@zen-agentchecks…zen/fix-authconfig-masked-fields-gsv8ua → main3 files · +48 −5updated 1mo agoBug: When updating an auth config (e.g. changing scopes), the PATCH request also sent back masked/placeholder values for sensitive fields like client_secret and verification_token. The API returns these fields masked (e.g. "abcd...wxyz") for display, but because they were rendered as form defaults, clicking Save resubmitted the masked value — overwriting the real stored secret in the DB.
Root cause: handleSave in the manage flows iterated all fieldValues from the form and sent them as credentials, regardless of whether the user had touched them.
Fix: Track dirtyFields from react-hook-form in CredentialForm and expose them on the submit callback. Manage flows now only include fields the user actually modified in the PATCH payload. If nothing changed, show a "No changes to save" toast instead of firing a no-op request.
src/components/core/auth-config/credential-form/index.tsx — expose dirtyFieldNames + scopesDirty on the form submit/getValues callbacks via react-hook-form's formState.dirtyFields.src/app/(project)/[org]/[project]/auth-configs/[id]/_components/manage/manage-auth-config-tab.tsx — developer manage tab now only sends dirty credential fields / scopes.src/app/(connect)/[org]/~/connect/apps/[slug]/_components/manage-auth-config-sheet.tsx — consumer Connect manage sheet: same fix.Create flows (create-auth-config-dialog.tsx) are unaffected — they have no existing credentials, so every typed value starts dirty and is still sent.
Using react-hook-form's built-in dirty-field tracking is robust across all mask patterns: we don't have to pattern-match on "abcd...wxyz", "••••", "****-1234", or any future masking scheme. The form knows exactly which fields the user changed.
pnpm lint — same 99 warnings / 6 errors as origin/main (all pre-existing, none from this change).pnpm typecheck — no new errors in the three modified files (verified with grep).@composio/db workspace package in this sandbox — unrelated to this change. Visual E2E is expected on the Vercel preview.parseCredentials seeds the form with masked defaults → dirtyFields is empty → clicking Save with no edits shows "No changes to save" and sends nothing.scopesDirty=true, dirtyFieldNames=[] → PATCH payload contains only scopes.client_secret only → dirtyFieldNames=["client_secret"] → PATCH payload contains only client_secret; masked verification_token stays untouched in DB.The old /workspace/frontend (deprecated apps/web) has the same bug in ManageAuthConfig.tsx. Since it's deprecated in favor of this dashboard, I have not fixed it here — happy to open a follow-up PR if that frontend is still in production.
Triggered by: karan@composio.dev | Source: slack Session: https://zen-api-production-4c98.up.railway.app/dashboard/#/chat/zen-00aad1735d8e
The latest updates on your projects. Learn more about Vercel for GitHub.
| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| dashboard |  Error | Apr 23, 2026 8:23pm |
Out of credits — this automation could not run because your credit balance is exhausted.
To resume this automation, top up your credits or enable on-demand usage.
| Trigger | Repos |
|---|---|
| PR Created | ComposioHQ/composio_dashboard |