feat(credentials): client-credentials service accounts — Zoom, Box, Salesforce + Pipedrive API tokens#5690
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
@greptile-apps review |
|
@cursor review |
️✅ There are no secrets present in this pull request anymore.If these secrets were true positive and are still valid, we highly recommend you to revoke them. 🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request. |
PR SummaryMedium Risk Overview Salesforce mints against SSRF-allowlisted My Domain hosts and returns Adds setup guides for Box, Pipedrive API tokens, Salesforce integration users, and Zoom server-to-server apps, and regroups integrations nav under Service Accounts & API Keys. Zoom block copy clarifies that Reviewed by Cursor Bugbot for commit 183f3db. Configure here. |
Greptile SummaryThis PR adds service-account credentials for several integrations and expands API-token support. The main changes are:
Confidence Score: 5/5This looks safe to merge.
Important Files Changed
Reviews (16): Last reviewed commit: "feat(credentials): client-credentials se..." | Re-trigger Greptile |
Greptile SummaryThis PR adds service-account authentication for several integrations. The main changes are:
Confidence Score: 4/5The client-credential creation path needs a fix before merging.
apps/sim/app/api/credentials/route.ts Important Files Changed
Sequence Diagram%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
participant UI as Service-account modal
participant API as POST /api/credentials
participant Builder as Secret builder
participant Provider as Zoom, Box, or Salesforce
participant DB as Credential store
UI->>API: providerId, clientId, clientSecret, orgId
API->>Builder: providerId without client credentials
Builder-->>API: Missing required field error
Note over Provider,DB: Verification and storage are not reached
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
participant UI as Service-account modal
participant API as POST /api/credentials
participant Builder as Secret builder
participant Provider as Zoom, Box, or Salesforce
participant DB as Credential store
UI->>API: providerId, clientId, clientSecret, orgId
API->>Builder: providerId without client credentials
Builder-->>API: Missing required field error
Note over Provider,DB: Verification and storage are not reached
Reviews (2): Last reviewed commit: "fix(credentials): Group B verification r..." | Re-trigger Greptile |
|
@greptile-apps review |
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 0d959f4. Configure here.
|
@greptile-apps review |
|
@greptile-apps review |
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit f9e356a. Configure here.
|
@greptile-apps review |
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 23a85f4. Configure here.
|
@greptile-apps review |
|
@cursor review |
|
@greptile-apps review |
|
@cursor review |
35f2a4c to
19ca423
Compare
|
@greptile-apps review |
|
@cursor review |
19ca423 to
a7c8890
Compare
|
@greptile-apps review |
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit a7c8890. Configure here.
|
@greptile-apps review |
a7c8890 to
7055d14
Compare
|
@cursor review |
7055d14 to
79dfed4
Compare
|
@greptile-apps review |
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 79dfed4. Configure here.
…alesforce + Pipedrive API tokens Second service-account kind (follow-up to #5682): client-credential pairs (client ID + secret + org identifier) that mint short-lived tokens at execution — in-memory cache with ciphertext-fingerprint validation (rotation-correct across instances), single-flight coalescing, 30s failure memo, no refresh-token storage. - Zoom Server-to-Server OAuth, Box Client Credentials Grant, and Salesforce client-credentials (integration user) are the first minters; Salesforce's live instance_url rides the existing instanceUrl plumbing so all 40 tools work unchanged - Pipedrive lands as a token-paste provider with explicit authStyle threading: descriptor declares x-api-token, one shared header helper drives all 18 tools + both selector routes, OAuth Bearer behavior untouched - SSRF-allowlisted Salesforce My Domain host (production/sandbox/developer partitioned domains); ENOTFOUND maps to site_not_found, EAI_AGAIN stays provider_unavailable; 408/429 from token endpoints never blamed on creds - Create route forwards clientId/clientSecret/orgId to the builder, pinned by a route-level regression test - Zoom user-scoped tools document that server-to-server tokens don't support 'me' - 4 setup-guide docs pages verified against current vendor flows (incl. Salesforce External Client Apps — the classic Connected App wizard is disabled by default since Spring '26); integrations sidebar gains a Service Accounts & API Keys section
79dfed4 to
183f3db
Compare
|
@greptile-apps review |
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 183f3db. Configure here.
Summary
Type of Change
Testing
204 tests across minters, validators, the mint-cache suite, threading, and existing credential suites; typecheck, check:api-validation, docs MDX build all green. Specs and implementations verified against live vendor docs by independent research + adversarial verification rounds.
Checklist