feat(integrations): add Todoist integration block #4904

Open
iamshubham1704 wants to merge 5 commits into simstudioai:main from iamshubham1704:main

Conversation

@iamshubham1704

Summary

Adds a complete Todoist integration to Sim, enabling agents to manage
tasks, projects, and comments via the Todoist REST API.

Changes

Todoist Integration (apps/sim/tools/todoist/)

  • create_task — Create tasks with description, project, priority, labels
  • get_task — Retrieve task details by ID
  • list_tasks — List/filter tasks by project, query, or label
  • update_task — Update task properties
  • close_task — Mark a task as complete
  • delete_task — Permanently delete a task
  • list_projects — Fetch all projects in the user's Todoist
  • add_comment — Append comments to tasks

Block & Registry

  • Added TodoistBlock in apps/sim/blocks/blocks/todoist.ts with
    correct dropdown states, conditional visibility, and tool mapping
  • Registered tools and block in respective monorepo registries
  • Added brand-compliant TodoistIcon in apps/sim/components/icons.tsx

Auth Flow Improvements

  • LoginPage and SignupPage now handle active session redirects
    directly in Next.js Server Components (cleaner than middleware layer)
  • CSP updated to allow unsafe-eval in dev mode (fixes HMR issues)
  • optimizeCss now only runs in production (faster local dev)
  • Fixed backslash → forward-slash path resolution in isolated-vm build
    scripts for Windows compatibility

Verification

Check | Status
bun run type-check | ✅ Passed (0 errors, 17 packages)
bun run test | ✅ Passed (7,643 tests)
bun run check:boundaries | ✅ Passed
bun run check:api-validation | ⚠️ Pre-existing (no new API routes added)
bun run check:utils | ⚠️ Pre-existing (no modified files affected)

Notes

  • No existing Todoist issue/PR exists in the repo — this is a net-new integration
  • Pre-existing CI failures (check:api-validation, check:utils) are present
    on the base branch (1ce8e9226) and are not caused by these changes

@vercel

vercel Bot commented Jun 8, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Jun 8, 2026 4:06pm

@cursor

cursor Bot commented Jun 8, 2026

PR Summary

Medium Risk
Login/signup redirect logic touches auth entry points (mitigated by existing validateCallbackUrl); Todoist block passes user API keys into external API calls as with other integrations.

Overview
Adds a Todoist workflow block (API-key auth) with eight operations—task CRUD/list/close, projects, and comments—wired through conditional sub-blocks and tool param mapping, plus registry registration and a TodoistIcon.

Login and signup pages now redirect in server components when a session exists (or auth is disabled), sending users to a validated callbackUrl or /workspace instead of showing the forms.

Dev-only CSP adds 'unsafe-eval' to script-src. Sandbox bundle build normalizes polyfill import paths on Windows and logs Bun build failures more verbosely.

Reviewed by Cursor Bugbot for commit 6cb9530. Bugbot is set up for automated code reviews on this repo. Configure here.

Comment thread apps/sim/blocks/blocks/todoist.ts
@greptile-apps
Contributor

greptile-apps Bot commented Jun 8, 2026

Greptile Summary

This PR adds a complete Todoist integration (8 tools covering task CRUD, project listing, and comments) plus a few infrastructure fixes: active-session redirects moved from the middleware layer into Server Components, unsafe-eval added to the CSP only in dev mode, optimizeCss disabled in dev, and Windows path normalisation in the sandbox build script.

  • Todoist integration (apps/sim/tools/todoist/, apps/sim/blocks/blocks/todoist.ts): eight new tools with correct user-only API-key visibility, proper encodeURIComponent on task IDs in URL paths, and shared mapping utilities for tasks, projects, and comments.
  • Auth redirect refactor (proxy.ts, login/page.tsx, signup/page.tsx): middleware redirect removed in favour of Server Component getSession() checks; the login page is correct, but the signup page performs the session check after the registration-disabled guard, so authenticated users who visit /signup while registration is off see the error page instead of being sent to /workspace.
  • Dev experience fixes (csp.ts, next.config.ts, build.ts): all scoped to non-production environments or tooling paths.

Confidence Score: 3/5

Safe to merge after fixing the signup-page guard ordering; the Todoist tools and infrastructure changes are solid.

The Todoist integration itself is well-structured and the auth changes on the login page are correct. However, moving the session redirect out of the middleware without matching the guard order in the signup page means authenticated users who visit /signup when registration is disabled will see an error message instead of being redirected — a concrete regression introduced by this PR.

apps/sim/app/(auth)/signup/page.tsx — session check must be reordered to run before the registration-disabled guard.

Important Files Changed

Filename | Overview
apps/sim/app/(auth)/signup/page.tsx | Adds session-redirect logic to the Server Component, but the guard fires after the registration-disabled check — authenticated users see the error page instead of being redirected when registration is off.
apps/sim/app/(auth)/login/page.tsx | Moves the active-session redirect from middleware into the Server Component; session check runs first before any other logic, correct ordering.
apps/sim/blocks/blocks/todoist.ts | New Todoist block with correct dropdown-driven conditional field visibility, proper params mapping, and user-only visibility for the API key.
apps/sim/tools/todoist/create_task.ts | New tool for creating Todoist tasks; correctly validates required params and maps API response, but lacks an idempotency key header for POST requests.
apps/sim/tools/todoist/update_task.ts | New tool for updating Todoist tasks; silently sends an empty body if no optional fields are provided, resulting in a no-op API call that reports success.
apps/sim/tools/todoist/utils.ts | Shared mappers for task, project, and comment API responses; correct field mapping with safe defaults.
apps/sim/tools/todoist/types.ts | Well-typed interfaces for all eight Todoist operations; union type covers all response shapes cleanly.
apps/sim/proxy.ts | Removes hasActiveSession redirect from middleware for login/signup paths, delegating that logic to the Server Components; intentional but shifts the burden to page components.
apps/sim/lib/core/security/csp.ts | Adds unsafe-eval to script-src only in dev mode to fix HMR; production CSP is unchanged.
apps/sim/lib/execution/sandbox/bundles/build.ts | Normalises backslashes to forward slashes in polyfill path for Windows compatibility and adds better error logging around Bun.build failures.

Sequence Diagram

sequenceDiagram
    participant User
    participant Middleware as proxy.ts (middleware)
    participant SC as Server Component
    participant TodoistAPI as Todoist REST API

    Note over User,Middleware: Auth redirect flow (login/signup)
    User->>Middleware: GET /login or /signup
    Middleware->>SC: next() (no session redirect)
    SC->>SC: getSession()
    alt has active session or auth disabled
        SC-->>User: redirect /workspace
    else no session
        SC-->>User: render login/signup form
    end

    Note over User,TodoistAPI: Todoist tool execution
    User->>SC: invoke Todoist block operation
    SC->>TodoistAPI: POST /tasks (create_task)
    TodoistAPI-->>SC: 200 + task JSON
    SC-->>User: mapped TodoistTask output

    SC->>TodoistAPI: POST /tasks/:id (update_task)
    TodoistAPI-->>SC: 200 + updated task
    SC-->>User: mapped TodoistTask output

    SC->>TodoistAPI: POST /tasks/:id/close (close_task)
    TodoistAPI-->>SC: 204 No Content
    SC-->>User: "{ success: true, taskId }"

    SC->>TodoistAPI: DELETE /tasks/:id (delete_task)
    TodoistAPI-->>SC: 204 No Content
    SC-->>User: "{ success: true, taskId }"

    SC->>TodoistAPI: POST /comments (add_comment)
    TodoistAPI-->>SC: 200 + comment JSON
    SC-->>User: mapped TodoistComment output

Comments Outside Diff (3)

  1. apps/sim/app/(auth)/signup/page.tsx, line 14-21 (link)

    P1 Authenticated-user redirect skipped when registration is disabled

    The isRegistrationDisabled guard fires before getSession() is called. When registration is disabled AND a user already has an active session, they land on the "Registration is disabled, please contact your admin" error page instead of being redirected to /workspace. Before this PR the middleware handled the redirect, so removing it from proxy.ts without adjusting the order here creates a regression for that specific case.

  2. apps/sim/tools/todoist/update_task.ts, line 1402-1410 (link)

    P2 Silent no-op when no update fields are supplied

    If a caller invokes todoist_update_task with only apiKey and taskId (all optional fields undefined), the built body will be {}. Todoist's REST API will happily return 200 with the unchanged task, so the caller gets a success response with zero mutations and no indication that nothing changed. A guard that throws when body is empty would surface misconfigured tool invocations early.

  3. apps/sim/tools/todoist/create_task.ts, line 472-489 (link)

    P2 No idempotency key on task-creation and comment-creation POST requests

    The Todoist REST API supports an X-Request-Id header (UUID per request) so that retried POST calls do not create duplicate tasks or comments. Without it, a transient network timeout that causes the framework to retry the request can silently create duplicate entries. The same applies to add_comment.ts. Adding a stable, per-call UUID header (crypto.randomUUID()) to the headers function would make these operations safe to retry.

Reviews (1): Last reviewed commit: "commit" | Re-trigger Greptile
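
The guard-ordering regression described in the P1 finding above, as an added example that is not code from the PR: the two orderings are modelled as pure functions so the difference can be asserted. All names are hypothetical, and `safeCallback` is a stand-in for the project's `validateCallbackUrl`, whose actual rules are not shown on this page.

```typescript
// Added illustration; every name here is hypothetical, not code from the PR.
type Action =
  | { kind: 'redirect'; to: string }
  | { kind: 'render'; view: 'signup-form' | 'registration-disabled' }

interface SignupContext {
  hasSession: boolean
  authDisabled: boolean
  registrationDisabled: boolean
  callbackUrl?: string
}

// Stand-in for validateCallbackUrl (assumption): accept only a same-site
// absolute path, otherwise fall back to /workspace.
function safeCallback(raw: string | undefined): string {
  const fallback = '/workspace'
  if (!raw || raw.charAt(0) !== '/') return fallback // absolute URLs, schemes
  if (raw.charAt(1) === '/' || raw.indexOf('\\') !== -1) return fallback // //host, /\host
  if (/[\x00-\x1f]/.test(raw)) return fallback // control characters
  return raw
}

// Order described in the review: registration guard runs first.
function resolveSignupAsReviewed(ctx: SignupContext): Action {
  if (ctx.registrationDisabled) return { kind: 'render', view: 'registration-disabled' }
  if (ctx.hasSession || ctx.authDisabled) return { kind: 'redirect', to: safeCallback(ctx.callbackUrl) }
  return { kind: 'render', view: 'signup-form' }
}

// Suggested order: session check first, matching the login page.
function resolveSignupFixed(ctx: SignupContext): Action {
  if (ctx.hasSession || ctx.authDisabled) return { kind: 'redirect', to: safeCallback(ctx.callbackUrl) }
  if (ctx.registrationDisabled) return { kind: 'render', view: 'registration-disabled' }
  return { kind: 'render', view: 'signup-form' }
}
```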

Comment thread apps/sim/blocks/blocks/todoist.ts Outdated
Comment thread apps/sim/app/(auth)/login/page.tsx Outdated
.split(',')
.map((l: string) => l.trim())
.filter((l: string) => l.length > 0)
: undefined
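
Review bot: the `.filter((l: string) => l.length > 0)` step can leave an empty array, because the `: undefined` branch is only reached when the ternary condition is false; an input such as "," would then pass `labels: []` on to the tool. Suggest collapsing an empty result to undefined, or stating in a comment that an empty array is intended.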

Labels param crashes on arrays

Medium Severity

tools.config.params builds labelsArray by calling .split(',') on params.labels whenever it is truthy. Wired workflow inputs or agent-provided values can be a string array, which causes a runtime TypeError and fails the block run.


Reviewed by Cursor Bugbot for commit 2e92c72. Configure here.
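
An added example, not code from the PR, that combines the labels finding above with the two P2 findings from the earlier Greptile review (empty update body, `X-Request-Id` on task creation). The function names and the `TaskParams` shape are hypothetical, and the request ID is assumed to be generated once per logical call by the caller so that a retry reuses it.

```typescript
// Added illustration; function and type names are hypothetical, not the PR's code.
interface TaskParams {
  taskId?: string
  content?: string
  description?: string
  priority?: number
  labels?: unknown // wired inputs may deliver "a,b" or ["a", "b"]
}

// Accept a comma-separated string or a string array; reject anything else.
function normalizeLabels(input: unknown): string[] | undefined {
  if (input === undefined || input === null) return undefined
  let parts: unknown[]
  if (typeof input === 'string') parts = input.split(',')
  else if (Array.isArray(input)) parts = input
  else throw new TypeError('labels must be a string or an array of strings')
  const labels: string[] = []
  for (let i = 0; i < parts.length; i++) {
    const part = parts[i]
    if (typeof part !== 'string') throw new TypeError('labels must contain only strings')
    if (part.trim().length > 0) labels.push(part.trim())
  }
  // Choice made for this example: no usable labels means "field not supplied".
  return labels.length > 0 ? labels : undefined
}

// requestId is created once per logical call by the caller (for instance with
// crypto.randomUUID(), as the review suggests) and reused if the call is retried.
function buildTaskRequest(op: 'create' | 'update', p: TaskParams, requestId: string) {
  const body: Record<string, unknown> = {}
  if (p.content !== undefined) body.content = p.content
  if (p.description !== undefined) body.description = p.description
  if (p.priority !== undefined) body.priority = p.priority
  const labels = normalizeLabels(p.labels)
  if (labels) body.labels = labels

  const headers: Record<string, string> = { 'Content-Type': 'application/json' }
  if (op === 'create') {
    if (typeof p.content !== 'string' || p.content.trim() === '') throw new Error('content is required')
    headers['X-Request-Id'] = requestId // per the review: lets a retried POST be deduplicated
    return { method: 'POST', path: '/tasks', headers, body }
  }
  if (!p.taskId) throw new Error('taskId is required')
  if (Object.keys(body).length === 0) throw new Error('no fields to update') // no silent no-op
  return { method: 'POST', path: '/tasks/' + encodeURIComponent(p.taskId), headers, body }
}
```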

…and fix Windows path normalization in api-validation script
@vercel

vercel Bot commented Jun 8, 2026

@iamshubham1704 is attempting to deploy a commit to the Sim Team on Vercel.

A member of the Team first needs to authorize it.


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).


❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 6a56fcf. Configure here.

Comment thread apps/sim/tools/todoist/list_tasks.ts