PR Custody

fix(anthology_student): migrate auth from OAuth2 to S2S OAuth (client_credentials)

@AgentWrapperchecks n/achecks…fix/PLEN-2215-anthology-student-s2s → master1 files · +33 −10updated 1mo ago

▸Description· 2 comments · 1 noise

Summary

Per the PLEN-2215 audit (Pattern B "soft misuse"), anthology_student_oauth was declared mode: 'OAUTH2' but issued grant_type: 'client_credentials'. CampusLabs/Anthology Student API is institutional M2M; the redirect-based authorize step was never reached. This PR migrates to mode: 'S2S_OAUTH2' (anthology_student_s2s_oauth2):

client_id/client_secret as auth_config_field (admin-managed CampusLabs API keys).
auth_method: 'body' — https://authorization.campuslabs.com/token accepts form-encoded creds in the body.
Preserves the per-institution strictFields.baseUrl.full field (institution-specific CampusLabs subdomain).
Drops unused authorization_url, disable_pkce, token_request_auth_method.

The unrelated anthology_student_api_key scheme is untouched.

Backwards compatibility: existing connections (if any) under anthology_student_oauth will need to be re-created under anthology_student_s2s_oauth2. Per the audit, the prior scheme cannot produce a working token.

Pattern matches PayPal (ComposioHQ/mercury#21885) and Neo4j (ComposioHQ/mercury#23064).

Refs: PLEN-2215.

Test plan

make validate-config file=apps/anthology_student/config.ts passes.
Create staging auth config with real CampusLabs creds + an institution-specific full base URL; confirm /token exchange returns 200.
Verify the anthology_student_api_key scheme is byte-for-byte unchanged.

@AgentWrapper1mo ago

Root Cause Analysis

The broken anthology_student_oauth scheme replaced by this PR was introduced in:

Origin PR: ComposioHQ/mercury#15679 — "feat(anthology_student): add config.ts with API_KEY auth"
Author: @rube-by-composio
Approved by: @Karthikeya-Meesala
Merged: 2026-02-25
Commit: f8a9f87a

Per the PLEN-2215 audit, this is Pattern B "soft misuse" — mode: 'OAUTH2' declared with grant_type: 'client_credentials'. The authorize URL was never reached at runtime, so the scheme could not produce a working token.

🤖 Auto-generated RCA.

@AgentWrapper1mo ago

original PR created by cortex: https://github.com/ComposioHQ/mercury/pull/15679

very clearly had bugs in oauth2 config ^

▸ 1 bot/status comment hidden

@linear-code[bot]1mo ago

Context

Neo4j Aura's public API (https://api.neo4j.io/oauth/token) only supports the OAuth2 client_credentials grant — there is no redirect authorization_code flow. Today the toolkit declares four auth schemes, two of which target this endpoint:

neo4j_oauth (mode: OAUTH2) — uses OAUTH2 mode but with token_params: { grant_type: 'client_credentials' } and authorization_url === token_url, which is a hack around the missing client_credentials support in OAUTH2.
neo4j_s2s_oauth2 (mode: S2S_OAUTH2) — the correct mode, but currently a stub:
- strictFields: {} → no client_id / client_secret fields are exposed at auth-config creation, so users have no way to provide credentials.
- token_config.auth_method is unset.
- token_config.params: {} → no credentials are sent in the token exchange.

Net effect: the S2S scheme is visible in the UI but cannot actually succeed.

Proposed direction

Flesh out neo4j_s2s_oauth2 in mercury/apps/neo4j/config.ts to match the PayPal S2S pattern (see ComposioHQ/mercury#22415):

Add strictFields.db.client_id and strictFields.db.client_secret with field_type: 'auth_config_field'.
Set token_config.auth_method: 'basic' (Neo4j Aura accepts HTTP Basic).
Set token_config.params: { client_id: fields.client_id, client_secret: fields.client_secret }.

Open questions for planning

Do we deprecate or remove neo4j_oauth? It overlaps with the S2S scheme and the redirect flow isn't real.
Any per-tenant/region URLs for Neo4j Aura that would require the same base_url_host eval-field trick used for PayPal / Zoho Mail?

References

PayPal S2S fix (same pattern, recent):

loading diff…

@linear-code[bot]1mo ago

Context

neo4j_oauth (mode: OAUTH2) — uses OAUTH2 mode but with token_params: { grant_type: 'client_credentials' } and authorization_url === token_url, which is a hack around the missing client_credentials support in OAUTH2.
neo4j_s2s_oauth2 (mode: S2S_OAUTH2) — the correct mode, but currently a stub:
- strictFields: {} → no client_id / client_secret fields are exposed at auth-config creation, so users have no way to provide credentials.
- token_config.auth_method is unset.
- token_config.params: {} → no credentials are sent in the token exchange.

Net effect: the S2S scheme is visible in the UI but cannot actually succeed.

Proposed direction

Flesh out neo4j_s2s_oauth2 in mercury/apps/neo4j/config.ts to match the PayPal S2S pattern (see ComposioHQ/mercury#22415):

Add strictFields.db.client_id and strictFields.db.client_secret with field_type: 'auth_config_field'.
Set token_config.auth_method: 'basic' (Neo4j Aura accepts HTTP Basic).
Set token_config.params: { client_id: fields.client_id, client_secret: fields.client_secret }.

Open questions for planning

Do we deprecate or remove neo4j_oauth? It overlaps with the S2S scheme and the redirect flow isn't real.
Any per-tenant/region URLs for Neo4j Aura that would require the same base_url_host eval-field trick used for PayPal / Zoho Mail?

References

PayPal S2S fix (same pattern, recent):