Skip to content

feat(credentials): client-credentials service accounts — Zoom, Box, Salesforce + Pipedrive API tokens#5690

Merged
waleedlatif1 merged 1 commit into
stagingfrom
service-accounts-client-credentials
Jul 16, 2026
Merged

feat(credentials): client-credentials service accounts — Zoom, Box, Salesforce + Pipedrive API tokens#5690
waleedlatif1 merged 1 commit into
stagingfrom
service-accounts-client-credentials

Conversation

@waleedlatif1

Copy link
Copy Markdown
Collaborator

Summary

  • Second service-account kind (follow-up to feat(credentials): token-paste service accounts for 12 providers #5682): client-credential pairs (client ID + secret + org identifier) that mint short-lived tokens at execution — in-memory cache with ciphertext-fingerprint validation (rotation-correct across instances), single-flight coalescing, 30s failure memo, no refresh-token storage
  • Zoom Server-to-Server OAuth, Box Client Credentials Grant, and Salesforce client-credentials (integration user) are the first minters; Salesforce's live instance_url rides the existing instanceUrl plumbing so all 40 tools work unchanged
  • Pipedrive lands as a token-paste provider with explicit authStyle threading: descriptor declares x-api-token, one shared header helper drives all 18 tools + both selector routes, OAuth Bearer behavior untouched
  • SSRF-allowlisted Salesforce My Domain host (production/sandbox/developer partitioned domains) with DNS-failure discrimination; 408/429 from token endpoints never blamed on credentials
  • Zoom user-scoped tools document that server-to-server tokens don't support 'me'; Pipedrive pipeline-deals migrated off the sunset v1 endpoint
  • 4 setup-guide docs pages written against verified current vendor flows (incl. Salesforce External Client Apps — the classic Connected App wizard is disabled by default since Spring '26); integrations sidebar gains a Service Accounts & API Keys section

Type of Change

  • New feature

Testing

204 tests across minters, validators, the mint-cache suite, threading, and existing credential suites; typecheck, check:api-validation, docs MDX build all green. Specs and implementations verified against live vendor docs by independent research + adversarial verification rounds.

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel Bot commented Jul 15, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Ready Ready Preview, Comment Jul 16, 2026 6:22am

Request Review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@gitguardian

gitguardian Bot commented Jul 15, 2026

Copy link
Copy Markdown

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
While these secrets were previously flagged, we no longer have a reference to the
specific commits where they were detected. Once a secret has been leaked into a git
repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@cursor

cursor Bot commented Jul 15, 2026

Copy link
Copy Markdown

PR Summary

Medium Risk
Changes core credential verification, token resolution, and outbound auth to third parties (including Salesforce host validation); mistakes could break workflows or misclassify errors, though coverage is broad and failures are mapped explicitly.

Overview
Introduces a client-credential service-account path: workspaces store client ID, secret, and org identifier; connect time verifies by minting a real token; runtime re-mints short-lived access tokens (Zoom S2S, Box CCG, Salesforce integration user) with per-credential in-memory caching, secret-fingerprint invalidation on rotation, single-flight coalescing, and brief failure memoization.

Salesforce mints against SSRF-allowlisted My Domain hosts and returns instanceUrl for API calls; Pipedrive joins the token-paste family with authStyle: x-api-token surfaced through the OAuth token route and shared header helpers for tools/selectors. Credential create/update/reconnect APIs accept clientId / clientSecret / orgId; a generic ClientCredentialAccountModal wires integration UI labels and validation codes (invalid_credentials, site_not_found, provider_unavailable → appropriate HTTP statuses).

Adds setup guides for Box, Pipedrive API tokens, Salesforce integration users, and Zoom server-to-server apps, and regroups integrations nav under Service Accounts & API Keys. Zoom block copy clarifies that me is OAuth-only for user-scoped operations.

Reviewed by Cursor Bugbot for commit 183f3db. Configure here.

@greptile-apps

greptile-apps Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds service-account credentials for several integrations and expands API-token support. The main changes are:

  • Client-credential token minting for Zoom, Box, and Salesforce.
  • Pipedrive API-token authentication across its tools and selector routes.
  • Credential contracts, validation, caching, error handling, and setup UI.
  • Setup guides for the new credential types.
  • Restored backward-compatible Pipedrive pipeline pagination.

Confidence Score: 5/5

This looks safe to merge.

  • The saved Pipedrive pagination contract is restored with start and next_start.
  • The shared authentication helper is compatible with the pipeline-deals tool and established import patterns.
  • No blocking issue remains in the reviewed fix.

Important Files Changed

Filename Overview
apps/sim/tools/pipedrive/get_pipeline_deals.ts Restores the v1 pagination contract while retaining shared OAuth and API-token header handling.
apps/sim/lib/credentials/client-credential-accounts/server.ts Adds runtime resolution and caching for client-credential service-account tokens.
apps/sim/tools/pipedrive/utils.ts Centralizes Pipedrive Bearer and x-api-token header construction.

