Skip to content

fix: point permission-apply link at official /page/scope-apply entry#1722

Merged
liangshuo-1 merged 1 commit into
mainfrom
fix/permission-apply-scope-apply-url
Jul 2, 2026
Merged

fix: point permission-apply link at official /page/scope-apply entry#1722
liangshuo-1 merged 1 commit into
mainfrom
fix/permission-apply-scope-apply-url

Conversation

@liangshuo-1

@liangshuo-1 liangshuo-1 commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

Summary

The console_url we surface on app-scope-not-applied errors (Lark 99991672 / 99991679) was built against the historical internal /app/{appID}/auth?q= entry, which the open-platform open-pages spec explicitly warns developers not to depend on. This switches it to the official application-scope apply entry, /page/scope-apply?clientID=...&scopes=....

Changes

  • errclass.ConsoleURL now emits https://<open-host>/page/scope-apply?clientID=<appID>&scopes=<comma-joined>; clientID and the comma-joined scopes are query-escaped so hostile values cannot inject extra query parameters.
  • Converge the brand→host mapping in both scope-apply URL builders (errclass.ConsoleURL and registry.BuildConsoleScopeURL) onto core.ResolveOpenBaseURL, instead of re-deriving open.feishu.cn / open.larksuite.com inline, so the open-platform base URL has a single source of truth.
  • errclass now imports internal/core (verified: no import cycle — core does not depend on errclass); the stale comment claiming a cycle is removed.
  • Update classify_test.go assertions to the new entry format.

Test Plan

  • Unit tests pass (errclass, registry, client, cmd/api, shortcuts/common)

  • Manual local verification against the live server (same app, same missing scopes; only the URL format changed):

    lark api GET /open-apis/okr/v1/periods --as bot   # → 99991672 app_scope_not_applied
    
    console_url
    before https://open.feishu.cn/app/cli_xxx/auth?q=okr:okr.period:readonly,...
    after https://open.feishu.cn/page/scope-apply?clientID=cli_xxx&scopes=okr:okr.period:readonly,...

    The host convergence is a zero-behavior-change refactor: existing tests assert the exact open.feishu.cn / open.larksuite.com hosts and output is byte-identical.

Related Issues

  • None

Summary by CodeRabbit

  • New Features

    • Updated console links for requesting app scopes to open a dedicated scope-apply page, prefilled with the app ID and requested permissions.
    • Console URL generation for Feishu and Lark is now consistent across brands.
  • Bug Fixes

    • Fixed console link generation to use the correct scope-apply URL format and parameters.
    • Improved escaping/formatting of app IDs and permission scopes to prevent malformed links.
  • Tests

    • Updated assertions to match the new console URL format.

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c17d1b40-3b52-4cfc-9411-f71d70175f6a

📥 Commits

Reviewing files that changed from the base of the PR and between 2bd5b0c and 1126d17.

📒 Files selected for processing (5)
  • errs/types_test.go
  • internal/errclass/classify.go
  • internal/errclass/classify_test.go
  • internal/registry/scope_hint.go
  • shortcuts/task/task_util_test.go
✅ Files skipped from review due to trivial changes (1)
  • shortcuts/task/task_util_test.go
🚧 Files skipped from review as they are similar to previous changes (3)
  • internal/registry/scope_hint.go
  • internal/errclass/classify.go
  • internal/errclass/classify_test.go

📝 Walkthrough

Walkthrough

Console URL construction for scope-apply flows now uses core.ResolveOpenBaseURL and core.ParseBrand instead of hardcoded brand hosts. The URL format changes to /page/scope-apply?clientID=...&scopes=..., and the related tests now assert that shape.

Changes

Scope-apply console URL construction

Layer / File(s) Summary
ConsoleURL rewrite using core brand resolution
internal/errclass/classify.go, internal/registry/scope_hint.go
Console URL building now resolves the base URL through core helpers and emits page/scope-apply with clientID and scopes query parameters instead of the prior brand-specific host and /app/{id}/auth scheme.
ConsoleURL test expectations updated to scope-apply format
internal/errclass/classify_test.go, errs/types_test.go, shortcuts/task/task_util_test.go
Console URL assertions and permission hint expectations are updated to the new page/scope-apply URL shape, including escaped clientID and scopes values where applicable.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: moving the permission apply link to the official scope-apply entry.
Description check ✅ Passed The description matches the template well and includes summary, changes, test plan, and related issues.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/permission-apply-scope-apply-url

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added the size/M Single-domain feat or fix with limited business impact label Jul 2, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
internal/registry/scope_hint.go (1)

58-68: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider consolidating with errclass.ConsoleURL.

