 👎.
| const key = parseRefreshTokenResponse(googleCredentials, googleCredentialSchema); | ||
| await prisma.credential.update({ | ||
| where: { id: credential.id }, | ||
| data: { key }, |
There was a problem hiding this comment.
parseRefreshTokenResponse returns the Zod safeParse result, but this value is persisted directly as credential.key. That means after the first refresh the stored key becomes { success, data } instead of the token fields, so the next googleCredentialSchema.parse(credential.key) will fail and Google Calendar breaks after a token refresh. Save parseRefreshTokenResponse(...).data (or return data from the helper) before updating the credential.
Useful? React with 👍 / 👎.
3 participants
Test 8nn---nReplicated from ai-code-review-evaluation/cal.com-cursor#8