feat: ENG-12261 add OAuth 2.0 support and settings UI for Phrase integration#4699
feat: ENG-12261 add OAuth 2.0 support and settings UI for Phrase integration#4699sanyamkamat wants to merge 20 commits into
Conversation
|
|
View your CI Pipeline Execution ↗ for commit b71137f
💡 Verify your cache is correct by running tasks in a sandbox. Read docs ↗ ☁️ Nx Cloud last updated this comment at |
…nnection and disconnection functionality
…ion disconnection state
…leakage across organizations
…for improved isolation across organizations
…ization-specific plugin settings
…ons for Phrase integration
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using default effort and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit b71137f. Configure here.
| await this.loaded; | ||
| if (readOrgPluginSetting('authMode') !== 'oauth') { | ||
| if (!readOrgPluginSetting('userName') || !readOrgPluginSetting('password')) { | ||
| throw new Error('Phrase username/password is not configured.'); |
There was a problem hiding this comment.
Auth reads persisted org settings
Medium Severity
ensureAuthenticated and the 401 refresh branch use readOrgPluginSetting for authMode and OAuth metadata, while job calls use the plugin settings object elsewhere. Unsaved Authentication changes can leave persisted org data on password mode, so a successful OAuth connect still fails Translate with username/password errors until settings are saved.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit b71137f. Configure here.
There was a problem hiding this comment.
Fixed. Reworked ensureAuthenticated so the OAuth session marker (set by connectWithOAuth) is the primary signal: it now treats the org as OAuth mode when authMode === 'oauth' OR a live session marker exists. So a successful OAuth connect passes the client check even before the persisted authMode has propagated to the in-memory org model (or before the form is saved), instead of falling into the username/password branch. The server already decides the real mode from persisted Firestore keys, so this just keeps the client pre-check in step.
| const oauth = candidates.reduce((a: any, b: any) => (b.expiresAt > a.expiresAt ? b : a)); | ||
| if (oauth.expiresAt <= Date.now()) { | ||
| throw new Error("Phrase OAuth session expired. Please reconnect."); | ||
| } |
There was a problem hiding this comment.
Missing expiresAt passes auth check
Low Severity
After picking the best OAuth candidate, ensureAuthenticated only tests expiresAt <= Date.now(). It never uses isOAuthValid, so metadata without expiresAt skips both the expiry failure and a proper not-connected error and can proceed to API calls incorrectly.
Reviewed by Cursor Bugbot for commit b71137f. Configure here.
There was a problem hiding this comment.
Fixed. The chosen candidate now goes through isOAuthValid(oauth) (which rejects both missing expiresAt and expired tokens) instead of a bare expiresAt <= Date.now() comparison, so metadata without an expiresAt no longer slips past as connected — it throws a proper not-connected / reconnect error.


Description
Adds OAuth 2.0 support and settings UI for Phrase integration
Note
Medium Risk
Touches authentication and all Phrase translation API calls; OAuth/session edge cases are handled explicitly but depend on server OAuth endpoints behaving correctly.
Overview
Adds SSO / OAuth 2.0 alongside username/password for the Phrase connector, with settings for auth mode, per-org OAuth Client ID, and a Connect / Disconnect UI that runs the popup flow via Builder’s
/api/v1/memsource/oauth/*endpoints (tokens stay server-side).Replaces the direct
Phraseclient withPhraseApi, which calls the monolith for jobs and apply-translation, checks credentials before translate actions, and retries afteroauth/refreshon 401.oauth-client.tshandles prepare/start, origin-checkedpostMessage, disconnect, and apiKey-scoped session markers so connect/disconnect and org switches don’t show stale connection state.Plugin settings hide password fields in OAuth mode; translate/apply paths call
ensureAuthenticated(). README documents OAuth setup and the flow. Package version bumps to 0.0.17-1; the stub Request an updated translation content action is removed while outdated translation warnings are refactored intocheckTranslationFreshness.Reviewed by Cursor Bugbot for commit b71137f. Bugbot is set up for automated code reviews on this repo. Configure here.