PR Custody

fix(paychex): switch auth from OAuth2 to S2S OAuth (client_credentials)

@AgentWrapperchecks n/achecks…fix/PLEN-2215-paychex-s2s → master1 files · +33 −10updated 1mo ago

▸Description· 1 comment · 1 noise

Summary

Per the PLEN-2215 audit (Pattern B "hard breakage"), paychex_oauth was declared mode: 'OAUTH2' with authorization_url === token_url and grant_type: 'client_credentials' — an OAUTH2 scheme cannot have those properties; the redirect step is fiction and the scheme has never produced a working connection.

Paychex API supports client_credentials only (server-to-server, single endpoint at /auth/oauth/v2/token), so this PR replaces the broken OAuth2 scheme with S2S_OAUTH2 (paychex_s2s_oauth2):

client_id/client_secret exposed as auth_config_field (admin-managed, since Paychex API credentials are issued from the Developer Portal and are not per-end-user).
auth_method: 'body' — Paychex's token endpoint accepts form-encoded credentials in the body.
Drops the unused authorization_url and PKCE settings.

Pattern matches PayPal's S2S migration (ComposioHQ/mercury#21885) and the Neo4j sibling (ComposioHQ/mercury#23064).

⚠️ Backwards compatibility: existing connections (if any) under paychex_oauth will need to be re-created under paychex_s2s_oauth2, since the scheme name changes. Per the audit, the prior scheme could not produce a working token, so impact should be minimal.

Refs: PLEN-2215.

Test plan

make validate-config file=apps/paychex/config.ts passes.
Create an auth-config in staging with real Paychex API client credentials; confirm token exchange returns 200.
Hit get_current_user_endpoint (https://api.paychex.com/companies) with the resulting token; confirm 200.

@AgentWrapper1mo ago

Root Cause Analysis

The broken paychex_oauth scheme replaced by this PR was introduced in:

Origin PR: ComposioHQ/mercury#8615 — "feat(paychex): add config.ts with OAUTH2 auth"
Author: @rube-by-composio
Approved by: @Karthikeya-Meesala
Merged: 2026-03-03
Commit: 61da3579

The scheme has shipped with the misclassified mode: 'OAUTH2' + token_url === authorization_url + grant_type: 'client_credentials' pattern since that merge. Per the PLEN-2215 audit, this is Pattern B "hard breakage" — the redirect step is fictional and the scheme could not produce a working token.

🤖 Auto-generated RCA.

▸ 1 bot/status comment hidden

@linear-code[bot]1mo ago

Context

Neo4j Aura's public API (https://api.neo4j.io/oauth/token) only supports the OAuth2 client_credentials grant — there is no redirect authorization_code flow. Today the toolkit declares four auth schemes, two of which target this endpoint:

neo4j_oauth (mode: OAUTH2) — uses OAUTH2 mode but with token_params: { grant_type: 'client_credentials' } and authorization_url === token_url, which is a hack around the missing client_credentials support in OAUTH2.
neo4j_s2s_oauth2 (mode: S2S_OAUTH2) — the correct mode, but currently a stub:
- strictFields: {} → no client_id / client_secret fields are exposed at auth-config creation, so users have no way to provide credentials.
- token_config.auth_method is unset.
- token_config.params: {} → no credentials are sent in the token exchange.

Net effect: the S2S scheme is visible in the UI but cannot actually succeed.

Proposed direction

Flesh out neo4j_s2s_oauth2 in mercury/apps/neo4j/config.ts to match the PayPal S2S pattern (see ComposioHQ/mercury#22415):

Add strictFields.db.client_id and strictFields.db.client_secret with field_type: 'auth_config_field'.
Set token_config.auth_method: 'basic' (Neo4j Aura accepts HTTP Basic).
Set token_config.params: { client_id: fields.client_id, client_secret: fields.client_secret }.

Open questions for planning

Do we deprecate or remove neo4j_oauth? It overlaps with the S2S scheme and the redirect flow isn't real.
Any per-tenant/region URLs for Neo4j Aura that would require the same base_url_host eval-field trick used for PayPal / Zoho Mail?

References

PayPal S2S fix (same pattern, recent):

loading diff…

@linear-code[bot]1mo ago

Context

neo4j_oauth (mode: OAUTH2) — uses OAUTH2 mode but with token_params: { grant_type: 'client_credentials' } and authorization_url === token_url, which is a hack around the missing client_credentials support in OAUTH2.
neo4j_s2s_oauth2 (mode: S2S_OAUTH2) — the correct mode, but currently a stub:
- strictFields: {} → no client_id / client_secret fields are exposed at auth-config creation, so users have no way to provide credentials.
- token_config.auth_method is unset.
- token_config.params: {} → no credentials are sent in the token exchange.

Net effect: the S2S scheme is visible in the UI but cannot actually succeed.

Proposed direction

Flesh out neo4j_s2s_oauth2 in mercury/apps/neo4j/config.ts to match the PayPal S2S pattern (see ComposioHQ/mercury#22415):

Add strictFields.db.client_id and strictFields.db.client_secret with field_type: 'auth_config_field'.
Set token_config.auth_method: 'basic' (Neo4j Aura accepts HTTP Basic).
Set token_config.params: { client_id: fields.client_id, client_secret: fields.client_secret }.

Open questions for planning

Do we deprecate or remove neo4j_oauth? It overlaps with the S2S scheme and the redirect flow isn't real.
Any per-tenant/region URLs for Neo4j Aura that would require the same base_url_host eval-field trick used for PayPal / Zoho Mail?

References

PayPal S2S fix (same pattern, recent):