feat(oauth): add claim-token verification #1620
Merged
Contributor
3 issues found across 24 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="backend/airweave/api/v1/endpoints/connect.py">
<violation number="1" location="backend/airweave/api/v1/endpoints/connect.py:179">
P1: Custom agent: **Check for Cursor Rules Drift**
Update the relevant Cursor rule(s) for Rule 1's "modified API patterns or data flow changes" clause. The Connect OAuth flow now requires a claim-token verification call to `/connect/source-connections/{connection_id}/verify-oauth`, but the current Cursor guidance still describes the older popup-only flow.</violation>
</file>
<file name="connect/src/lib/useOAuthFlow.ts">
<violation number="1" location="connect/src/lib/useOAuthFlow.ts:67">
P1: Custom agent: **Check for Fern Documentation Drift**
Update the Direct OAuth Fern guide for the new `claim_token` + `verify-oauth` flow. Rule 2's manual MDX examples section is now out of sync: `direct-oauth.mdx` still says sync starts automatically after callback, so readers will omit the required verification request and the deferred sync will not start.</violation>
</file>
<file name="backend/airweave/domains/oauth/callback_service.py">
<violation number="1" location="backend/airweave/domains/oauth/callback_service.py:669">
P0: Status check will always reject claim-token flows. `_complete_connection_common` calls `mark_completed` during the callback, setting the session status to `COMPLETED`. By the time the client calls `verify_oauth_flow`, the session is already `COMPLETED`, so this `IN_PROGRESS` check always fails with a 400.
Either skip `mark_completed` in `_complete_connection_common` for claim-token sessions, or change this check to accept `COMPLETED`.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
felixschmetz approved these changes on Mar 13, 2026
force-pushed from cda0523 to c64279d
force-pushed from c64279d to 565bb97
force-pushed from 565bb97 to 2711bf3
force-pushed from 2711bf3 to 670ad9b
force-pushed from 670ad9b to 61af06a
Introduce a claim-token mechanism that ties an OAuth browser flow back to the session that initiated it. On creation the server returns a one-time token; after the provider callback the client must present it via a new `verify-oauth` endpoint to prove ownership before the sync is triggered.

Key changes:
- `ConnectionInitSession` gains three columns (`initiator_user_id`, `initiator_session_id`, `claim_token_hash`) and an `in_progress` status.
- `OAuthCallbackService.verify_oauth_flow` validates the token, checks caller identity, marks the session completed, and starts the deferred sync.
- Connect-js SDK stores the claim token and calls `verify-oauth` after popup success.
force-pushed from 61af06a to ee46b4f
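The claim-token flow described in the commit message above, and the status-ordering problem the review bot flagged at `callback_service.py:669`, as an added example. This is not Airweave's code and does not reproduce its `OAuthCallbackService` or `ConnectionInitSession`: the in-memory `store`, the `Session` dataclass, the `FlowError` codes, and the `mark_completed` switch on `provider_callback` are assumptions chosen to make the mechanism runnable on its own.

```python
"""Illustrative claim-token binding for a popup OAuth flow (added example, not Airweave's code).

Server issues a one-time claim token when the session is created and stores only its hash.
After the provider callback the client must present the token, and prove it is the same user
and browser session that started the flow, before the session is completed and the sync starts.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class Status(str, Enum):
    IN_PROGRESS = "in_progress"
    COMPLETED = "completed"


class FlowError(Exception):
    """Carries an HTTP-style code so a handler can map it straight to a response (assumed codes)."""

    def __init__(self, code: int, detail: str) -> None:
        super().__init__(detail)
        self.code = code
        self.detail = detail


@dataclass
class Session:
    id: str
    initiator_user_id: str
    initiator_session_id: str
    claim_token_hash: str          # only the hash is persisted; the token is shown to the client once
    status: Status = Status.IN_PROGRESS
    callback_received: bool = False
    sync_started: bool = False


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_session(store: dict, user_id: str, browser_session_id: str) -> tuple[Session, str]:
    """Mint a one-time claim token, persist its hash with the initiator identity, return the token once."""
    token = secrets.token_urlsafe(32)
    session = Session(
        id=secrets.token_hex(8),
        initiator_user_id=user_id,
        initiator_session_id=browser_session_id,
        claim_token_hash=_hash_token(token),
    )
    store[session.id] = session
    return session, token


def provider_callback(store: dict, session_id: str, mark_completed: bool = False) -> Session:
    """Provider redirect handler. It records the callback but leaves the session IN_PROGRESS so
    verify_oauth_flow can still accept it. mark_completed=True reproduces the ordering the review
    flagged: completing here makes every later verification fail the status check."""
    session = store[session_id]
    session.callback_received = True
    if mark_completed:
        session.status = Status.COMPLETED
    return session


def verify_oauth_flow(
    store: dict, session_id: str, claim_token: str, caller_user_id: str, caller_session_id: str
) -> Session:
    """Client presents the claim token after popup success. Every check passes before the
    session is completed and the deferred sync is started; the token is consumed on success."""
    session = store.get(session_id)
    if session is None:
        raise FlowError(404, "unknown session")
    if session.status is not Status.IN_PROGRESS:
        raise FlowError(400, "session is not in progress")
    if not session.callback_received:
        raise FlowError(409, "provider callback has not completed yet")
    # Compare hashes in constant time so the check leaks nothing about the stored value.
    if not hmac.compare_digest(_hash_token(claim_token), session.claim_token_hash):
        raise FlowError(403, "invalid claim token")
    # Possessing the token is not enough: the caller must be the initiating user and browser session.
    if caller_user_id != session.initiator_user_id or caller_session_id != session.initiator_session_id:
        raise FlowError(403, "caller is not the session initiator")
    session.status = Status.COMPLETED
    session.claim_token_hash = ""   # one-time token: nothing can match an empty hash again
    session.sync_started = True     # the deferred sync starts only here, never in the callback
    return session
```

The token never travels through the provider redirect, so someone who only sees the callback URL cannot claim the session; the identity check on top of the token covers the case where the token itself leaks out of the initiating client. The `mark_completed=True` path shows why the callback must not complete the session when the verify endpoint gates on `IN_PROGRESS`: the second call always answers 400, which is the reviewer's P0.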