Conversation
chore(integration): add support for encrypted client credentials
PR Summary
Medium Risk
Overview
The admin integrations page decrypts these fields client-side (when available) and shows a new in-card credentials summary with a toggle to reveal/hide the secret. OpenAPI schema is updated to add a required
Written by Cursor Bugbot for commit f38dd50.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| clientIdHint: credential?.clientIdHint, | ||
| clientSecretHint: credential?.clientSecretHint, | ||
| encryptedClientId: credential?.encryptedClientId, | ||
| encryptedClientSecret: credential?.encryptedClientSecret, |
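Review bot: the two encrypted* lines should not be added to this response next to clientIdHint and clientSecretHint; the hint fields already give the admin UI a masked view, and shipping encryptedClientId and encryptedClientSecret to the browser only serves a purpose because a server action will decrypt them on request, which turns a read-only listing into a plaintext-retrieval path. Suggest dropping `encryptedClientId: credential?.encryptedClientId,` and `encryptedClientSecret: credential?.encryptedClientSecret,` here and, if a reveal feature is required, serving it from a separate authorized endpoint that returns the plaintext for the single integration requested rather than through the list payload that gets cached.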
API exposes encrypted credentials enabling full plaintext retrieval
High Severity
The listIntegrations endpoint now returns encryptedClientId and encryptedClientSecret to the browser. These are then decrypted via a 'use server' action and the full plaintext OAuth client secrets end up in browser memory, SWR cache, and the DOM. This contradicts the existing security design — the sibling getIntegration endpoint on line 114 explicitly says // don't expose actual credentials. Previously only masked clientIdHint/clientSecretHint values were sent. The full secrets are now accessible to any XSS vector, browser extension, or session-hijack targeting an admin user.
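As an added illustration, not code from this PR's repository, one way to keep the listing response limited to masked hints is an explicit allow-list projection plus a serialization guard that rejects any key looking like secret material; only the four field names come from the diff, while IntegrationCredential, toIntegrationListItem, findSecretFields and buildListResponse are assumed names.

```typescript
// Added example, not the PR's own code. Only the four field names come from
// the diff under review; the record and function names are assumptions.
interface IntegrationCredential {
  clientIdHint: string;
  clientSecretHint: string;
  encryptedClientId: string;
  encryptedClientSecret: string;
}

// What the listIntegrations response is allowed to carry: masked hints only.
interface IntegrationListItem {
  clientIdHint: string;
  clientSecretHint: string;
}

// Allow-list projection: build the response from named fields instead of
// spreading the stored record, so encrypted or new columns never leak by default.
function toIntegrationListItem(credential?: IntegrationCredential): IntegrationListItem {
  return {
    clientIdHint: credential?.clientIdHint ?? "",
    clientSecretHint: credential?.clientSecretHint ?? "",
  };
}

// Defence in depth: any key that starts with "encrypted" or ends with "secret"
// (case-insensitive) is treated as secret material; "...SecretHint" is allowed.
const FORBIDDEN_FIELD = /^encrypted|secret$/i;

// Walk a response payload and return the paths of fields that must not ship.
function findSecretFields(payload: unknown, path = ""): string[] {
  if (payload === null || typeof payload !== "object") return [];
  const found: string[] = [];
  for (const [key, value] of Object.entries(payload as Record<string, unknown>)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_FIELD.test(key)) found.push(here);
    found.push(...findSecretFields(value, here));
  }
  return found;
}

// Serialize the listing, refusing to respond at all if a secret slipped through.
function buildListResponse(rows: IntegrationCredential[]): IntegrationListItem[] {
  const items = rows.map((row) => toIntegrationListItem(row));
  const leaks = findSecretFields({ items });
  if (leaks.length > 0) throw new Error(`refusing to expose: ${leaks.join(", ")}`);
  return items;
}
```

The guard is the part worth keeping even if the projection is later rewritten, since it catches a future `...credential` spread at the serialization boundary instead of in the browser.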


This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.