Reviews (16): Last reviewed commit: "feat(credentials): client-credentials se..." | Re-trigger Greptile

Comment thread apps/sim/tools/pipedrive/get_pipeline_deals.ts
@greptile-apps

greptile-apps Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds service-account authentication for several integrations. The main changes are:

  • Client-credential token minting and caching for Zoom, Box, and Salesforce.
  • Pipedrive API-token authentication through the x-api-token header.
  • Salesforce My Domain validation and instance URL propagation.
  • Pipedrive pipeline-deal migration to the v2 cursor API.
  • Credential setup UI, API contracts, tests, and integration guides.

Confidence Score: 4/5

The client-credential creation path needs a fix before merging.

  • Valid Zoom, Box, and Salesforce credentials fail because the create route drops all three required fields.
  • The update path forwards these fields correctly.
  • Token caching, Pipedrive header selection, and Salesforce host restrictions are consistent in the reviewed paths.

apps/sim/app/api/credentials/route.ts

Important Files Changed

Filename Overview
apps/sim/app/api/credentials/route.ts Extends credential creation for client-credential accounts, but the create branch drops their required fields before verification.
apps/sim/app/api/auth/oauth/utils.ts Adds client-credential token caching, mint coalescing, failure memoization, rotation detection, and token metadata propagation.
apps/sim/lib/credentials/client-credential-accounts/minters/salesforce.ts Adds Salesforce token minting with My Domain validation, transient error handling, and constrained instance URLs.
apps/sim/tools/pipedrive/utils.ts Centralizes Pipedrive Bearer and API-token header selection.
apps/sim/tools/pipedrive/get_pipeline_deals.ts Moves pipeline-deal retrieval from the v1 offset endpoint to the v2 cursor endpoint.
apps/sim/app/workspace/[workspaceId]/integrations/components/connect-service-account-modal/client-credential-account-modal.tsx Adds descriptor-driven forms for client-credential service accounts.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant UI as Service-account modal
    participant API as POST /api/credentials
    participant Builder as Secret builder
    participant Provider as Zoom, Box, or Salesforce
    participant DB as Credential store
    UI->>API: providerId, clientId, clientSecret, orgId
    API->>Builder: providerId without client credentials
    Builder-->>API: Missing required field error
    Note over Provider,DB: Verification and storage are not reached
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant UI as Service-account modal
    participant API as POST /api/credentials
    participant Builder as Secret builder
    participant Provider as Zoom, Box, or Salesforce
    participant DB as Credential store
    UI->>API: providerId, clientId, clientSecret, orgId
    API->>Builder: providerId without client credentials
    Builder-->>API: Missing required field error
    Note over Provider,DB: Verification and storage are not reached
Loading

Reviews (2): Last reviewed commit: "fix(credentials): Group B verification r..." | Re-trigger Greptile

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 0d959f4. Configure here.

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit f9e356a. Configure here.

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 23a85f4. Configure here.

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

Comment thread apps/sim/lib/credentials/token-service-accounts/errors.ts
Comment thread apps/sim/app/api/auth/oauth/token/route.ts
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

Comment thread apps/sim/app/workspace/page.tsx Outdated
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

Comment thread apps/sim/app/api/auth/oauth/utils.ts Outdated
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit a7c8890. Configure here.

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1 waleedlatif1 force-pushed the service-accounts-client-credentials branch from a7c8890 to 7055d14 Compare July 16, 2026 05:49
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

Comment thread apps/sim/app/api/auth/oauth/token/route.ts
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 79dfed4. Configure here.

…alesforce + Pipedrive API tokens

Second service-account kind (follow-up to #5682): client-credential pairs
(client ID + secret + org identifier) that mint short-lived tokens at
execution — in-memory cache with ciphertext-fingerprint validation
(rotation-correct across instances), single-flight coalescing, 30s failure
memo, no refresh-token storage.

- Zoom Server-to-Server OAuth, Box Client Credentials Grant, and Salesforce
  client-credentials (integration user) are the first minters; Salesforce's
  live instance_url rides the existing instanceUrl plumbing so all 40 tools
  work unchanged
- Pipedrive lands as a token-paste provider with explicit authStyle
  threading: descriptor declares x-api-token, one shared header helper drives
  all 18 tools + both selector routes, OAuth Bearer behavior untouched
- SSRF-allowlisted Salesforce My Domain host (production/sandbox/developer
  partitioned domains); ENOTFOUND maps to site_not_found, EAI_AGAIN stays
  provider_unavailable; 408/429 from token endpoints never blamed on creds
- Create route forwards clientId/clientSecret/orgId to the builder, pinned by
  a route-level regression test
- Zoom user-scoped tools document that server-to-server tokens don't support
  'me'
- 4 setup-guide docs pages verified against current vendor flows (incl.
  Salesforce External Client Apps — the classic Connected App wizard is
  disabled by default since Spring '26); integrations sidebar gains a Service
  Accounts & API Keys section
@waleedlatif1 waleedlatif1 force-pushed the service-accounts-client-credentials branch from 79dfed4 to 183f3db Compare July 16, 2026 06:18
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 183f3db. Configure here.

@waleedlatif1 waleedlatif1 merged commit d7f0a11 into staging Jul 16, 2026
20 checks passed
@waleedlatif1 waleedlatif1 deleted the service-accounts-client-credentials branch July 16, 2026 07:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant