Skip to content

feat(credentials): client-credentials service accounts — Zoom, Box, Salesforce + Pipedrive API tokens#5690

Open
waleedlatif1 wants to merge 1 commit into
stagingfrom
service-accounts-client-credentials
Open

feat(credentials): client-credentials service accounts — Zoom, Box, Salesforce + Pipedrive API tokens#5690
waleedlatif1 wants to merge 1 commit into
stagingfrom
service-accounts-client-credentials

Conversation

@waleedlatif1

Copy link
Copy Markdown
Collaborator

Summary

  • Second service-account kind (follow-up to feat(credentials): token-paste service accounts for 12 providers #5682): client-credential pairs (client ID + secret + org identifier) that mint short-lived tokens at execution — in-memory cache with ciphertext-fingerprint validation (rotation-correct across instances), single-flight coalescing, 30s failure memo, no refresh-token storage
  • Zoom Server-to-Server OAuth, Box Client Credentials Grant, and Salesforce client-credentials (integration user) are the first minters; Salesforce's live instance_url rides the existing instanceUrl plumbing so all 40 tools work unchanged
  • Pipedrive lands as a token-paste provider with explicit authStyle threading: descriptor declares x-api-token, one shared header helper drives all 18 tools + both selector routes, OAuth Bearer behavior untouched
  • SSRF-allowlisted Salesforce My Domain host (production/sandbox/developer partitioned domains) with DNS-failure discrimination; 408/429 from token endpoints never blamed on credentials
  • Zoom user-scoped tools document that server-to-server tokens don't support 'me'; Pipedrive pipeline-deals migrated off the sunset v1 endpoint
  • 4 setup-guide docs pages written against verified current vendor flows (incl. Salesforce External Client Apps — the classic Connected App wizard is disabled by default since Spring '26); integrations sidebar gains a Service Accounts & API Keys section

Type of Change

  • New feature

Testing

204 tests across minters, validators, the mint-cache suite, threading, and existing credential suites; typecheck, check:api-validation, docs MDX build all green. Specs and implementations verified against live vendor docs by independent research + adversarial verification rounds.

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel Bot commented Jul 15, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Building Building Preview, Comment Jul 16, 2026 2:46am

Request Review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@gitguardian

gitguardian Bot commented Jul 15, 2026

Copy link
Copy Markdown

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
While these secrets were previously flagged, we no longer have a reference to the
specific commits where they were detected. Once a secret has been leaked into a git
repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@cursor

cursor Bot commented Jul 15, 2026

Copy link
Copy Markdown

PR Summary

Medium Risk
Changes credential storage, token minting, and auth header plumbing used by workflows; mistakes could break integrations or mishandle secrets, though validation, SSRF host checks, and broad test coverage mitigate this.

Overview
Adds a client-credential service-account path alongside existing token-paste and bespoke accounts: workspaces store client ID, secret, and org identifier, connect-time verification mints a real provider token, and runtime resolution re-mints with an in-process cache (TTL floor, secret fingerprint on rotation, short failure memo, single-flight coalescing). First providers: Zoom server-to-server, Box CCG, and Salesforce client-credentials against an allowlisted My Domain host with instanceUrl returned for API calls.

Pipedrive joins as a personal API token provider with descriptor-driven x-api-token auth: the OAuth token route exposes optional authStyle, tools and selector routes use a shared header helper, and OAuth Bearer behavior stays unchanged.

UI adds a generic client-credential connect modal and wires Box / Pipedrive / Salesforce / Zoom serviceAccountProviderId in OAuth config; credential APIs accept clientId / clientSecret / orgId on create and reconnect. Docs add setup guides and a Service Accounts & API Keys nav section. Zoom block copy clarifies that me is OAuth-only for user-scoped operations.

Reviewed by Cursor Bugbot for commit a7c8890. Configure here.

@greptile-apps

greptile-apps Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds service-account credentials and API-token authentication for several integrations. The main changes are:

  • Client-credential token minting and caching for Zoom, Box, and Salesforce.
  • Pipedrive API-token authentication across tools and selector routes.
  • Credential API, contract, orchestration, and connection UI updates.
  • Setup guides for the four new credential options.
  • Tests for token minting, validation, caching, and authentication.

Confidence Score: 5/5

This looks safe to merge within the reviewed follow-up scope.

  • The latest update restores the existing Pipedrive pipeline pagination input and output contract.
  • No additional blocking issue qualifies for a new follow-up comment.

Important Files Changed

Filename Overview
apps/sim/tools/pipedrive/get_pipeline_deals.ts Restores the v1 pipeline endpoint and its start and next_start pagination fields while retaining shared authentication headers.
apps/sim/tools/pipedrive/utils.ts Provides shared Pipedrive headers for OAuth Bearer tokens and API-token credentials.
apps/sim/lib/credentials/client-credential-accounts/server.ts Defines server-side handling for client-credential service accounts.