Both BuildConsoleScopeURL here and errclass.ConsoleURL now independently build the same /page/scope-apply?clientID=...&scopes=... URL shape on top of core.ResolveOpenBaseURL. Now that brand-to-host resolution is unified, consider extracting the shared "build scope-apply URL from base+appID+scopes" logic into internal/core (or another shared package) to avoid future drift between the two implementations (e.g., differing escaping or query-param ordering).

♻️ Example shared helper
// in internal/core
func BuildScopeApplyURL(brand LarkBrand, appID string, scopes []string) string {
	if appID == "" {
		return ""
	}
	base := fmt.Sprintf("%s/page/scope-apply?clientID=%s",
		ResolveOpenBaseURL(brand), url.QueryEscape(appID))
	if len(scopes) == 0 {
		return base
	}
	return base + "&scopes=" + url.QueryEscape(strings.Join(scopes, ","))
}

Both errclass.ConsoleURL (parsing a raw brand string) and registry.BuildConsoleScopeURL (single scope) could then delegate to this helper.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/registry/scope_hint.go` around lines 58 - 68, BuildConsoleScopeURL
currently duplicates the same scope-apply console URL construction that
errclass.ConsoleURL also performs, so consolidate this shared logic into a
common helper in internal/core (or another shared package). Add a reusable
helper that takes the resolved brand/base, appID, and scopes, then have
BuildConsoleScopeURL delegate to it so escaping, query param formatting, and
future changes stay consistent with errclass.ConsoleURL.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@internal/registry/scope_hint.go`:
- Around line 58-68: BuildConsoleScopeURL currently duplicates the same
scope-apply console URL construction that errclass.ConsoleURL also performs, so
consolidate this shared logic into a common helper in internal/core (or another
shared package). Add a reusable helper that takes the resolved brand/base,
appID, and scopes, then have BuildConsoleScopeURL delegate to it so escaping,
query param formatting, and future changes stay consistent with
errclass.ConsoleURL.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 24f2fc03-8378-41c4-801f-8ff83624b1fa

📥 Commits

Reviewing files that changed from the base of the PR and between ddc0f2a and 2bd5b0c.

📒 Files selected for processing (3)
  • internal/errclass/classify.go
  • internal/errclass/classify_test.go
  • internal/registry/scope_hint.go

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@1126d1711511b1731ec73f4a81266b0c91d147b9

🧩 Skill update

npx skills add larksuite/cli#fix/permission-apply-scope-apply-url -y -g

The console_url carried on app-scope-not-applied errors (Lark
99991672/99991679) built the historical internal /app/{appID}/auth?q=
entry, which the open-platform open-pages spec explicitly warns against.
Switch it to the official /page/scope-apply?clientID=...&scopes=... entry;
clientID and the comma-joined scopes are query-escaped so hostile values
cannot inject extra parameters.

Also converge the brand->host mapping in both scope-apply URL builders
(errclass.ConsoleURL and registry.BuildConsoleScopeURL) onto
core.ResolveOpenBaseURL instead of re-deriving open.feishu.cn /
open.larksuite.com inline, so the open-platform base URL has a single
source of truth. errclass now imports internal/core (verified: no import
cycle); the stale comment claiming a cycle is removed.
@liangshuo-1 liangshuo-1 force-pushed the fix/permission-apply-scope-apply-url branch from 2bd5b0c to 1126d17 Compare July 2, 2026 10:53
@github-actions github-actions Bot added the domain/task PR touches the task domain label Jul 2, 2026
@codecov

codecov Bot commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.40%. Comparing base (462358a) to head (1126d17).
⚠️ Report is 9 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1722      +/-   ##
==========================================
- Coverage   74.52%   74.40%   -0.13%     
==========================================
  Files         851      854       +3     
  Lines       87155    88375    +1220     
==========================================
+ Hits        64952    65752     +800     
- Misses      17231    17552     +321     
- Partials     4972     5071      +99     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@liangshuo-1 liangshuo-1 merged commit 578e2db into main Jul 2, 2026
34 of 36 checks passed
@liangshuo-1 liangshuo-1 deleted the fix/permission-apply-scope-apply-url branch July 2, 2026 11:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

domain/task PR touches the task domain size/M Single-domain feat or fix with limited business impact

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants