feat(vercel): enhance Vercel integration with URL sanitization, improved environment variable handling, and pagination support

Author: 0ski

apps/webapp/app/components/integrations/VercelOnboardingModal.tsx

@@ -52,7 +52,10 @@ import { useEffect, useState, useCallback, useRef } from "react";
 function safeRedirectUrl(url: string): string | null {
   try {
     const parsed = new URL(url, window.location.origin);
-    if (parsed.protocol === "https:" || parsed.origin === window.location.origin) {
+    if (parsed.origin === window.location.origin) {
+      return parsed.toString();
+    }
+    if (parsed.protocol === "https:" && /^([a-z0-9-]+\.)*vercel\.com$/i.test(parsed.hostname)) {
       return parsed.toString();
     }
   } catch {
@@ -1033,7 +1036,10 @@ export function VercelOnboardingModal({
                       variant="primary/medium"
                       onClick={() => {
                         setState("completed");
-                        window.location.href = nextUrl;
+                        const validUrl = safeRedirectUrl(nextUrl);
+                        if (validUrl) {
+                          window.location.href = validUrl;
+                        }
                       }}
                     >
                       Complete
@@ -1044,7 +1050,10 @@ export function VercelOnboardingModal({
                       onClick={() => {
                         setState("completed");
                         if (fromMarketplaceContext && nextUrl) {
-                          window.location.href = nextUrl;
+                          const validUrl = safeRedirectUrl(nextUrl);
+                          if (validUrl) {
+                            window.location.href = validUrl;
+                          }
                         }
                       }}
                     >

apps/webapp/app/models/vercelIntegration.server.ts

@@ -1,3 +1,4 @@
+import pLimit from "p-limit";
 import { Vercel } from "@vercel/sdk";
 import type {
   ResponseBodyEnvs,
@@ -441,7 +442,21 @@ export class VercelIntegrationRepository {
       }),
       "Failed to fetch Vercel environment variables",
       { projectId, teamId }
-    ).map((response) => extractVercelEnvs(response).map(toVercelEnvironmentVariable));
+    ).map((response) => {
+      // Warn if response is paginated (more data exists that we're not fetching)
+      if (
+        "pagination" in response &&
+        response.pagination &&
+        "next" in response.pagination &&
+        response.pagination.next !== null
+      ) {
+        logger.warn(
+          "Vercel filterProjectEnvs returned paginated response - some env vars may be missing",
+          { projectId, count: response.pagination.count }
+        );
+      }
+      return extractVercelEnvs(response).map(toVercelEnvironmentVariable);
+    });
   }
 
   static getVercelEnvironmentVariableValues(
@@ -469,9 +484,12 @@ export class VercelIntegrationRepository {
       });
 
       // Fetch decrypted values for encrypted vars, use list values for others
+      const concurrencyLimit = pLimit(5);
       return ResultAsync.fromPromise(
         Promise.all(
-          filteredEnvs.map((env) => this.#resolveEnvVarValue(client, projectId, teamId, env))
+          filteredEnvs.map((env) =>
+            concurrencyLimit(() => this.#resolveEnvVarValue(client, projectId, teamId, env))
+          )
         ),
         (error) => toVercelApiError(error)
       ).map((results) => results.filter((v): v is VercelEnvironmentVariableValue => v !== null));
@@ -588,97 +606,100 @@ export class VercelIntegrationRepository {
         return okAsync([]);
       }
 
+      const concurrencyLimit = pLimit(5);
       return ResultAsync.fromPromise(
         Promise.all(
-          envVars.map(async (env) => {
-            if (!env.id || !env.key) return null;
-
-            const envId = env.id;
-            const envKey = env.key;
-            const type = env.type || "plain";
-            const isSecret = isVercelSecretType(type);
-
-            if (isSecret) return null;
-
-            const listValue = (env as any).value as string | undefined;
-            const applyToAllCustomEnvs = (env as any).applyToAllCustomEnvironments as boolean | undefined;
-
-            if (listValue) {
-              return {
-                key: envKey,
-                value: listValue,
-                target: normalizeTarget(env.target),
-                type,
-                isSecret,
-                applyToAllCustomEnvironments: applyToAllCustomEnvs,
-              };
-            }
-
-            // Try to get the decrypted value for this shared env var
-            const getResult = await ResultAsync.fromPromise(
-              client.environment.getSharedEnvVar({
-                id: envId,
-                teamId,
-              }),
-              (error) => error
-            );
+          envVars.map((env) =>
+            concurrencyLimit(async () => {
+              if (!env.id || !env.key) return null;
+
+              const envId = env.id;
+              const envKey = env.key;
+              const type = env.type || "plain";
+              const isSecret = isVercelSecretType(type);
+
+              if (isSecret) return null;
+
+              const listValue = (env as any).value as string | undefined;
+              const applyToAllCustomEnvs = (env as any).applyToAllCustomEnvironments as boolean | undefined;
+
+              if (listValue) {
+                return {
+                  key: envKey,
+                  value: listValue,
+                  target: normalizeTarget(env.target),
+                  type,
+                  isSecret,
+                  applyToAllCustomEnvironments: applyToAllCustomEnvs,
+                };
+              }
 
-            if (getResult.isOk()) {
-              if (!getResult.value.value) return null;
-              return {
-                key: envKey,
-                value: getResult.value.value,
-                target: normalizeTarget(env.target),
-                type,
-                isSecret,
-                applyToAllCustomEnvironments: applyToAllCustomEnvs,
-              };
-            }
+              // Try to get the decrypted value for this shared env var
+              const getResult = await ResultAsync.fromPromise(
+                client.environment.getSharedEnvVar({
+                  id: envId,
+                  teamId,
+                }),
+                (error) => error
+              );
+
+              if (getResult.isOk()) {
+                if (!getResult.value.value) return null;
+                return {
+                  key: envKey,
+                  value: getResult.value.value,
+                  target: normalizeTarget(env.target),
+                  type,
+                  isSecret,
+                  applyToAllCustomEnvironments: applyToAllCustomEnvs,
+                };
+              }
 
-            // Workaround: Vercel SDK may throw ResponseValidationError even when the API response
-            // is valid (e.g., deletedAt: null vs expected number). Extract value from rawValue.
-            const error = getResult.error;
-            let errorValue: string | undefined;
-            if (error && typeof error === "object" && "rawValue" in error) {
-              const rawValue = (error as any).rawValue;
-              if (rawValue && typeof rawValue === "object" && "value" in rawValue) {
-                errorValue = rawValue.value as string | undefined;
+              // Workaround: Vercel SDK may throw ResponseValidationError even when the API response
+              // is valid (e.g., deletedAt: null vs expected number). Extract value from rawValue.
+              const error = getResult.error;
+              let errorValue: string | undefined;
+              if (error && typeof error === "object" && "rawValue" in error) {
+                const rawValue = (error as any).rawValue;
+                if (rawValue && typeof rawValue === "object" && "value" in rawValue) {
+                  errorValue = rawValue.value as string | undefined;
+                }
               }
-            }
 
-            const fallbackValue = errorValue || listValue;
+              const fallbackValue = errorValue || listValue;
+
+              if (fallbackValue) {
+                logger.warn("getSharedEnvVar failed validation, using value from error.rawValue or list response", {
+                  teamId,
+                  envId,
+                  envKey,
+                  error: error instanceof Error ? error.message : String(error),
+                  hasErrorRawValue: !!errorValue,
+                  hasListValue: !!listValue,
+                  valueLength: fallbackValue.length,
+                });
+                return {
+                  key: envKey,
+                  value: fallbackValue,
+                  target: normalizeTarget(env.target),
+                  type,
+                  isSecret,
+                  applyToAllCustomEnvironments: applyToAllCustomEnvs,
+                };
+              }
 
-            if (fallbackValue) {
-              logger.warn("getSharedEnvVar failed validation, using value from error.rawValue or list response", {
+              logger.warn("Failed to get decrypted value for shared env var, no fallback available", {
                 teamId,
+                projectId,
                 envId,
                 envKey,
                 error: error instanceof Error ? error.message : String(error),
-                hasErrorRawValue: !!errorValue,
-                hasListValue: !!listValue,
-                valueLength: fallbackValue.length,
+                errorStack: error instanceof Error ? error.stack : undefined,
+                hasRawValue: error && typeof error === "object" && "rawValue" in error,
               });
-              return {
-                key: envKey,
-                value: fallbackValue,
-                target: normalizeTarget(env.target),
-                type,
-                isSecret,
-                applyToAllCustomEnvironments: applyToAllCustomEnvs,
-              };
-            }
-
-            logger.warn("Failed to get decrypted value for shared env var, no fallback available", {
-              teamId,
-              projectId,
-              envId,
-              envKey,
-              error: error instanceof Error ? error.message : String(error),
-              errorStack: error instanceof Error ? error.stack : undefined,
-              hasRawValue: error && typeof error === "object" && "rawValue" in error,
-            });
-            return null;
-          })
+              return null;
+            })
+          )
         ),
         (error) => {
           logger.error("Failed to process shared environment variable values", {
@@ -696,21 +717,43 @@ export class VercelIntegrationRepository {
     client: Vercel,
     teamId?: string | null
   ): ResultAsync<VercelProject[], VercelApiError> {
-    return wrapVercelCall(
-      client.projects.getProjects({
-        ...(teamId && { teamId }),
-      }),
-      "Failed to fetch Vercel projects",
-      { teamId }
-    ).map((response) => {
-      // GetProjectsResponseBody is a union: objects with `projects` array, or direct array
-      const projects = Array.isArray(response)
-        ? response
-        : "projects" in response
-          ? response.projects
-          : [];
-      return projects.map(({ id, name }): VercelProject => ({ id, name }));
-    });
+    return ResultAsync.fromPromise(
+      (async () => {
+        const allProjects: VercelProject[] = [];
+        let from: string | undefined;
+
+        do {
+          const response = await client.projects.getProjects({
+            ...(teamId && { teamId }),
+            limit: "100",
+            ...(from && { from }),
+          });
+
+          const projects = Array.isArray(response)
+            ? response
+            : "projects" in response
+              ? response.projects
+              : [];
+          allProjects.push(...projects.map(({ id, name }): VercelProject => ({ id, name })));
+
+          // Get pagination token for next page
+          const pagination =
+            !Array.isArray(response) && "pagination" in response
+              ? response.pagination
+              : undefined;
+          from =
+            pagination && "next" in pagination && pagination.next !== null
+              ? String(pagination.next)
+              : undefined;
+        } while (from);
+
+        return allProjects;
+      })(),
+      (error) => {
+        logger.error("Failed to fetch Vercel projects", { teamId, error });
+        return toVercelApiError(error);
+      }
+    );
   }
 
