Skip to content

fix: validate custom auth credentials against the platform auth envelope#49

Merged
TheRealAgentK merged 10 commits into
masterfrom
na/feat/strict-wrapped-auth-validation
Jul 3, 2026
Merged

fix: validate custom auth credentials against the platform auth envelope#49
TheRealAgentK merged 10 commits into
masterfrom
na/feat/strict-wrapped-auth-validation

Conversation

@NinosMan

@NinosMan NinosMan commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Description 📝

  • Purpose: Fixes the root cause of the ActiveCampaign outage (autohive-integrations PR #345 / hotfixed by #349). The platform sends integration auth as a wrapped envelope {"auth_type": "...", "credentials": {...}}, but the SDK validated the entire envelope against auth.fields — a schema that describes only the inner credentials object. Any integration declaring a non-empty auth.fields.required therefore failed validation on every action before its handler ran, while removing required made validation pass vacuously (even with empty credentials).
  • Approach: A single shared _validate_auth now runs in execute_action, execute_polling_trigger, and get_connected_account. It requires context.auth to be the platform envelope (dict credentials, auth_type from the AuthType enum) and validates context.auth["credentials"] against auth.fields. Auth failures are raised with source="auth" instead of source="input", so the platform no longer misclassifies them as LLM-argument errors. auth.fields.required is now honoured and recommended. Production runtime behavior is unchanged (the platform has always sent the envelope); flat auth contexts — used by many integrations' local tests — are now rejected, so test suites must migrate to the wrapped shape as integrations rebuild.
  • Release plan: This PR intentionally excludes release metadata (version bump, RELEASENOTES, regenerated apidocs) — those land on a 2.0.1 release branch cut from master with the 3.0-bound User-Agent change dropped. The metadata is preserved as a cherry-pickable commit on the local branch na/release/sdk-2.0.1-metadata.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • This change requires a documentation update

Updates

👉 Integration._validate_auth — one shared implementation replacing three divergent inline checks; validates the credentials object, enforces the envelope shape and AuthType membership, raises with source="auth"
👉 Docs, skills, samples, and tutorial swept of flat-auth examples — handlers read context.auth["credentials"], tests construct the wrapped envelope
👉 89 tests covering wrapped-auth success, missing/unknown/empty auth_type, missing required credentials, and flat-auth rejection across all three execution paths

Test plan 🧪

  • pytest tests/ — 89 passed, 100% coverage on integration.py
  • Regression scenario: an integration config with auth.fields.required: ["api_key", "api_url"] (the original ActiveCampaign shape) now passes with a production-shaped envelope and fails with source="auth" when a required credential is missing — verified in tests/test_integration.py
  • Verified against autohive-integrations: already-wrapped test suites (e.g. trello, 77/77) pass unchanged; flat-auth suites fail with the explicit envelope error, as expected and to be migrated by the team
  • Note for rollout: ~=2.0.0 pins resolve to 2.0.1 on the next rebuild once the release ships — coordinate the PyPI publish with the team heads-up about flat-test migration

Author(s) to check 👓

  • Project and all contained modules builds successfully
  • Self-/dev-tested
  • Unit/UI/Automation/Integration tests provided where applicable
  • Code is written to standards
  • Appropriate documentation written (code comments, internal docs)

NinosMan added 6 commits July 2, 2026 14:55
Validate context.auth["credentials"] against auth.fields via a shared
_validate_auth across execute_action, execute_polling_trigger, and
get_connected_account, raising with source="auth". Flat auth contexts are
rejected with an explicit envelope error. Adds ExecutionContext.credentials
as the blessed handler accessor. Bumps version to 3.0.0.
Validation now rejects envelopes missing a non-empty auth_type string,
closing an undocumented third shape that made fetch() default to
PlatformOauth2 header behavior. Tutorial and skill docs now teach the
wrapped envelope and context.credentials.
Production runtime is unchanged by the validation fix (the platform has
always sent the wrapped envelope), so this ships as a patch rather than
a new major. Release notes reframed accordingly; ~=2.0.0 pins pick this
up on next rebuild, so tests must be migrated before rebuilding.
Strict validation guarantees the envelope shape before handlers run, so
handlers read context.auth["credentials"] directly; no new API surface
in a patch release.
An auth_type outside the AuthType enum previously passed validation and
later surfaced as a raw ValueError inside fetch(); it now fails fast as
an auth-sourced validation error.
Comment thread docs/manual/building_your_first_integration.md Outdated
NinosMan added 2 commits July 3, 2026 14:13
Version bump, release notes, and regenerated apidocs move to the 2.0.1
release branch, which will be cut from master without the 3.0-bound
User-Agent change. The validation fix itself is unchanged.
The release number is decided on the release branch; the fix itself
stays version-agnostic.
@NinosMan NinosMan requested a review from TheRealAgentK July 3, 2026 02:28
@NinosMan NinosMan marked this pull request as ready for review July 3, 2026 02:28
NinosMan added 2 commits July 3, 2026 14:29
Master's User-Agent tests were written against the old flat-auth
contract and fail under strict envelope validation once merged.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 68b684657e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread src/autohive_integrations_sdk/integration.py
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Coverage — c7aecd2 (test: use wrapped auth envelope in user-agent identity tests) by @NinosMan

Total coverage: 100%

File Stmts Miss Cover Missing
src/autohive_integrations_sdk/__init__.py 2 0 100%
src/autohive_integrations_sdk/integration.py 388 0 100%

@TheRealAgentK TheRealAgentK merged commit 225ab12 into master Jul 3, 2026
1 check passed
@TheRealAgentK TheRealAgentK deleted the na/feat/strict-wrapped-auth-validation branch July 3, 2026 02:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants