Skip to content

Fix FLOWISE 566 OAuth2#6276

Open
yau-wd wants to merge 5 commits intomainfrom
fix/flowise-566-oauth2
Open

Fix FLOWISE 566 OAuth2#6276
yau-wd wants to merge 5 commits intomainfrom
fix/flowise-566-oauth2

Conversation

@yau-wd
Copy link
Copy Markdown
Contributor

@yau-wd yau-wd commented Apr 23, 2026
edited
Loading

FLOWISE-566
FLOWISE-341
FLOWISE-524

@yau-wd yau-wd self-assigned this Apr 23, 2026
@yau-wd yau-wd added the bug Something isn't working label Apr 23, 2026
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces security enhancements for OAuth2 authentication flows, including domain validation for authorization and token endpoints and sanitization of token response fields. It adds new configuration options via environment variables to control these security checks and whitelist specific domains. The feedback highlights the need for explicit error handling when using the secureAxiosRequest utility, as it does not throw on non-2xx status codes, and suggests adding type safety to the token field extraction logic to handle non-JSON responses gracefully.

Comment thread packages/server/src/routes/oauth2/index.ts
Comment thread packages/server/src/routes/oauth2/index.ts
Comment thread packages/server/src/utils/oauth2Security.ts
HenryHengZJ
HenryHengZJ reviewed Apr 28, 2026
View reviewed changes
Comment thread packages/server/src/routes/oauth2/index.ts
credentialId: credential.id,
tokenInfo: {
...tokenData,
token_type: tokenData.token_type,
Copy link
Copy Markdown
Contributor

@HenryHengZJ HenryHengZJ Apr 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are we sure we just need token_type ? how bout other data inside tokenData ? the tokenData should be clean now with the new function extractOAuth2TokenFields right? why not pass in ...tokenData

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@HenryHengZJ HenryHengZJ HenryHengZJ approved these changes

@igor-magun-wd igor-magun-wd igor-magun-wd approved these changes

@0xi4o 0xi4o Awaiting requested review from 0xi4o

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@yau-wd yau-wd

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@yau-wd @HenryHengZJ @igor-magun-wd