   static async updateVercelOrgIntegrationToken(params: {

apps/webapp/app/routes/api.v1.deployments.$deploymentId.ts

@@ -55,6 +55,7 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
     version: deployment.version,
     imageReference: deployment.imageReference,
     imagePlatform: deployment.imagePlatform,
+    commitSHA: deployment.commitSHA,
     externalBuildData:
       deployment.externalBuildData as GetDeploymentResponseBody["externalBuildData"],
     errorData: deployment.errorData as GetDeploymentResponseBody["errorData"],

apps/webapp/app/routes/vercel.callback.ts

@@ -5,6 +5,7 @@ import { logger } from "~/services/logger.server";
 import { getUserId } from "~/services/session.server";
 import { setReferralSourceCookie } from "~/services/referralSource.server";
 import { requestUrl } from "~/utils/requestUrl.server";
+import { sanitizeVercelNextUrl } from "~/v3/vercel/vercelUrls.server";
 
 const VercelCallbackSchema = z
   .object({
@@ -42,7 +43,10 @@ export async function loader({ request }: LoaderFunctionArgs) {
     throw new Response("Invalid callback parameters", { status: 400 });
   }
 
-  const { code, state, error, error_description, configurationId, next: nextUrl } = parsed.data;
+  const { code, state, error, error_description, configurationId, next: rawNextUrl } = parsed.data;
+
+  // Sanitize the `next` parameter to prevent open redirects
+  const nextUrl = sanitizeVercelNextUrl(rawNextUrl);
 
   if (error) {
     logger.error("Vercel OAuth error", { error, error_description });

apps/webapp/app/routes/vercel.configure.tsx

@@ -2,6 +2,7 @@ import type { LoaderFunctionArgs } from "@remix-run/node";
 import { redirect } from "@remix-run/node";
 import { z } from "zod";
 import { prisma } from "~/db.server";
+import { requireUserId } from "~/services/session.server";
 import { organizationVercelIntegrationPath } from "~/utils/pathBuilder";
 
 const SearchParamsSchema = z.object({
@@ -12,6 +13,7 @@ const SearchParamsSchema = z.object({
  * Endpoint to handle Vercel integration configuration request coming from marketplace
  */
 export const loader = async ({ request }: LoaderFunctionArgs) => {
+  await requireUserId(request);
   const url = new URL(request.url);
   const searchParams = Object.fromEntries(url.searchParams);
 

apps/webapp/app/services/vercelIntegration.server.ts

@@ -427,7 +427,8 @@ export class VercelIntegrationService {
         discoverEnvVars: params.discoverEnvVars ?? null,
         vercelStagingEnvironment: params.vercelStagingEnvironment ?? null,
       },
-      syncEnvVarsMapping: existing.parsedIntegrationData.syncEnvVarsMapping,
+      //This is intentionally not updated here, in case of resetting the onboarding it should not override the existing mapping with an empty one
+      syncEnvVarsMapping: existing.parsedIntegrationData.syncEnvVarsMapping, 
       onboardingCompleted: true,
     };
 

apps/webapp/app/v3/environmentVariables/environmentVariablesRepository.server.ts

@@ -220,7 +220,7 @@ export class EnvironmentVariablesRepository implements Repository {
                   version: {
                     increment: 1,
                   },
-                  lastUpdatedBy: options.lastUpdatedBy ? options.lastUpdatedBy : undefined,
+                  ...(options.lastUpdatedBy ? { lastUpdatedBy: options.lastUpdatedBy } : {}),
                   valueReferenceId: secretReference.id,
                   ...(options.isSecret !== undefined
                     ? {