v0.3.25: oauth credentials sharing mechanism, workflow block error handling changes, subflow fixes, multipart uploads#964
Conversation
Co-authored-by: Adam Gough <adamgough@Adams-MacBook-Pro.local>
* improvement(oauth): credential UX while sharing workflows * fix tests * address greptile comments * fix linear, jira, folder selectors * fix routes * fix linear * jira fix attempt * jira fix attempt * jira fixes * fix * fix * fix jira * fix selector disable behaviour * minor fixes * clear selectors correctly * fix project selector jira * fix gdrive * fix labels dropdown * fix webhook realtime collab * fix * fix webhooks persistence * fix folders route * fix lint * test webhook intermittent error * fix * fix display
* File upload retries + multipart uploads * Lint * FIle uploads * File uploads 2 * Lint * Fix file uploads * Add auth to file upload routes * Lint
…nd status schemas to match parallel/loop (#956)
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
1 Skipped Deployment
|
There was a problem hiding this comment.
Greptile Summary
This PR implements a comprehensive OAuth credentials sharing mechanism for collaborative workflows, addressing a critical issue where credential auto-selection was overwriting collaborator configurations and causing deselection of dependent subblocks. The solution introduces a distinction between 'owner credentials' and 'foreign credentials', allowing workflows to execute using the original creator's OAuth tokens while being accessed by other users within the same workspace.
The credential sharing system works by:
- Adding
workflowIdparameters to API calls for proper authorization context - Implementing database-level credential owner resolution instead of relying solely on session users
- Modifying UI components to display 'Saved by collaborator' for foreign credentials while hiding sensitive owner information
- Removing problematic auto-selection logic that was interfering with shared credential configurations
- Adding automatic clearing of dependent fields when credentials change to prevent stale data
Additionally, the PR includes significant upload system improvements with multipart upload support for large files (>50MB), concurrent batch processing (5 files at a time), exponential backoff retry logic (up to 3 attempts), and comprehensive progress tracking. A new /api/files/multipart endpoint handles S3 multipart uploads with proper authentication.
Other notable improvements include fixing workflow change detection for parallel execution blocks, adding proper authentication to file upload endpoints, implementing a Microsoft brand verification file, simplifying API request handling to avoid stringification issues, and reverting error bubbling behavior in workflow blocks to return structured error objects instead of throwing exceptions.
The Helm chart now supports external database configurations through a new secret template, and various API routes have been updated to support the credential sharing mechanism while maintaining security through workspace permission checks.
Confidence score: 4/5
- This PR introduces complex authentication and authorization changes that require careful review due to security implications around cross-user credential access
- Score reflects the comprehensive nature of changes affecting critical authentication flows, though the implementation follows established patterns and includes proper permission checks
- Pay close attention to OAuth credential sharing logic in API routes, multipart upload implementation, and workflow error handling changes
49 files reviewed, 18 comments
| if (uploadType === 'copilot') { | ||
| if (!userId?.trim()) { | ||
| throw new ValidationError('userId is required for copilot uploads') | ||
| if (!sessionUserId?.trim()) { |
There was a problem hiding this comment.
logic: The sessionUserId?.trim() check is redundant since session.user.id is already validated to exist on line 59. The trim() check suggests expecting a string that could be empty, but the session validation ensures it's present.
| if (!sessionUserId?.trim()) { | |
| if (!sessionUserId) { |
| // Allow collaborator read when workflowId present; otherwise require ownership | ||
| const ownerUserId = credential.userId | ||
| const requesterUserId = session.user.id | ||
| if (ownerUserId !== requesterUserId && !workflowId) { |
There was a problem hiding this comment.
logic: Security concern: This bypasses credential ownership when workflowId is present, but there's no verification that the workflow actually uses this specific credential or that the requester has proper workflow permissions.
| headers, | ||
| }, | ||
| error: response.ok ? undefined : `HTTP error ${response.status}: ${response.statusText}`, | ||
| error: undefined, // Errors are handled upstream in executeTool |
There was a problem hiding this comment.
logic: Setting error to undefined means failed HTTP requests (4xx, 5xx) won't be reported as errors. Verify upstream error handling captures HTTP failures properly.
| const data = await (contentType.includes('application/json') | ||
| ? response.json() | ||
| : response.text()) |
There was a problem hiding this comment.
logic: Response.json() and Response.text() can only be called once. If upstream code also tries to read the response body, this will throw an error.
| ) : selectedProjectId ? ( | ||
| <div className='flex items-center gap-2 overflow-hidden'> | ||
| <JiraIcon className='h-4 w-4' /> | ||
| <span className='truncate font-normal'>{selectedProjectId}</span> | ||
| </div> | ||
| ) : ( |
There was a problem hiding this comment.
style: displays raw project ID when metadata unavailable - consider adding loading indicator or 'Unknown project' text for better UX
| prevCredRef.current = cred | ||
| const keys = Object.keys(current) | ||
| const dependentKeys = keys.filter((k) => k !== 'credential') | ||
| dependentKeys.forEach((k) => collaborativeSetSubblockValue(id, k, '')) |
There was a problem hiding this comment.
logic: Setting empty strings may not be appropriate for all field types. Some fields might expect null, undefined, or default values instead of empty strings.
v0.3.25: oauth credentials sharing mechanism, workflow block error handling changes
Summary
Checklist