Add multi-plugin OAuth connect UI #1163

Open: ishaanxgupta wants to merge 4 commits into main from plugin-oauth-multi-client-ui

@ishaanxgupta ishaanxgupta commented Jun 26, 2026

Contributor

Summary

  • Adds multi-client handling to the /auth/connect UI for plugin OAuth requests with clients=....
  • Shows stacked plugin logos and shared benefit copy for multi-plugin approvals.
  • Gates non-free plugins by plan while preserving one shared API key flow for eligible clients.
  • Returns keys for eligible clients and errors for plan-gated clients to the CLI callback.

vorflux Bot commented Jun 26, 2026

Contributor

Vorflux skipped this auto review because this account has reached its Auto Review daily review limit (10/10). You can change this in Auto Review Settings: https://us1.vorflux.com/supermemory/settings?section=pull-requests

cloudflare-workers-and-pages Bot commented Jun 26, 2026

Deploying with Cloudflare Workers

The latest updates on your project.

| Status | Name | Latest Commit | Updated (UTC) |
| --- | --- | --- | --- |
| ✅ Deployment successful! | supermemory-mcp | 2c84eb0 | Jul 03 2026, 02:53 PM |

cloudflare-workers-and-pages Bot commented Jun 26, 2026

Deploying with Cloudflare Workers

The latest updates on your project.

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
| --- | --- | --- | --- | --- |
| ✅ Deployment successful! | supermemory-app | 2c84eb0 | Commit Preview URL, Branch Preview URL | Jul 03 2026, 02:55 PM |

@ishaanxgupta ishaanxgupta marked this pull request as ready for review June 26, 2026 14:43
@graphite-app graphite-app Bot requested a review from Dhravya June 26, 2026 14:43

claude Bot commented Jun 26, 2026

Claude finished @ishaanxgupta's task in 1m 16s

Review Complete

  • Fetch and analyze the updated diff
  • Check for bugs, security issues, and logic errors
  • Review against previous feedback
  • Submit review

Overview: Updates multi-plugin OAuth UI with proper client validation, plan-gating logic, and structured response format for CLI callbacks.

Issues found: None — the previous issue (invalid client IDs bypassing validation for Pro users) has been fixed with a cleaner approach. The code now:

  • Separates raw inputs (rawRequestedClients) from validated inputs (requestedClients)
  • Explicitly tracks and surfaces invalid clients via invalidClients
  • Shows clear error messages for unsupported plugins in both the useEffect and handleConnect
  • Properly handles the auto-connect flow after upgrade with a ref guard

Score: 9/10

Solid implementation. The client validation is now robust across all code paths, and the user experience is improved with clear error messaging for invalid plugin IDs.

@claude claude Bot left a comment

Overview: Adds multi-plugin OAuth UI that shows stacked plugin logos, handles plan-gating, and returns structured keys/errors to the CLI callback.

Issues found:

  • Invalid client IDs can bypass validation when a Pro user uses the single ?client= parameter (see inline comment with fix)

Score: 8/10

The implementation is solid overall — the plan-gating logic, loading state handling, and multi-client response format are all well done. The one issue is a subtle regression where invalid client IDs slip through for Pro users on the single-client path. Easy fix with the suggested change.

Comment thread apps/web/app/auth/connect/page.tsx Outdated
.split(",")
.map((value) => value.trim())
.filter((value) => value in PLUGIN_INFO)
const requestedClients = clients.length > 0 ? clients : client ? [client] : []
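
Review bot: the allowlist check in .filter((value) => value in PLUGIN_INFO) uses the in operator, which also matches inherited property names. If PLUGIN_INFO is a plain object literal, values such as constructor or toString pass the filter and land in requestedClients as if they were plugin IDs. Use an own-property check instead, for example Object.hasOwn(PLUGIN_INFO, value), or keep the known IDs in a Set. On the last line, the client ? [client] fallback never goes through this filter at all, so the single-parameter path needs the same validation before anything downstream treats the value as a plugin ID.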

Bug: Invalid client IDs bypass validation for Pro users

When using the single client parameter (not clients), raw unvalidated values are included in requestedClients. The clients array properly filters to valid plugin IDs (value in PLUGIN_INFO), but this fallback uses the raw client value.

This causes a problem when a Pro user visits ?client=invalid_id:

  1. requestedClients = ["invalid_id"]
  2. eligibleClients filter passes because hasProProduct || isFreeTierPlugin(...) → Pro users pass everything
  3. API receives client=invalid_id which could cause server errors

The original code avoided this by using validClient (which is null for invalid clients).

Suggested change
const requestedClients = clients.length > 0 ? clients : client ? [client] : []
const requestedClients = clients.length > 0 ? clients : validClient ? [validClient] : []

@claude claude Bot left a comment

Overview: Updates multi-plugin OAuth UI to properly validate client IDs and handle invalid inputs.

Issues found: None — the previous issue (invalid client IDs bypassing validation for Pro users) has been fixed with a cleaner approach. The code now:

  • Separates raw inputs (rawRequestedClients) from validated inputs (requestedClients)
  • Explicitly tracks and surfaces invalid clients via invalidClients
  • Shows clear error messages for unsupported plugins in both the useEffect and handleConnect

This is a better fix than my original suggestion because it provides explicit user feedback rather than silently ignoring invalid clients.

Score: 9/10

Solid implementation. The client validation is now robust across all code paths, and the user experience is improved with clear error messaging for invalid plugin IDs.
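
The bypass reported on the outdated hunk and the raw/validated split described in the follow-up review, side by side, as an added example that is not the PR's code. The PLUGIN_INFO entries, the free flag, and the function names outdatedRequestedClients, parseRequestedClients, planGate and gatedClients are assumptions; rawRequestedClients, requestedClients, invalidClients, hasProProduct and the client/clients parameters are the names used in the thread.

```javascript
// Added illustration, not code from the PR. PLUGIN_INFO entries are constructed.
const PLUGIN_INFO = {
  "plugin-free": { name: "Free Plugin", free: true },
  "plugin-pro": { name: "Pro Plugin", free: false },
};

// Shape of the outdated hunk: `in` allowlist on clients=, raw fallback on client=.
function outdatedRequestedClients(search) {
  const params = new URLSearchParams(search);
  const client = params.get("client");
  const clients = (params.get("clients") ?? "")
    .split(",")
    .map((value) => value.trim())
    .filter((value) => value in PLUGIN_INFO);
  return clients.length > 0 ? clients : client ? [client] : [];
}

// Own-property check: `in` would also accept inherited names like "constructor".
const isKnownPlugin = (id) => Object.prototype.hasOwnProperty.call(PLUGIN_INFO, id);

// Hardened parse: both parameters pass through the same allowlist, and
// rejected IDs are returned so the UI can report them instead of dropping them.
function parseRequestedClients(search) {
  const params = new URLSearchParams(search);
  const fromList = (params.get("clients") ?? "").split(",").map((v) => v.trim()).filter(Boolean);
  const single = (params.get("client") ?? "").trim();
  const rawRequestedClients = [...new Set(fromList.length > 0 ? fromList : single ? [single] : [])];
  const requestedClients = rawRequestedClients.filter(isKnownPlugin);
  const invalidClients = rawRequestedClients.filter((id) => !isKnownPlugin(id));
  return { rawRequestedClients, requestedClients, invalidClients };
}

// Plan gate runs only on validated IDs, so a Pro plan cannot wave an
// unknown ID through to the key-issuing API.
function planGate(requestedClients, hasProProduct) {
  const eligibleClients = requestedClients.filter((id) => hasProProduct || PLUGIN_INFO[id].free);
  const gatedClients = requestedClients.filter((id) => !eligibleClients.includes(id));
  return { eligibleClients, gatedClients };
}
```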

@claude claude Bot left a comment

Overview: Updates multi-plugin OAuth UI with proper client validation, plan-gating logic, and structured response format for CLI callbacks.

Issues found: None — the previous issue (invalid client IDs bypassing validation for Pro users) has been fixed with a cleaner approach. The code now:

  • Separates raw inputs (rawRequestedClients) from validated inputs (requestedClients)
  • Explicitly tracks and surfaces invalid clients via invalidClients
  • Shows clear error messages for unsupported plugins in both the useEffect and handleConnect
  • Properly handles the auto-connect flow after upgrade with a ref guard

This is a better fix than my original suggestion because it provides explicit user feedback rather than silently ignoring invalid clients.

Score: 9/10

Solid implementation. The client validation is now robust across all code paths, and the user experience is improved with clear error messaging for invalid plugin IDs.

@claude claude Bot left a comment

Overview: Updates multi-plugin OAuth UI with proper client validation, plan-gating logic, and structured response format for CLI callbacks.

Issues found: None — the previous issue (invalid client IDs bypassing validation for Pro users) has been fixed with a cleaner approach. The code now:

  • Separates raw inputs (rawRequestedClients) from validated inputs (requestedClients)
  • Explicitly tracks and surfaces invalid clients via invalidClients
  • Shows clear error messages for unsupported plugins in both the useEffect and handleConnect
  • Properly handles the auto-connect flow after upgrade with a ref guard

This is a better fix than my original suggestion because it provides explicit user feedback rather than silently ignoring invalid clients.

Score: 9/10

Solid implementation. The client validation is now robust across all code paths, and the user experience is improved with clear error messaging for invalid plugin IDs.
