fix(integrations): resolve BYO OAuth connect chain (tenant, envelope, redirect_uri)#28
Merged
Merged
Conversation
… redirect_uri)
Corrige a conexao de ferramentas BYO OAuth (Google Calendar, GitHub e os
demais providers MCP) no editor de agente. Eram bugs empilhados, cada um
mascarando o proximo:
1. redirect_uri null -> 500: o CRM nao guarda redirect_uri e o processor
exige os 3 campos. Deriva `<Origin>/<slug>/callback` do header Origin da
request do browser (rota fixa, so o host do front muda), sem env. Novo
src/api/oauth_redirect.py + wiring nos 11 route files.
2. Envelope nao desaninhado: global_config_service lia os campos de
credencial na RAIZ, mas o CRM responde `{success, data:{...}, meta}`.
Todos os campos vinham None -> 500. Helper `_unwrap_envelope` (defensivo)
nos 13 fetchers.
3. NameError mascarando 503: get_configuration_endpoint chamava
error_response(request=request) sem request no escopo -> NameError, que o
EvoAuth middleware relabelava como 503. error_response.request agora e
opcional (path/method None quando ausente).
4. 403 do core-service: o middleware enterprise de tenant e fail-closed em
X-Evo-Tenant-Id ausente. O http_client interno do MCPOAuthService so
mandava Authorization Bearer, sem o tenant, entao toda leitura/escrita de
integracao (PKCE store, load credentials) levava 403 forbidden. Threada o
tenant_id (ja resolvido no dep via current_context_id) ate o http_client
como X-Evo-Tenant-Id, em MCPOAuthService e nas 10 subclasses + deps.
Header so e anexado quando ha tenant (no-op community/standalone).
There was a problem hiding this comment.
Sorry @DavidsonGomes, you have reached your weekly rate limit of 500000 diff characters.
Please try again later or upgrade to continue using Sourcery
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problema
Conectar ferramentas BYO OAuth (Google Calendar, GitHub, e os demais providers MCP) no editor de agente falhava. Eram bugs empilhados, cada fix desmascarando o próximo.
Bugs corrigidos
redirect_uri null → 500: o CRM não guarda
redirect_uri; o processor exige os 3 campos. Passa a derivar automaticamente<Origin>/<slug>/callbackdo headerOriginda request do browser (a rota de callback é fixa, só o host do front muda) — sem env. Novosrc/api/oauth_redirect.py+ wiring nos 11 route files. Google usa hífen (google-calendar).Envelope não desaninhado → 500:
global_config_servicelia os campos na raiz, mas o CRM responde{success, data:{...}, meta}(success_response), então client_id/secret/redirect vinham todosNone. Helper_unwrap_envelope(defensivo: só desaninha quando o shape é o envelope) nos 13 fetchers.NameError mascarando 503:
get_configuration_endpointchamavaerror_response(request=request)semrequestno escopo →NameError, que o EvoAuth middleware (catch-all) relabelava como 503 "Authentication service error", escondendo o erro real.error_response.requestagora é opcional (path/method= None quando ausente).403 do core-service: o middleware enterprise de tenant no core-service é fail-closed em
X-Evo-Tenant-Idausente. Ohttp_clientinterno doMCPOAuthServicesó mandavaAuthorization: Bearer, sem o tenant, então toda leitura/escrita de integração (PKCE store, load credentials) levava 403 forbidden. Threada otenant_id(já resolvido no dep viacurrent_context_id) até ohttp_clientcomoX-Evo-Tenant-Id, emMCPOAuthService+ as 10 subclasses e seus deps.Notas
X-Evo-Tenant-Idsó é anexado quando há tenant (no-op em community/standalone).redirect_uri=<origin>/google-calendar/callback; credenciais resolvem via método real;http_clientcarrega o tenant header quando bindado.Teste
python3 -m py_compileOK em todos os arquivos. Falta o teste E2E de "Conectar" no browser (redirect ao provider) — depende do OAuth app do usuário ter<front-origin>/<slug>/callbackregistrado.