fix(oauth): move client secrets from URL query params to POST body #346
Open
Arjxm wants to merge 1 commit into withoneai:main from
7c4f0bb to 688a151
Zoho and Jira OAuth implementations were passing client_secret in URL query parameters, which exposes credentials in:
- Server access logs
- Proxy/CDN logs
- Browser history
- Referer headers

Changes:
- zoho/init.ts, zoho/refresh.ts: Use form-urlencoded POST body
- jira/init.ts, jira/refresh.ts: Use JSON POST body (per Atlassian docs)
- package.json: Add qs and @types/qs as explicit dependencies

Verified against official API documentation:
- Zoho: https://www.zoho.com/crm/developer/docs/api/v6/access-refresh.html
- Jira: https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/
688a151 to ab940e6
This pull request updates the OAuth flows for Jira and Zoho integrations to use form-encoded POST requests instead of query parameters, improving standards compliance and security. It also introduces the qs library for request serialization and updates dependencies accordingly.

Dependency updates:
- Added qs and its type definitions to core/oauth/package.json for request body serialization.

Jira integration improvements:
- Updated core/oauth/src/connections/jira/init.ts to use a form-encoded POST request for token exchange, replacing the previous use of query parameters.
- Updated core/oauth/src/connections/jira/refresh.ts to use a form-encoded POST request for token refresh.

Zoho integration improvements:
- Updated core/oauth/src/connections/zoho/init.ts to use a form-encoded POST request for token exchange, replacing the previous use of query parameters.
- Updated core/oauth/src/connections/zoho/refresh.ts to use a form-encoded POST request for token refresh.
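The fix the PR description and summary describe, as an added TypeScript example that is not the project's code: the same authorization-code token exchange built the insecure way (secret in the query string) and in the two body styles the description names, plus a guard a test suite can run to catch a regression. The endpoint URL, field names, credential values and function names are constructed placeholders, not taken from the repository.

```typescript
// Added example (not the project's code): the same OAuth token exchange built
// the insecure way and the two ways the PR description names. Endpoint URLs,
// field names and credential values below are constructed placeholders.
type TokenRequest = { url: string; method: "POST"; headers: Record<string, string>; body: string };
type CodeGrant = { clientId: string; clientSecret: string; code: string; redirectUri: string };

const grantFields = (g: CodeGrant): Record<string, string> => ({
  grant_type: "authorization_code",
  client_id: g.clientId,
  client_secret: g.clientSecret,
  code: g.code,
  redirect_uri: g.redirectUri,
});

// Before: every field, secret included, rides in the query string, so it lands
// in access logs, proxy/CDN logs, browser history and Referer headers.
function buildTokenRequestInsecure(tokenUrl: string, g: CodeGrant): TokenRequest {
  const u = new URL(tokenUrl);
  const fields = grantFields(g);
  for (const k in fields) u.searchParams.set(k, fields[k]);
  return { url: u.toString(), method: "POST", headers: {}, body: "" };
}

// After, form-urlencoded body (what the description says the Zoho files now do).
function buildTokenRequestForm(tokenUrl: string, g: CodeGrant): TokenRequest {
  const body = new URLSearchParams(grantFields(g)).toString();
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  return { url: tokenUrl, method: "POST", headers, body };
}

// After, JSON body (what the description says the Jira files now do).
function buildTokenRequestJson(tokenUrl: string, g: CodeGrant): TokenRequest {
  const body = JSON.stringify(grantFields(g));
  return { url: tokenUrl, method: "POST", headers: { "Content-Type": "application/json" }, body };
}

// Regression guard for a unit test or a pre-send hook: true if a client_secret
// parameter is present at all, or if any secret value appears anywhere in the
// URL (query values, userinfo, fragment). Decoded values are compared, so
// percent-encoding does not hide a match.
function urlLeaksSecret(req: TokenRequest, secrets: string[]): boolean {
  const u = new URL(req.url);
  if (u.searchParams.has("client_secret")) return true;
  const exposed: string[] = [u.username, u.password, u.hash];
  u.searchParams.forEach((v) => exposed.push(v));
  return exposed.some((v) => secrets.some((s) => s.length > 0 && v.indexOf(s) >= 0));
}
```

The guard is cheap enough to run against every outbound token request in tests, which is how a reintroduction of the query-parameter form gets caught before it reaches a log.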