Apollo's refresh worker checks the toolkit's get_current_user_endpoint
after a refresh failure to confirm whether the access token is still alive
— this is the safeguard that prevents transient refresh blips from
expiring otherwise-healthy connections. For toolkits where the URL
contains per-connection template placeholders, Apollo was passing the
literal template string to the proxy layer.
Example URLs from Mercury's apps/salesforce/config.ts and apps/jira/config.ts:
https://{{subdomain}}.salesforce.com/services/oauth2/userinfo
https://{{subdomain}}.atlassian.net/rest/api/3/serverInfo
When called as-is, Apollo's SSRF guard rejects the literal {{subdomain}}
hostname with SSRF blocked: DNS resolution returned no addresses,
currentUser returns NETWORK_ERROR, and the refresh-failure safeguard is
structurally bypassed for these toolkits.
Glean's deployment has MAX_AUTH_FAILURES_FOR_EXPIRY=1. Combined with
the broken safeguard, any Salesforce/Jira refresh failure — including
transient 5xx/429/network blips — caused immediate expiry of the
connection because currentUser could never return 2xx to clear the
counter. We saw 33 SSRF blocked log entries in a 7.4h window of
their prod logs, all for Salesforce and Jira current_user_endpoints
with unresolved {{subdomain}} placeholders.
resolveCurrentUserEndpoint() substitutes {{subdomain}},
{{your-domain}}, {{instanceEndpoint}}, etc. from the connection's
data before the proxy call, using the existing fillTemplatesInUrl +
getKeyValuePairsForFillingBaseUrlTemplate utilities.
preserveMissing=true keeps unresolved {{...}} placeholders intact and
logs a warning, so when a connection genuinely lacks the templated field
(e.g. an older Salesforce connection missing subdomain), the failure
shape stays diagnosable from logs rather than producing a malformed
https://.salesforce.com/... URL.
refreshAccessToken.current_user_template.test.ts:
- undefined
- {{subdomain}} substitution
- {{subdomain}} substitution
- default when connection value is missing
- refreshAccessToken.dcr_oauth.test.ts (6 tests) and refreshAccessToken.html_response.test.ts (5 tests) still pass — 17/17 total.
- pnpm check-types clean.
- pnpm lint clean on the two changed files.

fcfcfa3 predates this fix; they would need to either
upgrade or backport. Worth coordinating with Glean as a separate step.

Based on git blame analysis of 2 file(s):
| Contributor | Contribution | Files |
|---|---|---|
| Zen Agent | 36% | 2 |
| anshugarg15 | 25% | 1 |
| lingalarahul7 | 15% | 1 |
| Dhawal Upadhyay | 14% | 1 |
| jkomyno | 4% | 1 |
Recommend Zen Agent and anshugarg15. Zen Agent authored the new test today and can verify its intent and coverage; anshugarg15 made recent edits to refreshAccessToken.ts and is familiar with the implementation details.
🤖 Based on git blame with recency weighting (recent edits count more).
:white_check_mark: All modified and coverable lines are covered by tests.
| Flag | Coverage Δ | |
|---|---|---|
| e2e-tests | 6.05% <0.00%> (-0.01%) | :arrow_down: |
| self-hosted-tests | 5.59% <0.00%> (-0.01%) | :arrow_down: |
| unit-tests | 58.85% <100.00%> (+<0.01%) | :arrow_up: |
Flags with carried forward coverage won't be shown.
| Files with missing lines | Coverage Δ | |
|---|---|---|
| ...o/src/lib/connected_accounts/refreshAccessToken.ts | 59.48% <100.00%> (+2.25%) | :arrow_up: |
get_current_user_endpoint needs to work during auth_refresh for apps that require value substitution from user-provided fields, such as Jira and Salesforce, where the subdomain field is needed to construct the endpoint.
Glean's deployment has MAX_AUTH_FAILURES_FOR_EXPIRY=1. Combined with the broken safeguard, any Salesforce or Jira refresh failure — including transient 5xx, 429, or network blips — caused immediate expiry of the connection because currentUser could never return 2xx to clear the counter. There were 33 SSRF blocked log entries in a 7.4 hour window of prod logs, all for Salesforce and Jira current_user_endpoints with unresolved {{subdomain}} placeholders.
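The substitution behaviour described in this PR, as an added sketch that is not Apollo's code: `resolveTemplateUrl`, `checkBeforeProxy` and the `Resolved` type are hypothetical names (not `fillTemplatesInUrl` or `resolveCurrentUserEndpoint`), and the connection data is constructed. It shows why preserving a missing placeholder keeps the failure diagnosable, while dropping it yields the malformed `https://.salesforce.com/...` host.

```typescript
// Added illustration; all names here are hypothetical, not the project's API.
type Resolved = { url: string; missing: string[] };

// Matches {{subdomain}}, {{your-domain}}, {{instanceEndpoint}}, ...
const PLACEHOLDER = /\{\{\s*([A-Za-z0-9_-]+)\s*\}\}/g;

function resolveTemplateUrl(
  template: string,
  data: Record<string, string | undefined>,
  preserveMissing: boolean,
): Resolved {
  const missing: string[] = [];
  const url = template.replace(PLACEHOLDER, (whole: string, key: string) => {
    const value = data[key];
    if (typeof value === "string" && value.length > 0) return value;
    // Record the gap so the caller can log a warning naming the field.
    missing.push(key);
    // Keeping "{{key}}" leaves the gap visible in logs; dropping it would
    // produce a malformed host such as "https://.salesforce.com/...".
    return preserveMissing ? whole : "";
  });
  return { url, missing };
}

// Assumed gate in front of the proxy call: an unresolved template is reported
// as a connection-data gap instead of surfacing later as a DNS failure on a
// literal "{{subdomain}}" hostname.
function checkBeforeProxy(r: Resolved): "ok" | "unresolved_template" {
  return r.missing.length === 0 && !r.url.includes("{{")
    ? "ok"
    : "unresolved_template";
}

// Templates from the PR description; connection values are constructed.
const SALESFORCE = "https://{{subdomain}}.salesforce.com/services/oauth2/userinfo";
const JIRA = "https://{{subdomain}}.atlassian.net/rest/api/3/serverInfo";

const filled = resolveTemplateUrl(SALESFORCE, { subdomain: "acme" }, true);
const preserved = resolveTemplateUrl(JIRA, {}, true); // older connection, no subdomain
const dropped = resolveTemplateUrl(SALESFORCE, {}, false);
```
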