fix(instagram,facebook): prevent broken page-grant channels and guide reconnection#1719
fix(instagram,facebook): prevent broken page-grant channels and guide reconnection#1719giladresisi wants to merge 1 commit into
Conversation
… reconnection
The Facebook OAuth page grant is shared across all Meta channels, which
caused two failure modes: the page picker offered pages the app was never
granted (saving one stored a poisoned "undefined___..." token), and a bad
grant could never be repaired because reconnecting silently reused the
previous selection.
Backend (provider files):
- Filter pages without an access_token out of the Facebook and Instagram
pickers - they were never granted in the OAuth dialog and cannot be
published to
- Classify Graph error code 190 as refresh-token instead of bad-body so
invalid tokens mark the channel for reconnection
- Add auth_type=rerequest to the OAuth URL so previously declined
permissions/assets are re-prompted and a bad grant can be repaired
- Clear refreshNeeded when a channel is reconnected (re-adding the same
account heals in place)
Frontend:
- Extend the Facebook/Instagram tile toolTip with the shared-grant warning
- Add an optional onBack prop to the continue-provider empty state so the
full-page OAuth landing is not a dead end ("Back to Postiz")
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Contribution-checker quality warning Heuristics that flagged:
If this is a genuine contribution, please add detail to your PR description and tighten the diff scope before reviewers look at it. |
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
| ...params, | ||
| disabled: false, | ||
| deletedAt: null, | ||
| refreshNeeded: false, |
There was a problem hiding this comment.
updateIntegration is only called from saveProviderPage - the step where the user picks a page during reconnect and we save the fresh page token. It already clears disabled and deletedAt to revive the channel, but it left refreshNeeded set, so a channel flagged for reconnection stayed flagged even after the user reconnected with a valid token - the banner never went away and post workflows kept blocking it. The regular OAuth save path (createOrUpdateIntegration) already resets refreshNeeded to false, so this just makes the page-selection path consistent with it.
The Facebook OAuth page grant is shared across all Meta channels. The page picker offered pages the app was never actually granted — saving one stored a poisoned
undefined___...token — and a bad grant could not be repaired because reconnecting silently reused the previous selection.access_token) out of the Facebook and Instagram pickersrefresh-tokeninstead ofbad-bodyauth_type=rerequestto the OAuth URL so a bad grant can be fixed by reconnectingrefreshNeededon reconnect (re-adding the same account heals in place)Verified locally end-to-end against the Meta test app. Supersedes #1679.
🤖 Generated with Claude Code