feat: ENG-12261 add OAuth 2.0 support and settings UI for Phrase integration#4699
Conversation
|
|
View your CI Pipeline Execution ↗ for commit 5e0c959
💡 Verify your cache is correct by running tasks in a sandbox. Read docs ↗ ☁️ Nx Cloud last updated this comment at |
…nnection and disconnection functionality
…ion disconnection state
…leakage across organizations
…for improved isolation across organizations
…ization-specific plugin settings
…ons for Phrase integration
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 5e0c959. Configure here.
| const info = await refreshRes.json().catch(() => ({} as any)); | ||
| throw new Error(info?.error || 'Phrase session expired. Please reconnect.'); | ||
| } | ||
| res = await doFetch(); |
There was a problem hiding this comment.
Refresh ignores client expiry
Medium Severity
After a successful oauth/refresh on 401, client OAuth metadata (readOrgPluginSetting('oauth') and sessionOAuth) is not updated. Later ensureAuthenticated still uses the old expiresAt, so actions can fail with “session expired” even though the server token was just refreshed.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 5e0c959. Configure here.


Description
Adds OAuth 2.0 support and settings UI for Phrase integration
Note
Medium Risk
Changes authentication and how Phrase API calls are authorized (OAuth popup, session state, 401 refresh), which can break translation workflows if server OAuth endpoints or token refresh behave differently than password auth.
Overview
Adds SSO / OAuth 2.0 as an alternative to username/password for the Phrase connector, aimed at orgs that block password login. Settings gain an Authentication dropdown, per-org OAuth Client ID, US data-center flag, and a custom Connect / Disconnect panel that runs the Builder API OAuth popup flow (
prepare→start→postMessage); tokens stay server-side and the browser only sees connection metadata.Translation actions now go through a new
PhraseApiwrapper that checks credentials (ensureAuthenticated), retries on 401 viaoauth/refreshin OAuth mode, and handles org switches and stale in-memory OAuth state with apiKey-scoped session markers. Username/password fields are shown only when not in OAuth mode; both credential types can coexist when switching modes.The README documents OAuth setup (Phrase registered app, redirect URI, admin connect steps) and a sequence diagram. Plugin version bumps to 0.0.17. The stub Request an updated translation content action is removed; pending-job outdated source warnings are refactored into
checkTranslationFreshness.Reviewed by Cursor Bugbot for commit 5e0c959. Bugbot is set up for automated code reviews on this repo. Configure here.