fix: make OAuth refresh_token optional to unblock wizard login #467
Draft
posthog[bot] wants to merge 1 commit into
The OAuth token endpoint does not always issue a refresh_token, but the schema marked it required, so parse() threw synchronously inside exchangeCodeForToken and aborted the entire wizard run during login. The performOAuthFlow result is consumed only for access_token and scoped_teams (src/utils/setup-utils.ts:488), so loosening the schema is safe.
Generated-By: PostHog Code
Task-Id: 9ee1d361-cf7f-4c33-8298-8f829cd4c6a0
🧙 Wizard CI
Run the Wizard CI and test your changes against wizard-workbench example apps by replying with a GitHub comment using one of the following commands:
Test all apps:
Test all apps in a directory:
Test an individual app:
Results will be posted here when complete.
Problem
Wizard login hard-aborts for any user whose OAuth token response from POSTHOG_OAUTH_URL/oauth/token omits refresh_token. OAuthTokenResponseSchema declared the field required, so OAuthTokenResponseSchema.parse in exchangeCodeForToken throws ZodError: refresh_token Required, the catch in performOAuthFlow calls abort(), and the wizard run dies at its entry point with no workaround.

Error tracking shows this across at least 4 distinct users on two separate wizard releases (bundle hashes setup-utils-BYMsvp-X.js and setup-utils-DGUR4Djo.js), spanning 2026-04-30 through 2026-05-21 — so it reproduces across users and releases.

Changes
src/utils/oauth.ts:51 — mark refresh_token as z.string().optional(). performOAuthFlow's result is consumed only at src/utils/setup-utils.ts:488, which reads access_token and scoped_teams; nothing downstream persists or uses the refresh token, so propagating string | undefined is safe (the inferred OAuthTokenResponse type updates automatically).

The separate TokenResponseSchema in src/utils/provisioning.ts (used by the provisioning signup flow, not the OAuth login flow) is unchanged — that code path forwards refresh_token into its return value and is governed by a different server endpoint that does issue refresh tokens.

Test plan
pnpm build — clean
pnpm test for src/__tests__/provision-cli.test.ts and provisioning suites — passing (one flaky full-suite timeout in provision-cli.test.ts reproduces on main too and is unrelated to this change)
pnpm lint — no new errors
refresh_token and confirm login completes

Created with PostHog Code
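
The failure described under Problem and the relaxed rule described under Changes, as an added example that is not code from this PR or the wizard repository: a hand-written check stands in for the zod schema, and it also shows that an optional field which is present with the wrong type is still rejected. The names parseTokenResponse, refreshRequired and sampleResponse are hypothetical, and treating scoped_teams as an array of numbers is an assumption.

```typescript
// Added illustration, not code from the PR: a hand-written check standing in
// for the zod schema. parseTokenResponse and refreshRequired are hypothetical,
// and scoped_teams being number[] is an assumption.
interface OAuthTokenResponse {
  access_token: string;
  scoped_teams: number[];
  refresh_token?: string;
}

interface ParseResult {
  ok: boolean;
  errors: string[];
  value?: OAuthTokenResponse;
}

function parseTokenResponse(body: unknown, refreshRequired = false): ParseResult {
  if (typeof body !== "object" || body === null) {
    return { ok: false, errors: ["body: expected object"] };
  }
  const b = body as Record<string, unknown>;
  const errors: string[] = [];
  const token = b.access_token;
  const teams = b.scoped_teams;
  const refresh = b.refresh_token;

  if (typeof token !== "string" || token.length === 0) {
    errors.push("access_token: Required");
  }
  if (!Array.isArray(teams) || !teams.every((t) => typeof t === "number")) {
    errors.push("scoped_teams: expected number[]");
  }
  // Optional means "may be absent", not "may be anything": a value that is
  // present but not a string (null included) is still rejected.
  if (refresh === undefined) {
    if (refreshRequired) errors.push("refresh_token: Required");
  } else if (typeof refresh !== "string") {
    errors.push("refresh_token: expected string");
  }
  if (errors.length > 0) return { ok: false, errors };

  const value: OAuthTokenResponse = {
    access_token: token as string,
    scoped_teams: teams as number[],
  };
  if (typeof refresh === "string") value.refresh_token = refresh;
  return { ok: true, errors, value };
}

// Constructed sample response without refresh_token (not real data).
const sampleResponse = { access_token: "constructed-token", scoped_teams: [1] };
```

Calling parseTokenResponse(sampleResponse, true) reproduces the old required-field rejection, while the default call accepts the same response.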
pnpm build— cleanpnpm testforsrc/__tests__/provision-cli.test.tsand provisioning suites — passing (one flaky full-suite timeout inprovision-cli.test.tsreproduces onmaintoo and is unrelated to this change)pnpm lint— no new errorsrefresh_tokenand confirm login completesCreated with PostHog Code