PR Custody

PRPR Custody

fix(airship): remove unsupported S2S OAuth config

@AgentWrapperchecks n/achecks…fix/PLEN-2215-airship-s2s → master1 files · +5 −57updated 1mo ago

GitHub

▸Description· 6 comments · 1 noise

Summary\n- remove the attempted Airship S2S OAuth scheme because Airship key-pair OAuth requires signed ES384 JWT assertion token exchange that the current auth framework cannot express yet\n- keep the supported Airship auth schemes: Basic App Key/Master Secret and Bearer Token\n- document the intentional omission in config and track generic assertion-based S2S OAuth support in PLEN-2460\n\n## Validation\n- nox -s chk_app -- apps/airship\n\n## Links\n- Follow-up platform ticket: https://linear.app/composio/issue/PLEN-2460/support-assertion-based-s2s-oauthjwt-auth-profiles-across-mercury-apps\n- PLEN-2215

@AgentWrapper1mo ago

Root Cause Analysis

The broken airship_oauth scheme replaced by this PR was introduced in:

Origin PR: ComposioHQ/mercury#13131 — "feat(airship): add config.ts with API_KEY auth"
Author: @rube-by-composio
Approved by: @Karthikeya-Meesala
Merged: 2026-02-20
Commit: 6cab29cf

Per the PLEN-2215 audit, this is Pattern B "soft misuse" — distinct authorize/token URLs, but mode: 'OAUTH2' declared with grant_type: 'client_credentials'. Airship's OAuth 2.0 endpoint is client_credentials only; the redirect step the OAUTH2 mode expects was never reachable.

🤖 Auto-generated RCA.

@AgentWrapper1mo ago

Diagnosis: auth setup is failing on staging

While debugging the "Failed to connect account" error a tester saw on staging, I tried the token exchange directly with curl against Airship's /token endpoint using a test App Key + Secret. Found two layers of issues — one with the credentials provided, one with our config + framework.

Layer 1 — the test credentials don't authenticate against Airship at all

Test creds (App Key uUyc19voSRqP9sdix4H7cQ / Secret ZjOHsLxFSWu6mlYMgCodag) return HTTP 401 invalid_client against both:

The OAuth 2.0 token endpoint (oauth2.asnapius.com/token and oauth2.asnapieu.com/token), with the correct request shape — see Layer 2 below.
Airship's legacy data plane (go.urbanairship.com/api/channels, api.asnapius.com/api/channels), which would have worked if they were the classic App Key + Master Secret pair.

Most likely: the test creds are the project's App Key + Master Secret, not the OAuth Client's separately-issued client_id + client_secret. In Airship's console, the OAuth Client (Settings → APIs & Integrations → OAuth) is a different artifact from the project App Key, and gets its own UUID-shaped client_id + secret.

This is a tester-side fix (get valid OAuth Client credentials), not a config-side fix.

Layer 2 — Airship's `/token` deviates from standard OAuth 2.0 in ways this PR doesn't handle

While testing, I confirmed (against Airship's OAuth docs) that the token endpoint diverges from the standard S2S_OAUTH2 shape in three ways:

Accept: application/json is required. Without it the endpoint returns 406. The framework's S2S code path doesn't appear to set an Accept header on the token request, so this currently fails on the wire.
A sub=app:<APP_KEY> body field is required. Non-standard — the OAuth 2.0 spec has no sub in the token request body. This PR doesn't send it.
Scopes use repeated scope= parameters, not space-separated: scope=psh&scope=chn&scope=evt rather than scope=psh chn evt. This PR's scope_separator: ' ' produces the wrong serialization.

The third point is the hardest: S2SOAuth2AuthSchemeSchema.token_config.params is typed as Record<string, string> in @composiohq/auth-config. You can't express a repeated form-encoded parameter in that shape. So even with the right credentials and the right Accept/sub/separator config, the framework can't currently serialize Airship's expected request body.

Implication

The PLEN-2215 audit's classification of airship as S2S_OAUTH2 was directionally right — it's client_credentials, no user redirect, admin-managed credentials. But Airship's actual OAuth 2.0 implementation diverges from the spec in ways our framework can't handle today. This puts airship closer to the Wix situation (custom-flow OAuth that needs OAUTH2-mode + a custom token shape) than to the clean Vanta/PayPal S2S pattern.

