fix: validate custom auth credentials against the platform auth envelope#49
Merged
Merged
Conversation
Validate context.auth["credentials"] against auth.fields via a shared _validate_auth across execute_action, execute_polling_trigger, and get_connected_account, raising with source="auth". Flat auth contexts are rejected with an explicit envelope error. Adds ExecutionContext.credentials as the blessed handler accessor. Bumps version to 3.0.0.
Validation now rejects envelopes missing a non-empty auth_type string, closing an undocumented third shape that made fetch() default to PlatformOauth2 header behavior. Tutorial and skill docs now teach the wrapped envelope and context.credentials.
Production runtime is unchanged by the validation fix (the platform has always sent the wrapped envelope), so this ships as a patch rather than a new major. Release notes reframed accordingly; ~=2.0.0 pins pick this up on next rebuild, so tests must be migrated before rebuilding.
Strict validation guarantees the envelope shape before handlers run, so handlers read context.auth["credentials"] directly; no new API surface in a patch release.
An auth_type outside the AuthType enum previously passed validation and later surfaced as a raw ValueError inside fetch(); it now fails fast as an auth-sourced validation error.
NinosMan
commented
Jul 3, 2026
Version bump, release notes, and regenerated apidocs move to the 2.0.1 release branch, which will be cut from master without the 3.0-bound User-Agent change. The validation fix itself is unchanged.
The release number is decided on the release branch; the fix itself stays version-agnostic.
…ped-auth-validation
Master's User-Agent tests were written against the old flat-auth contract and fail under strict envelope validation once merged.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 68b684657e
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
TheRealAgentK
approved these changes
Jul 3, 2026
This was referenced Jul 3, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description 📝
{"auth_type": "...", "credentials": {...}}, but the SDK validated the entire envelope againstauth.fields— a schema that describes only the inner credentials object. Any integration declaring a non-emptyauth.fields.requiredtherefore failed validation on every action before its handler ran, while removingrequiredmade validation pass vacuously (even with empty credentials)._validate_authnow runs inexecute_action,execute_polling_trigger, andget_connected_account. It requirescontext.authto be the platform envelope (dictcredentials,auth_typefrom theAuthTypeenum) and validatescontext.auth["credentials"]againstauth.fields. Auth failures are raised withsource="auth"instead ofsource="input", so the platform no longer misclassifies them as LLM-argument errors.auth.fields.requiredis now honoured and recommended. Production runtime behavior is unchanged (the platform has always sent the envelope); flat auth contexts — used by many integrations' local tests — are now rejected, so test suites must migrate to the wrapped shape as integrations rebuild.na/release/sdk-2.0.1-metadata.Type of change
Updates
👉
Integration._validate_auth— one shared implementation replacing three divergent inline checks; validates the credentials object, enforces the envelope shape andAuthTypemembership, raises withsource="auth"👉 Docs, skills, samples, and tutorial swept of flat-auth examples — handlers read
context.auth["credentials"], tests construct the wrapped envelope👉 89 tests covering wrapped-auth success, missing/unknown/empty
auth_type, missing required credentials, and flat-auth rejection across all three execution pathsTest plan 🧪
pytest tests/— 89 passed, 100% coverage onintegration.pyauth.fields.required: ["api_key", "api_url"](the original ActiveCampaign shape) now passes with a production-shaped envelope and fails withsource="auth"when a required credential is missing — verified intests/test_integration.py~=2.0.0pins resolve to 2.0.1 on the next rebuild once the release ships — coordinate the PyPI publish with the team heads-up about flat-test migrationAuthor(s) to check 👓