Add multi-plugin OAuth connect UI #1163
Vorflux skipped this auto review because this account has reached its Auto Review daily review limit (10/10). You can change this in Auto Review Settings: https://us1.vorflux.com/supermemory/settings?section=pull-requests
Deploying with

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs | supermemory-mcp | 2c84eb0 | Jul 03 2026, 02:53 PM |

Deploying with

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs | supermemory-app | 2c84eb0 | Commit Preview URL Branch Preview URL | Jul 03 2026, 02:55 PM |

Claude finished @ishaanxgupta's task in 1m 16s
Review Complete
Overview: Updates multi-plugin OAuth UI with proper client validation, plan-gating logic, and structured response format for CLI callbacks.
Issues found: None — the previous issue (invalid client IDs bypassing validation for Pro users) has been fixed with a cleaner approach. The code now:
Score: 9/10
Solid implementation. The client validation is now robust across all code paths, and the user experience is improved with clear error messaging for invalid plugin IDs.
Overview: Adds multi-plugin OAuth UI that shows stacked plugin logos, handles plan-gating, and returns structured keys/errors to the CLI callback.
Issues found:
- Invalid client IDs can bypass validation when a Pro user uses the single ?client= parameter (see inline comment with fix)
Score: 8/10
The implementation is solid overall — the plan-gating logic, loading state handling, and multi-client response format are all well done. The one issue is a subtle regression where invalid client IDs slip through for Pro users on the single-client path. Easy fix with the suggested change.
| .split(",") | ||
| .map((value) => value.trim()) | ||
| .filter((value) => value in PLUGIN_INFO) | ||
| const requestedClients = clients.length > 0 ? clients : client ? [client] : [] |
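Review bot: The value in PLUGIN_INFO filter on the third line of this hunk matches inherited keys as well as own ones. If PLUGIN_INFO is a plain object literal (its definition is not visible here), values such as constructor or toString pass the filter and land in requestedClients as if they were plugin IDs. Suggest Object.hasOwn(PLUGIN_INFO, value) in the filter, and the same own-property check wherever the single client value is validated.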
Bug: Invalid client IDs bypass validation for Pro users
When using the single client parameter (not clients), raw unvalidated values are included in requestedClients. The clients array properly filters to valid plugin IDs (value in PLUGIN_INFO), but this fallback uses the raw client value.
This causes a problem when a Pro user visits ?client=invalid_id:
- requestedClients = ["invalid_id"]
- eligibleClients filter passes because hasProProduct || isFreeTierPlugin(...) → Pro users pass everything
- API receives client=invalid_id which could cause server errors
The original code avoided this by using validClient (which is null for invalid clients).
| const requestedClients = clients.length > 0 ? clients : client ? [client] : [] | |
| const requestedClients = clients.length > 0 ? clients : validClient ? [validClient] : [] |
Overview: Updates multi-plugin OAuth UI to properly validate client IDs and handle invalid inputs.
Issues found: None — the previous issue (invalid client IDs bypassing validation for Pro users) has been fixed with a cleaner approach. The code now:
- Separates raw inputs (rawRequestedClients) from validated inputs (requestedClients)
- Explicitly tracks and surfaces invalid clients via invalidClients
- Shows clear error messages for unsupported plugins in both the useEffect and handleConnect
This is a better fix than my original suggestion because it provides explicit user feedback rather than silently ignoring invalid clients.
Score: 9/10
Solid implementation. The client validation is now robust across all code paths, and the user experience is improved with clear error messaging for invalid plugin IDs.
Overview: Updates multi-plugin OAuth UI with proper client validation, plan-gating logic, and structured response format for CLI callbacks.
Issues found: None — the previous issue (invalid client IDs bypassing validation for Pro users) has been fixed with a cleaner approach. The code now:
- Separates raw inputs (rawRequestedClients) from validated inputs (requestedClients)
- Explicitly tracks and surfaces invalid clients via invalidClients
- Shows clear error messages for unsupported plugins in both the useEffect and handleConnect
- Properly handles the auto-connect flow after upgrade with a ref guard
This is a better fix than my original suggestion because it provides explicit user feedback rather than silently ignoring invalid clients.
Score: 9/10
Solid implementation. The client validation is now robust across all code paths, and the user experience is improved with clear error messaging for invalid plugin IDs.
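The validation pattern the reviews above converge on, as an added example that is not the PR's own code: raw query input is kept apart from IDs validated against PLUGIN_INFO, and plan gating only ever sees validated IDs. The plugin IDs, the freeTier field and the function names resolveRequestedClients and planConnect are assumptions; the own-property check is a stricter substitute for the value in PLUGIN_INFO filter shown in the diff.

```javascript
// Added example: allowlist validation for the ?clients= / ?client= parameters.
// PLUGIN_INFO contents and the freeTier field are constructed for illustration.
const PLUGIN_INFO = {
  claude_code: { name: "Claude Code", freeTier: true },
  cursor: { name: "Cursor", freeTier: false },
};

// Own-property check: `"constructor" in PLUGIN_INFO` is true through the
// prototype chain, so `in` alone would accept IDs that are not real plugins.
const isKnownPlugin = (id) =>
  Object.prototype.hasOwnProperty.call(PLUGIN_INFO, id);

function resolveRequestedClients(search) {
  const params = new URLSearchParams(search);
  const list = (params.get("clients") ?? "")
    .split(",")
    .map((value) => value.trim())
    .filter((value) => value.length > 0);
  const single = (params.get("client") ?? "").trim();
  // Raw input stays separate from validated input on both parameter paths.
  const rawRequestedClients = list.length > 0 ? list : single ? [single] : [];
  const unique = [...new Set(rawRequestedClients)];
  return {
    rawRequestedClients,
    requestedClients: unique.filter(isKnownPlugin),
    invalidClients: unique.filter((id) => !isKnownPlugin(id)),
  };
}

// Plan gating runs only over validated IDs, so a Pro plan cannot wave an
// unknown ID through to the API; invalid IDs are reported, not dropped.
function planConnect(search, hasProProduct) {
  const { requestedClients, invalidClients } = resolveRequestedClients(search);
  const eligible = requestedClients.filter(
    (id) => hasProProduct || PLUGIN_INFO[id].freeTier,
  );
  const gated = requestedClients.filter((id) => !eligible.includes(id));
  return { eligible, gated, invalidClients };
}
```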
Summary
- /auth/connect UI for plugin OAuth requests with clients=....
- keys for eligible clients and errors for plan-gated clients to the CLI callback.