The frontend hook posted `userId: ''` with a comment that the API would fill it in from the auth context, but the controller was reading userId straight from the request body, so every IntegrationOAuthState row was written with an empty userId. This was harmless until #2712 added a defense-in-depth session check on the OAuth callback that compares `session.user.id` to `oauthState.userId`. Because the stored value was always empty, every OAuth flow (GitHub, GCP, AWS, Rippling, etc.) now redirects with `error=session_mismatch` and "OAuth flow can only be completed by the user who initiated it." The spec did not catch this because the callback tests mocked `oauthState` directly with a non-empty userId rather than exercising start -> callback end-to-end. Resolve userId via the @userid() decorator instead of trusting the request body, drop it from StartOAuthDto, and stop sending it from the client. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Address cubic-dev-ai review feedback. With HybridAuthGuard alone, an API-key or service-token caller would reach the @userid() decorator, which throws a plain Error (turning into a generic 500) when no session user is present. Add SessionOnlyGuard between HybridAuthGuard and PermissionGuard so non-session auth is rejected with a clean 403 and a clear message. The OAuth callback already requires a real session (see checkSessionMatchesState), so non-session callers could never have completed the flow anyway — this just moves the rejection upfront. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fix(integrations): source OAuth initiator userId from auth context
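The failure the two commits describe, modelled end to end as an added example (this is not the project's code): a buggy start handler that copies `userId` from the request body, a fixed one that resolves it from the auth context behind a session-only guard, and a callback that performs the defense-in-depth session check. `AuthContext`, `startOAuthBuggy`, `startOAuthFixed`, `sessionOnlyGuard`, `oauthStateStore` and `runFlow` are names assumed for this illustration; the in-memory map stands in for the IntegrationOAuthState table.

```typescript
// Added example, not the project's code. Framework-agnostic model of the
// OAuth start -> callback flow; all names below are assumptions.

type AuthKind = "session" | "api_key" | "service_token";

interface AuthContext {
  kind: AuthKind;
  sessionUserId?: string; // present only for session auth
}

interface StartOAuthBody {
  provider: string;
  userId?: string; // the old DTO field; the client posted ''
}

interface OAuthState {
  state: string;
  provider: string;
  userId: string;
}

class HttpError extends Error {
  constructor(public readonly status: number, message: string) {
    super(message);
  }
}

// In-memory stand-in for the IntegrationOAuthState table (assumption).
const oauthStateStore = new Map<string, OAuthState>();
let stateCounter = 0;

function newState(): string {
  stateCounter += 1;
  return `state-${stateCounter}`;
}

// Before the fix: the controller trusts userId from the request body, so
// every stored row gets the empty string the client sends.
function startOAuthBuggy(body: StartOAuthBody, _auth: AuthContext): string {
  const state = newState();
  oauthStateStore.set(state, { state, provider: body.provider, userId: body.userId ?? "" });
  return state;
}

// Guard placed before the user-id resolver: non-session callers get a clean
// 403 instead of a plain Error that would surface as a generic 500.
function sessionOnlyGuard(auth: AuthContext): void {
  if (auth.kind !== "session" || !auth.sessionUserId) {
    throw new HttpError(403, "This endpoint requires a user session");
  }
}

// Stand-in for a @UserId()-style decorator: reads the initiator from context.
function currentUserId(auth: AuthContext): string {
  if (!auth.sessionUserId) {
    throw new Error("No session user present");
  }
  return auth.sessionUserId;
}

// After the fix: userId is dropped from the DTO and taken from auth context.
function startOAuthFixed(body: { provider: string }, auth: AuthContext): string {
  sessionOnlyGuard(auth);
  const state = newState();
  oauthStateStore.set(state, { state, provider: body.provider, userId: currentUserId(auth) });
  return state;
}

// Callback check: the completing session must belong to the initiator.
function oauthCallback(state: string, auth: AuthContext): string {
  const stored = oauthStateStore.get(state);
  if (!stored) return "error=invalid_state";
  if (auth.kind !== "session" || auth.sessionUserId !== stored.userId) {
    return "error=session_mismatch";
  }
  return `connected=${stored.provider}`;
}

// Exercise start -> callback as one flow, which is what the original spec
// skipped by mocking oauthState with a non-empty userId.
function runFlow(
  start: (b: StartOAuthBody, a: AuthContext) => string,
  auth: AuthContext,
): string {
  const state = start({ provider: "github", userId: "" }, auth);
  return oauthCallback(state, auth);
}
```

Run `runFlow(startOAuthBuggy, session)` and it returns `error=session_mismatch` even though the same user starts and completes the flow; the fixed handler returns `connected=github`, and an API-key caller is stopped at the guard with a 403 before any state row is written.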
🎉 This PR is included in version 3.39.1 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.