feat(x): support OAuth 2.0 authentication#1702
Conversation
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
| expiresIn, | ||
| picture: profile_image_url || '', | ||
| username, | ||
| }; | ||
| } | ||
|
|
||
| private async getClient(accessToken: string) { | ||
| if (accessToken.startsWith(X_OAUTH2_PREFIX)) { | ||
| return new TwitterApi(accessToken.slice(X_OAUTH2_PREFIX.length)); | ||
| } |
There was a problem hiding this comment.
Bug: The uploadMedia function attempts to use client.v2.uploadMedia() with an OAuth 2.0 token, which is not supported by the X API and will cause media uploads to fail.
Severity: HIGH
Suggested Fix
In the uploadMedia method, add a check to determine the authentication type. If the client is using OAuth 2.0, prevent the call to client.v2.uploadMedia() and either inform the user that media uploads are not supported with their authentication method or handle the failure gracefully. The X API requires OAuth 1.0a for this functionality.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.
Location: libraries/nestjs-libraries/src/integrations/social/x.provider.ts#L498-L507
Potential issue: The `getClient` method can create an OAuth 2.0 client using a bearer
token. However, the `uploadMedia` function subsequently calls `client.v2.uploadMedia()`,
an endpoint that does not support OAuth 2.0 user context tokens for media uploads, as
confirmed by the X API documentation. This will cause any user who authenticates with
the recommended OAuth 2.0 method and attempts to post with media (images or video) to
encounter a 403 Forbidden error from the API, breaking the posting functionality.
Did we get this right? 👍 / 👎 to inform future reviews.
There was a problem hiding this comment.
Current X documentation explicitly supports OAuth 2.0 user tokens for media uploads:
- POST /2/media/upload authorizes OAuth2UserToken and requires an OAuth2 access token. X Upload Media docs
- The chunked upload flow uses Bearer $USER_ACCESS_TOKEN for initialize, append, finalize, and status requests. X Chunked Upload docs
- OAuth2 defines media.write specifically for uploading media, and the provider requests that scope. X OAuth2 scopes
|
Not at the moment, maybe in the future |
|
Hi Nevo, This is unrelated though, I noticed the Software/Support Engineer opening on the hiring page. Is the position still available? I’ve been exploring and contributing to the Postiz codebase, and I’d love to be considered for the role. I’d be happy to share my résumé and any other relevant details. Thanks! |
What kind of change does this PR introduce?
Feature: add OAuth 2.0 authentication support for X channels alongside OAuth 1.0a.
Why was this change needed?
X OAuth 2.0 provides PKCE, refreshable access tokens, and modern API access while existing OAuth 1.0a connections must remain compatible.
Other information:
Checklist: