bug: remove refresh endpoint and require auth#6256
bug: remove refresh endpoint and require auth#6256chloebyun-wd wants to merge 3 commits intomainfrom
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request secures the OAuth2 token refresh endpoint by adding an internal header authentication check and removing sensitive token data from the response. However, the implementation should use the getEncryptionKey utility for the authentication header to ensure compatibility with various secret storage backends. Additionally, the endpoint must remain in the whitelist to prevent global authentication middleware from blocking internal requests before the header check is performed.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request enhances the security of the OAuth2 token refresh endpoint by introducing an internal authentication mechanism using an x-flowise-internal-key header and removing sensitive token data from the response body. The internal key is propagated through various flow execution parameters. Feedback identifies a missing propagation of this key in the executeAgentFlow function, which would cause failures in Agentflows, and suggests caching the encryption key to reduce I/O overhead during frequent refresh requests.
…ey, use timing-safe comparison - Pass internalRefreshKey through executeAgentFlow, executeNode, and recursive sub-flow calls so OAuth2 refresh works in Agentflows - Cache getEncryptionKey() result to avoid file I/O or AWS calls per request - Use crypto.timingSafeEqual for key comparison to prevent timing attacks Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 participant
No description provided.