Skip to content

feat(x): support OAuth 2.0 authentication#1702

Closed
onyedikachi-david wants to merge 1 commit into
gitroomhq:mainfrom
onyedikachi-david:feat/x-oauth2-authentication
Closed

feat(x): support OAuth 2.0 authentication#1702
onyedikachi-david wants to merge 1 commit into
gitroomhq:mainfrom
onyedikachi-david:feat/x-oauth2-authentication

Conversation

@onyedikachi-david

@onyedikachi-david onyedikachi-david commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

What kind of change does this PR introduce?

Feature: add OAuth 2.0 authentication support for X channels alongside OAuth 1.0a.

Why was this change needed?

X OAuth 2.0 provides PKCE, refreshable access tokens, and modern API access while existing OAuth 1.0a connections must remain compatible.

Other information:

  • Added OAuth 1.0a/OAuth 2.0 selection for new X channels.
  • Preserved the selected authentication mode during refresh.
  • Added OAuth 2.0 support for publishing, media, analytics, and mentions.
  • Improved authentication modal contrast for light and dark themes.
image image image

Checklist:

  • I have read the CONTRIBUTING guide.
  • I have signed the Contributor License Agreement (CLA).
  • I confirm I have not used AI to submit this PR or generate code for it.
  • I checked that there were no similar issues or PRs already open for this.
  • This PR fixes just ONE issue

@postiz-contribution postiz-contribution Bot added the contribution:approved Approved contributor label Jul 11, 2026
@onyedikachi-david onyedikachi-david marked this pull request as ready for review July 11, 2026 12:48
@postiz-agent

postiz-agent Bot commented Jul 11, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Comment on lines +498 to +507
expiresIn,
picture: profile_image_url || '',
username,
};
}

private async getClient(accessToken: string) {
if (accessToken.startsWith(X_OAUTH2_PREFIX)) {
return new TwitterApi(accessToken.slice(X_OAUTH2_PREFIX.length));
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The uploadMedia function attempts to use client.v2.uploadMedia() with an OAuth 2.0 token, which is not supported by the X API and will cause media uploads to fail.
Severity: HIGH

Suggested Fix

In the uploadMedia method, add a check to determine the authentication type. If the client is using OAuth 2.0, prevent the call to client.v2.uploadMedia() and either inform the user that media uploads are not supported with their authentication method or handle the failure gracefully. The X API requires OAuth 1.0a for this functionality.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: libraries/nestjs-libraries/src/integrations/social/x.provider.ts#L498-L507

Potential issue: The `getClient` method can create an OAuth 2.0 client using a bearer
token. However, the `uploadMedia` function subsequently calls `client.v2.uploadMedia()`,
an endpoint that does not support OAuth 2.0 user context tokens for media uploads, as
confirmed by the X API documentation. This will cause any user who authenticates with
the recommended OAuth 2.0 method and attempts to post with media (images or video) to
encounter a 403 Forbidden error from the API, breaking the posting functionality.

Did we get this right? 👍 / 👎 to inform future reviews.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Current X documentation explicitly supports OAuth 2.0 user tokens for media uploads:

  • POST /2/media/upload authorizes OAuth2UserToken and requires an OAuth2 access token. X Upload Media docs
  • The chunked upload flow uses Bearer $USER_ACCESS_TOKEN for initialize, append, finalize, and status requests. X Chunked Upload docs
  • OAuth2 defines media.write specifically for uploading media, and the provider requests that scope. X OAuth2 scopes

@nevo-david

Copy link
Copy Markdown
Contributor

Not at the moment, maybe in the future

@nevo-david nevo-david closed this Jul 14, 2026
@onyedikachi-david

Copy link
Copy Markdown
Contributor Author

Hi Nevo, This is unrelated though, I noticed the Software/Support Engineer opening on the hiring page. Is the position still available? I’ve been exploring and contributing to the Postiz codebase, and I’d love to be considered for the role. I’d be happy to share my résumé and any other relevant details. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

contribution:approved Approved contributor

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants