PR Custody

fix(gagelist): set auth_method='body' on gagelist_s2s_oauth2 scheme

@AgentWrapperchecks n/achecks…fix/PLEN-2215-gagelist-s2s-auth-method → master1 files · +1 −0updated 1mo ago

▸Description· 1 comment · 1 noise

Summary

Per the PLEN-2215 audit (Pattern A), gagelist_s2s_oauth2 already exposes client_id/client_secret and wires them into token_config.params, but token_config.auth_method was unset — the runtime had no instruction on how to send the credentials at the token exchange.

Per gagelist's auth docs, the /api/token endpoint accepts form-encoded client_id/client_secret in the body, so this sets auth_method: 'body'.

Side note (out of scope): gagelist docs document grant_type: password for some flows, while this scheme uses client_credentials. The audit only flagged auth_method; verifying the grant choice is a separate follow-up.

Refs: PLEN-2215. Sibling per-app fixes are being opened from the same audit. Reference pattern: ComposioHQ/mercury#23064 (Neo4j).

Test plan

make validate-config file=apps/gagelist/config.ts passes.
Stage smoke test: create auth config with real gagelist creds, confirm /api/token exchange returns 200 with form-encoded body.
Verify the existing gagelist_api_key scheme is unchanged.

@AgentWrapper1mo ago

Root Cause Analysis

The gagelist_s2s_oauth2 scheme this PR fixes was introduced (without auth_method) in:

Origin PR: ComposioHQ/mercury#18439 — "feat: add S2S OAuth2 for Neo4j & Twilio, fix Lark token response"
Author: @Karthikeya-Meesala
Approved by: @wjayesh
Merged: 2026-03-23
Commit: 56bb42a85d

The scheme has shipped without token_config.auth_method since that merge. Per the PLEN-2215 audit, this is Pattern A — credentials are wired but the runtime had no instruction on how to send them at the token exchange.

🤖 Auto-generated RCA.

▸ 1 bot/status comment hidden

@linear-code[bot]1mo ago

Context

Neo4j Aura's public API (https://api.neo4j.io/oauth/token) only supports the OAuth2 client_credentials grant — there is no redirect authorization_code flow. Today the toolkit declares four auth schemes, two of which target this endpoint:

neo4j_oauth (mode: OAUTH2) — uses OAUTH2 mode but with token_params: { grant_type: 'client_credentials' } and authorization_url === token_url, which is a hack around the missing client_credentials support in OAUTH2.
neo4j_s2s_oauth2 (mode: S2S_OAUTH2) — the correct mode, but currently a stub:
- strictFields: {} → no client_id / client_secret fields are exposed at auth-config creation, so users have no way to provide credentials.
- token_config.auth_method is unset.
- token_config.params: {} → no credentials are sent in the token exchange.

Net effect: the S2S scheme is visible in the UI but cannot actually succeed.

Proposed direction

Flesh out neo4j_s2s_oauth2 in mercury/apps/neo4j/config.ts to match the PayPal S2S pattern (see ComposioHQ/mercury#22415):

Add strictFields.db.client_id and strictFields.db.client_secret with field_type: 'auth_config_field'.
Set token_config.auth_method: 'basic' (Neo4j Aura accepts HTTP Basic).
Set token_config.params: { client_id: fields.client_id, client_secret: fields.client_secret }.

Open questions for planning

Do we deprecate or remove neo4j_oauth? It overlaps with the S2S scheme and the redirect flow isn't real.
Any per-tenant/region URLs for Neo4j Aura that would require the same base_url_host eval-field trick used for PayPal / Zoho Mail?

References

PayPal S2S fix (same pattern, recent):

loading diff…

@linear-code[bot]1mo ago

Context

neo4j_oauth (mode: OAUTH2) — uses OAUTH2 mode but with token_params: { grant_type: 'client_credentials' } and authorization_url === token_url, which is a hack around the missing client_credentials support in OAUTH2.
neo4j_s2s_oauth2 (mode: S2S_OAUTH2) — the correct mode, but currently a stub:
- strictFields: {} → no client_id / client_secret fields are exposed at auth-config creation, so users have no way to provide credentials.
- token_config.auth_method is unset.
- token_config.params: {} → no credentials are sent in the token exchange.

Net effect: the S2S scheme is visible in the UI but cannot actually succeed.

Proposed direction

Flesh out neo4j_s2s_oauth2 in mercury/apps/neo4j/config.ts to match the PayPal S2S pattern (see ComposioHQ/mercury#22415):

Add strictFields.db.client_id and strictFields.db.client_secret with field_type: 'auth_config_field'.
Set token_config.auth_method: 'basic' (Neo4j Aura accepts HTTP Basic).
Set token_config.params: { client_id: fields.client_id, client_secret: fields.client_secret }.

Open questions for planning

Do we deprecate or remove neo4j_oauth? It overlaps with the S2S scheme and the redirect flow isn't real.
Any per-tenant/region URLs for Neo4j Aura that would require the same base_url_host eval-field trick used for PayPal / Zoho Mail?

References

PayPal S2S fix (same pattern, recent):