Skip to content

Tweak to enable OSM token bridge by default#59

Merged
jeffmaki merged 1 commit into
developfrom
jeff-osm-api-auth
Jul 10, 2026
Merged

Tweak to enable OSM token bridge by default#59
jeffmaki merged 1 commit into
developfrom
jeff-osm-api-auth

Conversation

@jeffmaki

@jeffmaki jeffmaki commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Enabled the OSM token bridge by default with a dedicated feature flag.
  • Replaced the configured OAuth application ID with a stable client UID.
  • Added stable configuration for the OSM system user and automatic Doorkeeper application provisioning.
  • Added idempotent provisioning of OSM users and OAuth applications during token bridging.
  • Updated token mirroring and revocation to honor the bridge flag and handle database failures safely.
  • Expanded unit tests for provisioning, token metadata, missing emails, disabled bridging, rotation, reactivation, and rollback behavior.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cd3b6fdc-d7a6-43fe-905b-c2a91dd07c93

📥 Commits

Reviewing files that changed from the base of the PR and between 025e73b and cd4cd64.

📒 Files selected for processing (3)
  • api/core/config.py
  • api/core/security.py
  • tests/unit/test_token_bridge.py

📝 Walkthrough

Walkthrough

The OSM token bridge now uses explicit enablement and stable OAuth client configuration, automatically provisions required OSM users and applications, mirrors tokens with derived expiry data, and applies the same flag to revocation. Unit tests cover provisioning, identity wiring, missing email, disabled operation, and rollback behavior.

Changes

OSM Token Bridge

Layer / File(s) Summary
Bridge configuration
api/core/config.py
Replaces application-ID configuration with an enable flag, stable OAuth client UID, scopes, and dedicated system-user identifiers.
Provisioning and token flow
api/core/security.py
Adds idempotent OSM user and OAuth application provisioning, updates token mirroring to use the ensured application ID, and gates revocation with the bridge flag.
Provisioning and revocation tests
tests/unit/test_token_bridge.py
Validates the provisioning chain, token fields, expiry handling, disabled behavior, identity wiring, and best-effort rollback behavior.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Caller
  participant _bridge_token_to_osm
  participant OSMDatabase
  Caller->>_bridge_token_to_osm: Present JWT
  _bridge_token_to_osm->>OSMDatabase: Ensure system user and caller user
  _bridge_token_to_osm->>OSMDatabase: Ensure OAuth application by client UID
  _bridge_token_to_osm->>OSMDatabase: Upsert mirrored access token
  _bridge_token_to_osm-->>Caller: Continue authentication
Loading

Poem

A bunny hops through tokens bright,
Provisions users left and right.
An OAuth app blooms from seed,
Expiry follows every need.
If databases stumble—spring rolls on!


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@jeffmaki jeffmaki merged commit e81363b into develop Jul 10, 2026
2 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant