fix: close round-3 OAuth strict-proto config-field gaps (v0.2.4) #14
Merged
BMW v0.51.5 local smoke surfaced two OAuth gaps the v0.2.3 sweep missed:
both fields BMW supplies via the step's config: block (templated at
runtime, but strict-proto validates Config at build-time as unresolved
literals).
- OAuthProviderConfig: added `string return_to = 11`. BMW's
step.auth_oauth_start passes `return_to: '{{ .return_to }}'` in
config. Handler now prefers config.return_to when non-empty, falls
back to current.return_to (OAuthProviderInput).
- OAuthProviderConfig: added `string access_token = 12`. BMW's
step.auth_oauth_userinfo passes
`access_token: '{{ index .steps "exchange_code" "access_token" }}'`
in config. Handler now prefers config.access_token when non-empty,
falls back to current.access_token (OAuthProviderInput).
New helper `oauthConfigOrCurrent(config, current, key)` enforces the
Config-when-non-empty rule. OAuthProviderInput remains valid for the
runtime-input shape; Config wins as tie-breaker.
Exhaustive BMW app.yaml audit of every step.auth_oauth_* config block
confirmed only `return_to` (start) and `access_token` (userinfo) were
the remaining gaps; provider + google_oauth_* fields are already on
the contract.
Tests:
- TestOAuthProviderConfig_AcceptsReturnToAndAccessToken — strict-proto
acceptance across all 4 OAuth step types.
- TestOAuthStart_{UsesReturnToFromConfig,ConfigReturnToWinsOverCurrent,
FallsBackToCurrentReturnTo} — start_oauth precedence.
- TestOAuthUserinfo_{UsesAccessTokenFromConfig,
ConfigAccessTokenWinsOverCurrent,FallsBackToCurrentAccessToken} —
userinfo precedence via httptest Bearer assertion.
CI fixture (.github/fixtures/workflow-compat.yaml) now exercises both
new config fields.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
BMW v0.51.5 local smoke surfaced two OAuth strict-proto gaps the v0.2.3 sweep missed. Both involve fields BMW supplies via the step's `config:` block (templated at runtime, but strict-proto validates Config at build-time when templates are still unresolved literals).
- `OAuthProviderConfig`: added `string return_to = 11` (BMW's `step.auth_oauth_start` passes `return_to: '{{ .return_to }}'` in config).
- `OAuthProviderConfig`: added `string access_token = 12` (BMW's `step.auth_oauth_userinfo` passes `access_token: '{{ index .steps "exchange_code" "access_token" }}'` in config).
- Handlers now prefer Config when non-empty, falling back to `OAuthProviderInput` (runtime input) — new `oauthConfigOrCurrent` helper enforces the rule.
- Exhaustive third-pass BMW yaml audit of every `step.auth_oauth_*` config block confirmed these were the only two remaining gaps; `provider` and the `google_oauth_*` fields were already on the contract.

Test plan
- `go test ./...` passes (full suite, including 7 new test cases)
- `go build ./cmd/workflow-plugin-auth` succeeds
- `protoc` regenerated `internal/contracts/auth.pb.go` from updated `.proto`
- `TestOAuthProviderConfig_AcceptsReturnToAndAccessToken` (strict-proto acceptance across all 4 OAuth step types)
- `TestOAuthStart_{UsesReturnToFromConfig, ConfigReturnToWinsOverCurrent, FallsBackToCurrentReturnTo}` (handler precedence for `return_to`)
- `TestOAuthUserinfo_{UsesAccessTokenFromConfig, ConfigAccessTokenWinsOverCurrent, FallsBackToCurrentAccessToken}` (handler precedence for `access_token` via httptest Bearer assertion)
- `.github/fixtures/workflow-compat.yaml` exercises both new config fields on `step.auth_oauth_start` and `step.auth_oauth_userinfo`
- `plugin.json` bumped 0.2.3 → 0.2.4 (download URLs updated)

Closes the BMW v0.51.5 → workflow-plugin-auth strict-proto rejection chain for the OAuth pipelines (start + userinfo).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
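An added example, not code from this pull request or the project: it shows why a templated config key is rejected at build time until the contract declares it, and the Config-when-non-empty precedence described above. JSON decoding with Go's `DisallowUnknownFields` stands in for strict-proto validation; the struct names, `strictDecode`, `preferConfig`, the map-based signature and all sample values are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hypothetical, simplified stand-ins for the config contract before and
// after the change; the real message is generated from the project's .proto.
type configBefore struct {
	Provider string `json:"provider"`
}

type configAfter struct {
	Provider    string `json:"provider"`
	ReturnTo    string `json:"return_to"`
	AccessToken string `json:"access_token"`
}

// Constructed sample: a start step's config as seen at build time, with the
// template still an unresolved literal.
const sampleStartConfig = `{"provider": "google", "return_to": "{{ .return_to }}"}`

// strictDecode rejects any key the target struct does not declare.
func strictDecode(raw string, out interface{}) error {
	dec := json.NewDecoder(strings.NewReader(raw))
	dec.DisallowUnknownFields()
	return dec.Decode(out)
}

// preferConfig returns config[key] when it is non-empty, else current[key].
func preferConfig(config, current map[string]string, key string) string {
	if v := config[key]; v != "" {
		return v
	}
	return current[key]
}

func main() {
	var before configBefore
	fmt.Println("before:", strictDecode(sampleStartConfig, &before))
	var after configAfter
	fmt.Println("after: ", strictDecode(sampleStartConfig, &after), after.ReturnTo)

	cfg := map[string]string{"return_to": "/dashboard"} // constructed values
	cur := map[string]string{"return_to": "/login", "access_token": "tok-current"}
	fmt.Println(preferConfig(cfg, cur, "return_to"))    // config wins
	fmt.Println(preferConfig(cfg, cur, "access_token")) // falls back to current
}
```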