Recommended next steps (in order)

Defer this PR. The migration as written cannot produce a working token exchange even with valid OAuth Client credentials. Don't merge until Layer 2 is resolved.
Open a framework ticket on @composiohq/auth-config to extend S2SOAuth2AuthSchemeSchema.token_config with: (a) params: Record<string, string | string[]> (so repeated scope= params can be expressed), (b) an optional accept_header / extra_headers override on token_config, (c) optional arbitrary extra body fields (for sub=app:<APP_KEY>). With those, airship becomes expressible.
Alternative: keep airship on its existing OAUTH2 mode misclassification (which has been on master for months and was already broken per the audit) and treat it like Wix — leave the file as-is and add a // ci-skip: config-breaking-changes / allowlist entry when the proposed Tier-1 lint lands.

Open to either approach. The audit's correctness call about airship doesn't change — but the implementation path needs framework support that doesn't yet exist.

🤖 Diagnostic posted as part of the PLEN-2215 staging validation.

@AgentWrapper1mo ago

Updated this PR after testing the real Airship OAuth flow with the provided test account.

What I verified live:

Airship OAuth works with the provided key-pair credentials via the JWT assertion variant: grant_type=client_credentials&assertion=<ES384 JWT> returned 200, token_type=Bearer, expires_in=3600.
Using that token against GET https://api.asnapius.com/api/channels/?limit=1 returned 200 with {"ok":true,"channels":[]}.
The current Basic-client-secret shape does not work with the provided key-pair credentials if the public key is pasted as client_secret — Airship returns 401 invalid_client.
Airship also rejects token requests without Accept: application/json (406 invalid_request).

Patch pushed in 7534fd4e04:

Split Airship project app_key from OAuth client_id (the previous PR conflated them).
Use X-UA-Appkey from app_key, not client_id.
Add required Basic-flow token params: sub=app:<app_key> and scopes.
Mark the OAuth region as auth_config_field for the S2S flow.
Add token_exchange_headers: { Accept: 'application/json' } for Airship's token endpoint.
Clarified the client_secret field description: it is for Airship's Basic OAuth client-secret variant, not the public key from a key-pair credential.

Important limitation: the credentials shared for testing are Airship's key-pair/JWT-assertion variant. This config now models the documented Basic OAuth client-secret variant correctly, but the key-pair/JWT assertion variant still requires framework support to dynamically build/sign an ES384 JWT from a stored private key. I also corrected /private/tmp/oauth2-vs-s2s.html: the prior doc was wrong that Airship requires repeated scope= params only; docs allow space-delimited scopes too. The real blocker for key-pair credentials is JWT assertion generation/signing, not repeated-scope serialization.

Local checks:

nox -s chk_app -- apps/airship ✅
bun run prettier --write apps/airship/config.ts ✅

@AgentWrapper1mo ago

Fixed CI import/config generation failure in a091... by moving app_key into strictFields.headers (still as auth_config_field). The auth-config builder only passes header strict fields to the headers callback, so keeping app_key in db made X-UA-Appkey serialize as undefined.

@AgentWrapper1mo ago

Deployed Airship auth changes to the staging tools registry.\n\nSuccessful force-push workflow run: https://github.com/ComposioHQ/mercury/actions/runs/25666557209\n\nNote: the first deployment attempt failed because app_key is not an allowed strictFields.headers key in @composiohq/auth-config@0.1.18. I fixed that by using the allowed generic_id field (legacy_template_name remains app_key) and re-ran the deploy successfully.

@AgentWrapper1mo ago

Updated per follow-up decision: removed the unsupported airship_s2s_oauth2 auth scheme from Airship config until the platform supports Airship's assertion-JWT token exchange. Airship now exposes only Basic App Key/Master Secret and Bearer Token.\n\nValidation:\n- nox -s chk_app -- apps/airship ✅\n- npm run typecheck, npm run lint, and npm test are not available in this repo checkout (missing npm scripts).\n\nFiled the broader platform ticket for assertion-based S2S OAuth/JWT support: https://linear.app/composio/issue/PLEN-2460/support-assertion-based-s2s-oauthjwt-auth-profiles-across-mercury-apps

▸ 1 bot/status comment hidden

@linear-code[bot]1mo ago

Context

Neo4j Aura's public API (https://api.neo4j.io/oauth/token) only supports the OAuth2 client_credentials grant — there is no redirect authorization_code flow. Today the toolkit declares four auth schemes, two of which target this endpoint:

neo4j_oauth (mode: OAUTH2) — uses OAUTH2 mode but with token_params: { grant_type: 'client_credentials' } and authorization_url === token_url, which is a hack around the missing client_credentials support in OAUTH2.
neo4j_s2s_oauth2 (mode: S2S_OAUTH2) — the correct mode, but currently a stub:
- strictFields: {} → no client_id / client_secret fields are exposed at auth-config creation, so users have no way to provide credentials.
- token_config.auth_method is unset.
- token_config.params: {} → no credentials are sent in the token exchange.

