Merge pull request #4689 from activepieces/fix/remove-secret

chore: remove client secret in client grant and user custom oauth2
activepieces · May 14, 2024 · 8927736 · 8927736
2 parents 2fcaf15 + 9332e21
commit 8927736
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 2 deletions.
diff --git a/packages/server/api/src/app/app-connection/app-connection-service/app-connection-service.ts b/packages/server/api/src/app/app-connection/app-connection-service/app-connection-service.ts
@@ -112,10 +112,14 @@ export const appConnectionService = {
 
         const appConnection = decryptConnection(encryptedAppConnection)
         if (!needRefresh(appConnection)) {
-            return appConnection
+            return oauth2Util.removeRefreshTokenAndClientSecret(appConnection)
         }
 
-        return lockAndRefreshConnection({ projectId, name })
+        const refreshedConnection = await lockAndRefreshConnection({ projectId, name })
+        if (isNil(refreshedConnection)) {
+            return null
+        }
+        return oauth2Util.removeRefreshTokenAndClientSecret(refreshedConnection)
     },
 
     async getOneOrThrow(params: GetOneParams): Promise<AppConnection> {

diff --git a/packages/server/api/src/app/app-connection/app-connection-service/oauth2/oauth2-util.ts b/packages/server/api/src/app/app-connection/app-connection-service/oauth2/oauth2-util.ts
@@ -3,6 +3,8 @@ import { pieceMetadataService } from '../../../pieces/piece-metadata-service'
 import { PropertyType } from '@activepieces/pieces-framework'
 import {
     ActivepiecesError,
+    AppConnection,
+    AppConnectionType,
     assertNotNullOrUndefined,
     BaseOAuth2ConnectionValue,
     deleteProps,
@@ -15,6 +17,22 @@ export const oauth2Util = {
     isExpired,
     isUserError,
     getOAuth2TokenUrl,
+    removeRefreshTokenAndClientSecret
+}
+
+function removeRefreshTokenAndClientSecret(connection: AppConnection): AppConnection {
+    if (connection.value.type === AppConnectionType.OAUTH2 && connection.value.grant_type === OAuth2GrantType.CLIENT_CREDENTIALS) {
+        connection.value.client_secret = '(REDACTED)'
+    }
+    if (connection.value.type === AppConnectionType.OAUTH2
+        || connection.value.type === AppConnectionType.CLOUD_OAUTH2
+        || connection.value.type === AppConnectionType.PLATFORM_OAUTH2) {
+        connection.value = {
+            ...connection.value,
+            refresh_token: '(REDACTED)',
+        }
+    }
+    return connection
 }
 
 function isExpired(connection: BaseOAuth2ConnectionValue): boolean {