Reviews (13): Last reviewed commit: "feat(credentials): client-credentials se..." | Re-trigger Greptile

Comment thread apps/sim/tools/pipedrive/get_pipeline_deals.ts
@greptile-apps

greptile-apps Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds service-account authentication for several integrations. The main changes are:

  • Client-credential token minting and caching for Zoom, Box, and Salesforce.
  • Pipedrive API-token authentication through the x-api-token header.
  • Salesforce My Domain validation and instance URL propagation.
  • Pipedrive pipeline-deal migration to the v2 cursor API.
  • Credential setup UI, API contracts, tests, and integration guides.

Confidence Score: 4/5

The client-credential creation path needs a fix before merging.

  • Valid Zoom, Box, and Salesforce credentials fail because the create route drops all three required fields.
  • The update path forwards these fields correctly.
  • Token caching, Pipedrive header selection, and Salesforce host restrictions are consistent in the reviewed paths.

apps/sim/app/api/credentials/route.ts

Important Files Changed

Filename Overview
apps/sim/app/api/credentials/route.ts Extends credential creation for client-credential accounts, but the create branch drops their required fields before verification.
apps/sim/app/api/auth/oauth/utils.ts Adds client-credential token caching, mint coalescing, failure memoization, rotation detection, and token metadata propagation.
apps/sim/lib/credentials/client-credential-accounts/minters/salesforce.ts Adds Salesforce token minting with My Domain validation, transient error handling, and constrained instance URLs.
apps/sim/tools/pipedrive/utils.ts Centralizes Pipedrive Bearer and API-token header selection.
apps/sim/tools/pipedrive/get_pipeline_deals.ts Moves pipeline-deal retrieval from the v1 offset endpoint to the v2 cursor endpoint.
apps/sim/app/workspace/[workspaceId]/integrations/components/connect-service-account-modal/client-credential-account-modal.tsx Adds descriptor-driven forms for client-credential service accounts.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant UI as Service-account modal
    participant API as POST /api/credentials
    participant Builder as Secret builder
    participant Provider as Zoom, Box, or Salesforce
    participant DB as Credential store
    UI->>API: providerId, clientId, clientSecret, orgId
    API->>Builder: providerId without client credentials
    Builder-->>API: Missing required field error
    Note over Provider,DB: Verification and storage are not reached
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant UI as Service-account modal
    participant API as POST /api/credentials
    participant Builder as Secret builder
    participant Provider as Zoom, Box, or Salesforce
    participant DB as Credential store
    UI->>API: providerId, clientId, clientSecret, orgId
    API->>Builder: providerId without client credentials
    Builder-->>API: Missing required field error
    Note over Provider,DB: Verification and storage are not reached
Loading

Reviews (2): Last reviewed commit: "fix(credentials): Group B verification r..." | Re-trigger Greptile

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 0d959f4. Configure here.

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit f9e356a. Configure here.

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 23a85f4. Configure here.

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

Comment thread apps/sim/lib/credentials/token-service-accounts/errors.ts
Comment thread apps/sim/app/api/auth/oauth/token/route.ts
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

Comment thread apps/sim/lib/credentials/orchestration/index.ts
@waleedlatif1 waleedlatif1 force-pushed the service-accounts-client-credentials branch from 2700cbc to a2e1187 Compare July 16, 2026 01:59
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@waleedlatif1 waleedlatif1 force-pushed the service-accounts-client-credentials branch from a2e1187 to 92a20e0 Compare July 16, 2026 02:00
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

Comment thread apps/sim/app/api/tools/tiktok/publish-video/route.ts
Comment thread apps/sim/app/api/tools/tiktok/publish-video/route.ts Outdated
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

Comment thread apps/sim/app/workspace/page.tsx Outdated
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

Comment thread apps/sim/app/api/auth/oauth/utils.ts Outdated
…alesforce + Pipedrive API tokens

Second service-account kind (follow-up to #5682): client-credential pairs
(client ID + secret + org identifier) that mint short-lived tokens at
execution — in-memory cache with ciphertext-fingerprint validation
(rotation-correct across instances), single-flight coalescing, 30s failure
memo, no refresh-token storage.

- Zoom Server-to-Server OAuth, Box Client Credentials Grant, and Salesforce
  client-credentials (integration user) are the first minters; Salesforce's
  live instance_url rides the existing instanceUrl plumbing so all 40 tools
  work unchanged
- Pipedrive lands as a token-paste provider with explicit authStyle
  threading: descriptor declares x-api-token, one shared header helper drives
  all 18 tools + both selector routes, OAuth Bearer behavior untouched
- SSRF-allowlisted Salesforce My Domain host (production/sandbox/developer
  partitioned domains); ENOTFOUND maps to site_not_found, EAI_AGAIN stays
  provider_unavailable; 408/429 from token endpoints never blamed on creds
- Create route forwards clientId/clientSecret/orgId to the builder, pinned by
  a route-level regression test
- Zoom user-scoped tools document that server-to-server tokens don't support
  'me'
- 4 setup-guide docs pages verified against current vendor flows (incl.
  Salesforce External Client Apps — the classic Connected App wizard is
  disabled by default since Spring '26); integrations sidebar gains a Service
  Accounts & API Keys section
@waleedlatif1 waleedlatif1 force-pushed the service-accounts-client-credentials branch from 19ca423 to a7c8890 Compare July 16, 2026 02:46
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit a7c8890. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant