Skip to content

improvement(credentials-security): use clear credentials sharing helper, fix google sheets block url split bug#968

Merged
icecrasher321 merged 5 commits intostagingfrom
improvement/credentials-sharing-security
Aug 14, 2025
Merged

improvement(credentials-security): use clear credentials sharing helper, fix google sheets block url split bug#968
icecrasher321 merged 5 commits intostagingfrom
improvement/credentials-sharing-security

Conversation

@icecrasher321
Copy link
Collaborator

@icecrasher321 icecrasher321 commented Aug 14, 2025

Summary

  • Reuse authorizeCredentialUse helper everywhere to reduce code surface area
  • Fix google sheets url splitting bug

Type of Change

  • Bug fix

Testing

Manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel
Copy link

vercel bot commented Aug 14, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
sim Ready Preview Comment Aug 14, 2025 6:50pm
1 Skipped Deployment
Project Deployment Preview Comments Updated (UTC)
docs ⬜️ Skipped Aug 14, 2025 6:50pm

greptile-apps[bot]
greptile-apps bot reviewed Aug 14, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Greptile Summary

This PR implements a comprehensive security improvement by centralizing credential authorization logic across the codebase and fixing a URL parsing bug in Google Sheets tools. The main change introduces a new authorizeCredentialUse helper function (apps/sim/lib/auth/credential-access.ts) that consolidates authentication and authorization logic for credential access across different authentication methods (session, API key, internal JWT).

The centralized helper implements role-based access control with workspace-level permissions, ensuring credential owners can access their own credentials while requiring workspace membership validation for collaboration scenarios. This replaces scattered manual authentication code across 11 API endpoints, including Microsoft Teams, Linear, Slack, and Google Drive integrations. Each endpoint previously implemented its own session validation, database queries, and custom permission checks - now all use the standardized helper.

The second improvement addresses a URL parsing bug in Google Sheets tools (read.ts, write.ts, update.ts, append.ts) where the code assumed response.url would always be a string. The fix adds type guards (typeof response.url === 'string') before calling .split() to prevent runtime errors when the URL property is undefined or not a string. This defensive programming approach ensures tools continue functioning even when URL extraction fails.

Additionally, the tools/index.ts file was updated to provide the resolved URL in mock response objects, ensuring tool transformation functions have access to response.url for URL parsing operations. Tests were also updated to reflect the new centralized authorization flow with proper mocking of the new helper functions.

Confidence score: 4/5

  • This PR significantly improves security through centralization but requires careful review due to complex authentication logic changes
  • Score reflects robust centralization of security logic and defensive programming improvements, though the complexity warrants thorough testing
  • Pay close attention to apps/sim/lib/auth/credential-access.ts and the Microsoft Teams/Linear/Slack API endpoints for proper authorization flow

16 files reviewed, 8 comments

Edit Code Review Bot Settings | Greptile

@icecrasher321 icecrasher321 changed the title Improvement/credentials sharing security improvement(credentials-security): use clear credentials sharing helper, fix google sheets block url split bug Aug 14, 2025
@vercel vercel bot temporarily deployed to Preview – docs August 14, 2025 18:46 Inactive
@icecrasher321 icecrasher321 merged commit fd9e61f into staging Aug 14, 2025
5 checks passed
@icecrasher321 icecrasher321 mentioned this pull request Aug 14, 2025
Merged
@waleedlatif1 waleedlatif1 deleted the improvement/credentials-sharing-security branch August 15, 2025 17:03
arenadeveloper02 pushed a commit to arenadeveloper02/p2-sim that referenced this pull request Sep 19, 2025
@icecrasher321
improvement(credentials-security): use clear credentials sharing help…
6f13e90 
…er, fix google sheets block url split bug (simstudioai#968)

* improvement(credentials-sharing-security): cleanup and reuse helper to determine credential access

* few more routes

* fix google sheets block

* fix test mocks

* fix calendar route
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@icecrasher321