Add OAuth2 authorization_code support alongside existing PAT auth for the GitHub source. Map OAuth access_token to personal_access_token transparently via model_validator, and ensure Accept: application/json header is sent on token exchange so GitHub returns JSON instead of URL-encoded form data.
Skip repo_name requirement in GitHubSource.create() when config is None (token-validation-only path). Add Accept: application/json header to domains OAuth2 token exchange so GitHub returns JSON.
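What the `Accept: application/json` change means for the code that reads the token-exchange response, as an added example that is not code from this pull request: a parser that accepts both the JSON form and the URL-encoded default and treats an `error` field as a failure. The function name, exception class and sample bodies are constructed for illustration.

```python
import json
from urllib.parse import parse_qs

# Constructed sample bodies (not real tokens or real responses).
JSON_BODY = '{"access_token": "gho_constructedExample", "token_type": "bearer", "scope": "repo"}'
FORM_BODY = "access_token=gho_constructedExample&scope=repo&token_type=bearer"
ERROR_BODY = '{"error": "bad_verification_code"}'


class TokenExchangeError(Exception):
    """Raised when the response carries no usable access token."""


def parse_token_response(content_type: str, body: str) -> dict:
    """Parse a token-exchange response body into a flat dict.

    JSON is what the endpoint returns when Accept: application/json was
    sent; anything else is parsed as the URL-encoded default.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        try:
            data = json.loads(body)
        except json.JSONDecodeError as exc:
            raise TokenExchangeError("body is not valid JSON") from exc
        if not isinstance(data, dict):
            raise TokenExchangeError("JSON body is not an object")
    else:
        # Form-encoded fallback: access_token=...&scope=...&token_type=bearer
        data = {k: v[0] for k, v in parse_qs(body).items()}

    # An error field in the body means the exchange failed; report only the
    # error code so the raw body (which may hold a token) is never echoed.
    if "error" in data:
        raise TokenExchangeError(f"token exchange failed: {data['error']}")
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise TokenExchangeError("response has no access_token")
    return data
```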
Iterate auth_methods in backend-defined order instead of hardcoding direct_auth first. Default selection now picks the first available method, so sources with OAuth first (like GitHub) show it on top.
…tion
- Add BaseSource.validate_token() classmethod for lightweight OAuth token checks without full source instantiation
- GitHubSource.validate_token() pings GET /user to verify token
- callback_service uses validate_token() instead of create()+validate()
- GitHubAuthConfig: two explicit Optional fields (personal_access_token, access_token) with model_validator(after) requiring exactly one; token property returns whichever is set. No silent field remapping.
- GitHubSource.create() restored to strict typed signature
- Frontend validation accepts gho_ OAuth token prefix
…date, callback service
Contributor
3 issues found across 17 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="backend/airweave/platform/configs/tests/test_github_auth.py">
<violation number="1" location="backend/airweave/platform/configs/tests/test_github_auth.py:45">
P1: Custom agent: **Check for Cursor Rules Drift**
Update Cursor rule docs for GitHub token validation to include OAuth app tokens (`gho_`), since this PR adds that accepted format and currently violates the rule’s requirement to keep Cursor rules synchronized with API/auth pattern changes.</violation>
</file>
<file name="backend/airweave/domains/oauth/callback_service.py">
<violation number="1" location="backend/airweave/domains/oauth/callback_service.py:568">
P2: `SourceLifecycleService.validate` expects the raw access token for token-only sources (e.g., Todoist/Notion). Passing `{"access_token": ...}` results in a dict being treated as the token, breaking validation. Pass the access token string directly (as you already do in source connection creation).</violation>
</file>
<file name="backend/airweave/domains/sources/lifecycle.py">
<violation number="1" location="backend/airweave/domains/sources/lifecycle.py:183">
P2: `model_validate()` can raise before the `SourceCreationError` wrapper, so invalid credential payloads escape as raw exceptions instead of the service’s documented creation error type.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Contributor
4 issues found across 4 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="monke/auth/broker.py">
<violation number="1" location="monke/auth/broker.py:186">
P1: Custom agent: **Check for Cursor Rules Drift**
Update the Monke Cursor rules to match the new `token`-based credential flow; they still instruct `personal_access_token`/`access_token`, which is now drift for `monke/**` auth guidance.</violation>
</file>
<file name="backend/airweave/platform/auth_providers/composio.py">
<violation number="1" location="backend/airweave/platform/auth_providers/composio.py:40">
P1: Custom agent: **Check for Cursor Rules Drift**
Update the relevant Cursor rules for the unified GitHub `token` field. Rule `Check for Cursor Rules Drift` requires the auth-provider guidance to stay in sync, but the current rules still teach `personal_access_token`, so Cursor will keep suggesting the old credential shape for this flow.</violation>
</file>
<file name="monke/bongos/github.py">
<violation number="1" location="monke/bongos/github.py:30">
P1: Custom agent: **Check for Cursor Rules Drift**
Update the Cursor rules for GitHub Monke auth to use `token` instead of `personal_access_token`; they currently describe an auth contract this change no longer accepts.</violation>
<violation number="2" location="monke/bongos/github.py:30">
P2: Keep the legacy GitHub credential aliases here, or direct-auth GitHub runs will fail before the test starts.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Sources without auth_config_ref (Todoist, Notion) expect a plain token string. Lifecycle now wraps string credentials for auth_config_ref sources.
Summary by cubic
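Add GitHub OAuth browser flow and unify token handling under a single `token` field. Tokens are validated via the source lifecycle, and the UI now prefers OAuth when available.

New Features
- `oauth_type: access_only`); add OAuth endpoints to `dev` and `self-hosted` integration YAMLs; send `Accept: application/json` on token exchange.
- `GitHubAuthConfig.token`; normalize `personal_access_token`/`access_token`; validate `ghp_`, `github_pat_`, `gho_`, and 40-hex formats; update frontend and cursor validation rules.
- `auth_methods` order and defaults to the first.

Other Changes
- `SourceLifecycleService.validate`; fix token validation by passing the raw string; lifecycle wraps into auth config when `auth_config_ref` is present.
- `GitHubSource`: rename `personal_access_token` to `token`; allow token-only instantiation for validation paths; prefer `oauth_browser` in `auth_methods`; update auth headers.
- `Composio` and `Pipedream` now map `token`; `monke` broker normalizes `access_token` → `token`; GitHub bongo uses `token`.
- `local_storage` from `uvicorn` reload; add tests for GitHub auth config, lifecycle validate, and OAuth callback; fix test imports and lints; format tests with `ruff`.

Written for commit 10f3d6f. Summary will update on new commits.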
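The credential handling described in the summary and in the review findings (raw string versus dict, legacy aliases, format check, errors surfaced as the creation error type), as an added sketch that is not the project's code. `normalize_github_credentials`, the stand-in `SourceCreationError` body and the regex character classes are assumptions; the page lists only the prefixes and "40-hex".

```python
import re

# Assumption: the character class after each prefix is chosen for this
# sketch; the page names only ghp_, github_pat_, gho_ and 40-hex.
TOKEN_RE = re.compile(r"(?:ghp_|gho_|github_pat_)[A-Za-z0-9_]+|[0-9a-fA-F]{40}")
ALIASES = ("token", "personal_access_token", "access_token")

# Constructed sample values (not real credentials).
SAMPLE_PAT = "ghp_" + "a" * 36
SAMPLE_OAUTH = "gho_" + "B" * 36
SAMPLE_LEGACY_HEX = "ab" * 20


class SourceCreationError(Exception):
    """Stand-in for the service's documented creation error type."""


def normalize_github_credentials(creds) -> dict:
    """Accept a raw token string or a dict using one alias; return {"token": ...}."""
    try:
        if isinstance(creds, str):
            token = creds
        elif isinstance(creds, dict):
            supplied = [creds[k] for k in ALIASES if creds.get(k) is not None]
            if len(supplied) != 1:
                raise ValueError("expected exactly one of: " + ", ".join(ALIASES))
            token = supplied[0]
        else:
            raise TypeError("credentials must be a str or a dict")
        # A nested dict passed where the token string belongs is rejected here.
        if not isinstance(token, str) or not TOKEN_RE.fullmatch(token.strip()):
            raise ValueError("token does not match a known GitHub format")
    except (TypeError, ValueError) as exc:
        # Validation failures leave as the creation error type, and the
        # message never includes the token value itself.
        raise SourceCreationError(f"invalid GitHub credentials: {exc}") from exc
    return {"token": token.strip()}
```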
SourceLifecycleService.validate; fix token validation by passing the raw string; lifecycle wraps into auth config whenauth_config_refis present.GitHubSource: renamepersonal_access_tokentotoken; allow token-only instantiation for validation paths; preferoauth_browserinauth_methods; update auth headers.ComposioandPipedreamnow maptoken;monkebroker normalizesaccess_token→token; GitHub bongo usestoken.local_storagefromuvicornreload; add tests for GitHub auth config, lifecycle validate, and OAuth callback; fix test imports and lints; format tests withruff.Written for commit 10f3d6f. Summary will update on new commits.