Skip to content

Devin/oauth developer settings 1764693294 #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
DhirenMhatre wants to merge 104 commits into
base: main
Choose a base branch
from
Open

Devin/oauth developer settings 1764693294 #4

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
104 commits
Select commit Hold shift + click to select a range
5dc87b3
feat: add OAuth client developer settings page with approval workflow
devin-ai-integration[bot] Dec 2, 2025
c6c68d4
fix: re-export generateSecret for backward compatibility
devin-ai-integration[bot] Dec 2, 2025
a3f1bc9
feat: make logo mandatory and list items clickable for OAuth clients
devin-ai-integration[bot] Dec 8, 2025
b1b39a2
fix: add missing translation keys and remove client secret from detai…
devin-ai-integration[bot] Dec 8, 2025
03c7d13
fix: address cubic AI reviewer comments
devin-ai-integration[bot] Dec 8, 2025
582cef5
fix: address PR review comments - fix indentation and use useCopy hook
devin-ai-integration[bot] Dec 8, 2025
c3e0b70
fix: change react-dom/server import to fix Turbopack compatibility
devin-ai-integration[bot] Dec 9, 2025
c29dbb3
Revert "fix: change react-dom/server import to fix Turbopack compatib…
devin-ai-integration[bot] Dec 9, 2025
c5f13a5
fix: use email service pattern for OAuth client notifications
devin-ai-integration[bot] Dec 9, 2025
fc9d47c
fix: add try-catch around email sending to handle Turbopack react-dom…
devin-ai-integration[bot] Dec 9, 2025
3804fe3
Revert "fix: add try-catch around email sending to handle Turbopack r…
devin-ai-integration[bot] Dec 9, 2025
05172df
fix: improve OAuth client UI with skeleton loaders and smaller dialog…
devin-ai-integration[bot] Dec 9, 2025
dfd5bc2
fix: improve skeleton loader to match actual OAuth client list structure
devin-ai-integration[bot] Dec 9, 2025
7500de8
fix skeleton
eunjae-lee Dec 9, 2025
a1d86ac
rename the selected oauth client dialog
eunjae-lee Dec 9, 2025
bc6f449
fix: address PR feedback - admin auth, dropdown styling, sidebar label
devin-ai-integration[bot] Dec 9, 2025
523db2f
update common.json
eunjae-lee Dec 9, 2025
661ffa7
feat: show client secret in approval email for confidential OAuth cli…
devin-ai-integration[bot] Dec 14, 2025
5b0b738
feat: add Website URL field, fix logo styling, show client secret aft…
devin-ai-integration[bot] Dec 22, 2025
a05ffea
fix: move clientSecret variable declaration outside if block for prop…
devin-ai-integration[bot] Dec 22, 2025
3fedda6
Merge branch 'main' into devin/oauth-developer-settings-1764693294
supalarry Jan 7, 2026
80dc2ed
refactor: dont expose client secret in emails
supalarry Jan 7, 2026
50daba7
Merge branch 'main' into devin/oauth-developer-settings-1764693294
supalarry Jan 8, 2026
098ebcc
refactor: dont regenerate secret upon status change
supalarry Jan 8, 2026
c0a7c5f
refactor: reuse existing hash function
supalarry Jan 8, 2026
c384a37
refactor: rename admin/oAuth to admin/oauth page
supalarry Jan 8, 2026
82274aa
Merge branch 'main' into devin/oauth-developer-settings-1764693294
supalarry Jan 8, 2026
93c2fd7
refactor: deduplicate oauth repositories
supalarry Jan 8, 2026
8415ef0
refactor: remove withGlobalPrisma from oauth repository
supalarry Jan 8, 2026
681f7a9
Merge branch 'main' into devin/oauth-developer-settings-1764693294
supalarry Jan 8, 2026
fa7458a
refactor: developer oauth page
supalarry Jan 8, 2026
d163a1d
refactor: oauth status by default accepted
supalarry Jan 8, 2026
cf5c4e3
refactor: request oauth status when creating
supalarry Jan 8, 2026
bb0af5b
refactor ux
supalarry Jan 9, 2026
74b8174
fix: address Cubic AI code review feedback
devin-ai-integration[bot] Jan 9, 2026
8652dbd
Merge branch 'main' into devin/oauth-developer-settings-1764693294
supalarry Jan 12, 2026
f6b3852
common.json file
supalarry Jan 12, 2026
daf04c4
refactor: delete all prisma migrations
supalarry Jan 12, 2026
8ee1ee5
refactor: have just 1 prisma migration
supalarry Jan 12, 2026
f4cdd32
revert: some devin changes
supalarry Jan 12, 2026
9b43e0a
fix: typecheck
supalarry Jan 12, 2026
db38f71
test: owner OAuth crud
supalarry Jan 12, 2026
a8d1688
test: admin OAuth approval / rejection
supalarry Jan 12, 2026
953e930
Merge branch 'main' into devin/oauth-developer-settings-1764693294
supalarry Jan 12, 2026
44dbc67
fix: address Cubic AI review feedback (confidence 9/10 issues)
devin-ai-integration[bot] Jan 12, 2026
fe44f1f
cubic changes
Jan 13, 2026
ddaa111
refactor: dont log sensitive info and rethrow error
supalarry Jan 13, 2026
91f1f1c
cubic feedback
supalarry Jan 13, 2026
60fd4db
refactor: make oauth client purpose optional
supalarry Jan 13, 2026
6691d50
refactor: admin/oauth not allowed if not logged in
supalarry Jan 13, 2026
1a7453e
refactor: admin view skeleton
supalarry Jan 13, 2026
2795286
refactor: rename state
supalarry Jan 13, 2026
32d61ba
refactor: get rid of redundant mapping
supalarry Jan 13, 2026
d8ba093
refactor: remove redundant handler
supalarry Jan 13, 2026
14d5d92
refactor: remove redundant handler
supalarry Jan 13, 2026
bc146ab
refactor: re-usable new oauth client button
supalarry Jan 13, 2026
e9e0018
refactor: dialogs
supalarry Jan 13, 2026
100e0a1
refactor: modals
supalarry Jan 14, 2026
44a0f67
refactor: handler names, dialog, skeleton
supalarry Jan 14, 2026
350799d
fix: purpose being null
supalarry Jan 14, 2026
44ce7bd
refactor: rename handler and delete old oauth admin page
supalarry Jan 14, 2026
bb0faa8
Merge branch 'main' into devin/oauth-developer-settings-1764693294
supalarry Jan 14, 2026
c958f96
fix: purpose in submission
supalarry Jan 14, 2026
54ec8b9
refactor: handler names
supalarry Jan 14, 2026
1c6f039
refactor: rename
supalarry Jan 14, 2026
b6ebb15
refactor: update handler
supalarry Jan 14, 2026
52dc384
refactor: rename approvalStatus -> status
supalarry Jan 14, 2026
47723a8
refactor: simplify modal
supalarry Jan 14, 2026
df18f3c
refactor: name
supalarry Jan 14, 2026
ec19534
dont require repproval if redirectUri changes
supalarry Jan 14, 2026
1aa80b4
Merge branch 'main' into devin/oauth-developer-settings-1764693294
supalarry Jan 14, 2026
9457c40
Merge branch 'main' into devin/oauth-developer-settings-1764693294
supalarry Jan 15, 2026
6cc78d4
fix: remove integration sync index creation
supalarry Jan 15, 2026
a5c38be
refactor: require re-approval if redirectUri updated
supalarry Jan 15, 2026
154eee1
fix: flaky e2e test
supalarry Jan 15, 2026
83eccde
fix: flaky e2e test
supalarry Jan 15, 2026
b2888f4
fix: flaky e2e test
supalarry Jan 16, 2026
0b03d23
Merge branch 'main' into devin/oauth-developer-settings-1764693294
supalarry Jan 16, 2026
ce0fb75
fix: remove duplicate common.json keys
supalarry Jan 16, 2026
4a80d67
refactor: replace team@cal.com with SUPPORT_MAIL_ADDRESS
supalarry Jan 16, 2026
1e5854b
refactor: generate client secret on handler level
supalarry Jan 16, 2026
e8b809d
fix: authorization code only available to approved clients
supalarry Jan 16, 2026
d13e24a
Merge branch 'main' into devin/oauth-developer-settings-1764693294
supalarry Jan 19, 2026
f3278bb
refactor: cubic review dont display exclamation
supalarry Jan 19, 2026
0672df6
refactor: cubic review website_url in common json
supalarry Jan 19, 2026
166f2f3
fix: dont default in ui to approved status
supalarry Jan 19, 2026
e7324fd
refactor: optiona logo in schema create handler
supalarry Jan 19, 2026
34e5a52
fix: tests
supalarry Jan 19, 2026
f2da0c1
fix: tests
supalarry Jan 19, 2026
78bc8c5
fix: /authorize redirect if client not approved or show error
supalarry Jan 19, 2026
ccd11a8
Merge branch 'main' into devin/oauth-developer-settings-1764693294
supalarry Jan 19, 2026
102e5fe
test: authorize page with invalid client id
supalarry Jan 20, 2026
6d527b5
refactor: dont allow refreshing tokens unless approved client
supalarry Jan 20, 2026
80b02a5
fix: flaky e2e test
supalarry Jan 20, 2026
6bcdbd8
fix: flaky e2e test
supalarry Jan 20, 2026
6c6964c
fix: flaky e2e test
supalarry Jan 20, 2026
56939be
fix: flaky e2e test
supalarry Jan 20, 2026
8434fe8
fix: flaky e2e test
supalarry Jan 20, 2026
acecda3
fix: flaky e2e test
supalarry Jan 20, 2026
bcbd1e7
chore: warn that pending client is not usable
supalarry Jan 20, 2026
c761156
fix: approve and reject buttons
supalarry Jan 20, 2026
e22eeae
fix: /authorize show error if client not approved
supalarry Jan 20, 2026
c1e8b2e
refactor: info message about editing oauth client and status
supalarry Jan 20, 2026
285ec1d
Merge branch 'main' into devin/oauth-developer-settings-1764693294
supalarry Jan 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 20 additions & 14 deletions apps/web/app/(use-page-wrapper)/settings/(admin-layout)/admin/oAuth/page.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,25 +1,31 @@
import { _generateMetadata, getTranslate } from "app/_utils";
import { cookies, headers } from "next/headers";
import { redirect } from "next/navigation";

import SettingsHeader from "@calcom/features/settings/appDir/SettingsHeader";
import { getServerSession } from "@calcom/features/auth/lib/getServerSession";

import LegacyPage from "~/settings/admin/oauth-view";
import { buildLegacyRequest } from "@lib/buildLegacyCtx";

import OAuthClientsAdminView from "~/settings/admin/oauth-clients-admin-view";

const Page = async () => {
const session = await getServerSession({ req: buildLegacyRequest(await headers(), await cookies()) });
await getTranslate();

if (!session) {
redirect("/auth/login?callbackUrl=/settings/admin/oauth");
}

return <OAuthClientsAdminView />;
};

export const generateMetadata = async () =>
await _generateMetadata(
(t) => t("oAuth"),
(t) => t("admin_oAuth_description"),
(t) => t("oauth_clients_admin"),
(t) => t("oauth_clients_admin_description"),
undefined,
undefined,
"/settings/admin/oAuth"
"/settings/admin/oauth"
);

const Page = async () => {
const t = await getTranslate();
return (
<SettingsHeader title={t("oAuth")} description={t("admin_oAuth_description")}>
<LegacyPage />
</SettingsHeader>
);
};

export default Page;
29 changes: 20 additions & 9 deletions apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -147,6 +147,11 @@ const getTabs = (orgBranding: OrganizationBranding | null) => {
href: "/settings/developer/api-keys",
trackingMetadata: { section: "developer", page: "api_keys" },
},
{
name: "oAuth",
href: "/settings/developer/oauth",
trackingMetadata: { section: "developer", page: "oauth_clients" }
},
{
name: "admin_api",
href: "/settings/organizations/admin-api",
Expand Down Expand Up @@ -281,7 +286,7 @@ const getTabs = (orgBranding: OrganizationBranding | null) => {
},
{
name: "oAuth",
href: "/settings/admin/oAuth",
href: "/settings/admin/oauth",
trackingMetadata: { section: "admin", page: "oauth" },
},
{
Expand All @@ -298,7 +303,7 @@ const getTabs = (orgBranding: OrganizationBranding | null) => {
},
];

tabs.find((tab) => {
for (const tab of tabs) {
if (tab.name === "security" && !HOSTED_CAL_FEATURES) {
tab.children?.push({
name: "sso_configuration",
Expand All @@ -308,21 +313,21 @@ const getTabs = (orgBranding: OrganizationBranding | null) => {
// TODO: Enable dsync for self hosters
// tab.children?.push({ name: "directory_sync", href: "/settings/security/dsync" });
}

if (tab.name === "admin" && IS_CALCOM) {
tab.children?.push({
name: "create_org",
href: "/settings/organizations/new",
trackingMetadata: { section: "admin", page: "create_org" },
});
}
if (tab.name === "admin" && IS_CALCOM) {

tab.children?.push({
name: "create_license_key",
href: "/settings/license-key/new",
trackingMetadata: { section: "admin", page: "create_license_key" },
});
}
});
}

return tabs;
};
Expand All @@ -338,7 +343,7 @@ const organizationAdminKeys = [
"delegation_credential",
];

export interface SettingsPermissions {
interface SettingsPermissions {
canViewRoles?: boolean;
canViewOrganizationBilling?: boolean;
canUpdateOrganization?: boolean;
Expand Down Expand Up @@ -554,7 +559,7 @@ const TeamListCollapsible = ({ teamFeatures }: { teamFeatures?: Record<number, T
if (!teamMenuState[index]) {
return null;
}
if (teamMenuState.some((teamState) => teamState.teamId === team.id))
if (teamMenuState.some((teamState) => teamState.teamId === team.id)) {
return (
<Collapsible
className="cursor-pointer"
Expand Down Expand Up @@ -697,6 +702,9 @@ const TeamListCollapsible = ({ teamFeatures }: { teamFeatures?: Record<number, T
</CollapsibleContent>
</Collapsible>
);
}

return null;
})}
</>
);
Expand Down Expand Up @@ -1037,14 +1045,14 @@ const MobileSettingsContainer = (props: { onSideContainerOpen?: () => void }) =>
);
};

export type SettingsLayoutProps = {
type SettingsLayoutProps = {
children: React.ReactNode;
containerClassName?: string;
teamFeatures?: Record<number, TeamFeatures>;
permissions?: SettingsPermissions;
} & ComponentProps<typeof Shell>;

export default function SettingsLayoutAppDirClient({
function SettingsLayoutAppDirClient({
children,
teamFeatures,
permissions,
Expand Down Expand Up @@ -1133,3 +1141,6 @@ const SidebarContainerElement = ({
</>
);
};

export type { SettingsLayoutProps, SettingsPermissions };
export default SettingsLayoutAppDirClient;
33 changes: 33 additions & 0 deletions apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/oauth/page.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
import { _generateMetadata, getTranslate } from "app/_utils";
import { cookies, headers } from "next/headers";
import { redirect } from "next/navigation";

import { getServerSession } from "@calcom/features/auth/lib/getServerSession";

import { buildLegacyRequest } from "@lib/buildLegacyCtx";

import OAuthClientsView from "~/settings/developer/oauth-clients-view";

export const generateMetadata = async () =>
await _generateMetadata(
(t) => t("oauth_clients"),
(t) => t("oauth_clients_description"),
undefined,
undefined,
"/settings/developer/oauth"
);

const Page = async () => {
const session = await getServerSession({ req: buildLegacyRequest(await headers(), await cookies()) });
const t = await getTranslate();

if (!session) {
redirect("/auth/login?callbackUrl=/settings/developer/oauth");
}

return (
<OAuthClientsView />
);
};

export default Page;
4 changes: 4 additions & 0 deletions apps/web/app/api/auth/oauth/token/__tests__/route.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,7 @@ describe("POST /api/auth/oauth/token", () => {
redirectUri: "https://app.example.com/callback",
clientSecret: null,
clientType: "PUBLIC" as const,
status: "APPROVED" as const,
} as const;

const mockAccessCode = {
Expand Down Expand Up @@ -279,6 +280,7 @@ describe("POST /api/auth/oauth/token", () => {
redirectUri: "https://app.example.com/callback",
clientSecret: "hashed_secret",
clientType: "CONFIDENTIAL" as const,
status: "APPROVED" as const,
} as const;

const mockAccessCode = {
Expand Down Expand Up @@ -494,6 +496,7 @@ describe("POST /api/auth/oauth/token", () => {
redirectUri: "https://app.example.com/callback",
clientSecret: null,
clientType: "PUBLIC" as const,
status: "APPROVED" as const,
} as Awaited<ReturnType<typeof prismaMock.oAuthClient.findUnique>>);

const tokenRequest = createTokenRequest({
Expand All @@ -517,6 +520,7 @@ describe("POST /api/auth/oauth/token", () => {
redirectUri: "https://app.example.com/callback",
clientSecret: null,
clientType: "PUBLIC" as const,
status: "APPROVED" as const,
} as Awaited<ReturnType<typeof prismaMock.oAuthClient.findUnique>>);
prismaMock.accessCode.findFirst.mockResolvedValue(null);

Expand Down
98 changes: 71 additions & 27 deletions apps/web/modules/auth/oauth2/authorize-view.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,14 +14,15 @@ import { Button } from "@calcom/ui/components/button";
import { Select } from "@calcom/ui/components/form";
import { Icon } from "@calcom/ui/components/icon";

export default function Authorize() {
export function Authorize() {
const { t } = useLocale();
const { status } = useSession();

const router = useRouter();
const searchParams = useCompatSearchParams();

const client_id = (searchParams?.get("client_id") as string) || "";
const redirect_uri = searchParams?.get("redirect_uri") as string;
const state = searchParams?.get("state") as string;
const scope = searchParams?.get("scope") as string;
const code_challenge = searchParams?.get("code_challenge") as string;
Expand All @@ -32,12 +33,17 @@ export default function Authorize() {
const [selectedAccount, setSelectedAccount] = useState<{ value: string; label: string } | null>();
const scopes = scope ? scope.toString().split(",") : [];

const { data: client, isPending: isPendingGetClient } = trpc.viewer.oAuth.getClient.useQuery(
const {
data: client,
error: getClientError,
isPending: isPendingGetClient,
} = trpc.viewer.oAuth.getClientForAuthorization.useQuery(
{
clientId: client_id as string,
redirectUri: redirect_uri,
},
{
enabled: status !== "loading",
enabled: status === "authenticated" && !!redirect_uri,
Comment on lines +40 to +46

@codity-dm codity-dm Bot May 23, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Robustness Medium

The client lookup now requires redirect_uri and bails out unless it is present (enabled: status === "authenticated" && !!redirect_uri), but the later success/error redirects still assume client.redirectUri exists and build a URL from it. If redirect_uri is missing or malformed in the incoming authorize request, the page no longer loads the client and the user is left on a blank screen instead of being redirected or shown a clear error. For example, an authorize link without redirect_uri now never reaches the OAuth client fetch that used to run.

Suggested fix 
      {
        clientId: client_id as string,
        redirectUri: redirect_uri,
      },
      {
        enabled: status === "authenticated",
      }
Prompt for AI assistance

Copy the prompt below and paste it into ChatGPT, Claude, or any LLM:

You are an expert bash developer with deep knowledge of security, performance, and best practices.

### Context

File: apps/web/modules/auth/oauth2/authorize-view.tsx
Lines: 40-46
Issue Type: robustness-medium
Severity: medium

Issue Description:
The client lookup now requires `redirect_uri` and bails out unless it is present (`enabled: status === "authenticated" && !!redirect_uri`), but the later success/error redirects still assume `client.redirectUri` exists and build a URL from it. If `redirect_uri` is missing or malformed in the incoming authorize request, the page no longer loads the client and the user is left on a blank screen instead of being redirected or shown a clear error. For example, an authorize link without `redirect_uri` now never reaches the OAuth client fetch that used to run.

Current Code:
      {
        clientId: client_id as string,
        redirectUri: redirect_uri,
      },
      {
        enabled: status === "authenticated" && !!redirect_uri,
      }

---

### Instructions

1. Fix the issue described above
2. Maintain the exact indentation and code style from the original
3. Follow bash best practices and language-specific idioms
4. Ensure the fix addresses the root cause, not just the symptoms
5. Add brief inline comments explaining the fix if needed

### Constraints

- Do not change functionality beyond fixing the identified issue
- Preserve existing variable names and function signatures unless they are part of the problem
- Ensure the fix is production-ready

---

Like Dislike Create Issue Jira

}
);

Expand All @@ -50,29 +56,12 @@ export default function Authorize() {
data.redirectUrl ?? `${client?.redirectUri}?code=${data.authorizationCode}&state=${state}`;
},
onError: (error) => {
let oauthError = "server_error";
if (error.data?.code === "BAD_REQUEST") {
oauthError = "invalid_request";
} else if (error.data?.code === "UNAUTHORIZED") {
oauthError = "unauthorized_client";
}

const errorParams = new URLSearchParams({
error: oauthError,
});

if (error.message) {
errorParams.append("error_description", error.message);
}

if (state) {
errorParams.append("state", state);
}

if (client?.redirectUri) {
window.location.href = `${client.redirectUri}${
client.redirectUri.includes("?") ? "&" : "?"
}${errorParams.toString()}`;
redirectToOAuthError({
redirectUri: client.redirectUri,
trpcError: error,
state,
});
}
},
});
Expand Down Expand Up @@ -120,9 +109,11 @@ export default function Authorize() {
}
}, [status]);

const isPending = isPendingGetClient || isPendingProfiles || status !== "authenticated";
if (getClientError) {
return <div>{getClientError.message}</div>;
}

if (isPending) {
if (isPendingGetClient || isPendingProfiles || status !== "authenticated") {
return <></>;
}

Expand Down Expand Up @@ -248,3 +239,56 @@ export default function Authorize() {
</div>
);
}

function mapTrpcCodeToOAuthError(code: string | undefined) {
if (code === "BAD_REQUEST") return "invalid_request";
if (code === "UNAUTHORIZED") return "unauthorized_client";
return "server_error";
}

function buildOAuthErrorRedirectUrl({
redirectUri,
error,
errorDescription,
state,
}: {
redirectUri: string;
error: string;
errorDescription?: string;
state?: string;
}) {
const errorParams = new URLSearchParams({
error,
});

if (errorDescription) {
errorParams.append("error_description", errorDescription);
}

if (state) {
errorParams.append("state", state);
}

return `${redirectUri}${redirectUri.includes("?") ? "&" : "?"}${errorParams.toString()}`;
}

function redirectToOAuthError({
redirectUri,
trpcError,
state,
}: {
redirectUri: string;
trpcError: { data?: { code?: string } | null; message: string };
state?: string;
}) {
const redirectUrl = buildOAuthErrorRedirectUrl({
redirectUri,
error: mapTrpcCodeToOAuthError(trpcError.data?.code),
errorDescription: trpcError.message,
state,
});

window.location.href = redirectUrl;
}

export default Authorize;
Loading