Net effect: the S2S scheme is visible in the UI but cannot actually succeed.

Proposed direction

Flesh out neo4j_s2s_oauth2 in mercury/apps/neo4j/config.ts to match the PayPal S2S pattern (see ComposioHQ/mercury#22415):

Add strictFields.db.client_id and strictFields.db.client_secret with field_type: 'auth_config_field'.
Set token_config.auth_method: 'basic' (Neo4j Aura accepts HTTP Basic).
Set token_config.params: { client_id: fields.client_id, client_secret: fields.client_secret }.

Open questions for planning

Do we deprecate or remove neo4j_oauth? It overlaps with the S2S scheme and the redirect flow isn't real.
Any per-tenant/region URLs for Neo4j Aura that would require the same base_url_host eval-field trick used for PayPal / Zoho Mail?

References

PayPal S2S fix (same pattern, recent):

loading diff…

@AgentWrapper1mo ago

Diagnosis: auth setup is failing on staging

Layer 1 — the test credentials don't authenticate against Airship at all

Test creds (App Key uUyc19voSRqP9sdix4H7cQ / Secret ZjOHsLxFSWu6mlYMgCodag) return HTTP 401 invalid_client against both:

The OAuth 2.0 token endpoint (oauth2.asnapius.com/token and oauth2.asnapieu.com/token), with the correct request shape — see Layer 2 below.
Airship's legacy data plane (go.urbanairship.com/api/channels, api.asnapius.com/api/channels), which would have worked if they were the classic App Key + Master Secret pair.

This is a tester-side fix (get valid OAuth Client credentials), not a config-side fix.

Layer 2 — Airship's `/token` deviates from standard OAuth 2.0 in ways this PR doesn't handle

While testing, I confirmed (against Airship's OAuth docs) that the token endpoint diverges from the standard S2S_OAUTH2 shape in three ways:

Accept: application/json is required. Without it the endpoint returns 406. The framework's S2S code path doesn't appear to set an Accept header on the token request, so this currently fails on the wire.
A sub=app:<APP_KEY> body field is required. Non-standard — the OAuth 2.0 spec has no sub in the token request body. This PR doesn't send it.
Scopes use repeated scope= parameters, not space-separated: scope=psh&scope=chn&scope=evt rather than scope=psh chn evt. This PR's scope_separator: ' ' produces the wrong serialization.

Implication

Recommended next steps (in order)

Defer this PR. The migration as written cannot produce a working token exchange even with valid OAuth Client credentials. Don't merge until Layer 2 is resolved.
Open a framework ticket on @composiohq/auth-config to extend S2SOAuth2AuthSchemeSchema.token_config with: (a) params: Record<string, string | string[]> (so repeated scope= params can be expressed), (b) an optional accept_header / extra_headers override on token_config, (c) optional arbitrary extra body fields (for sub=app:<APP_KEY>). With those, airship becomes expressible.
Alternative: keep airship on its existing OAUTH2 mode misclassification (which has been on master for months and was already broken per the audit) and treat it like Wix — leave the file as-is and add a // ci-skip: config-breaking-changes / allowlist entry when the proposed Tier-1 lint lands.

Open to either approach. The audit's correctness call about airship doesn't change — but the implementation path needs framework support that doesn't yet exist.

🤖 Diagnostic posted as part of the PLEN-2215 staging validation.

Root Cause Analysis

Diagnosis: auth setup is failing on staging

Layer 1 — the test credentials don't authenticate against Airship at all

Layer 2 — Airship's /token deviates from standard OAuth 2.0 in ways this PR doesn't handle

Implication

Recommended next steps (in order)

Context

Proposed direction

Open questions for planning

References

Root Cause Analysis

Diagnosis: auth setup is failing on staging

Layer 1 — the test credentials don't authenticate against Airship at all

Layer 2 — Airship's /token deviates from standard OAuth 2.0 in ways this PR doesn't handle

Implication

Recommended next steps (in order)

Context

Proposed direction

Open questions for planning

References

Layer 2 — Airship's `/token` deviates from standard OAuth 2.0 in ways this PR doesn't handle

Layer 2 — Airship's `/token` deviates from standard OAuth 2.0 in ways this PR doesn't handle