Skip to content

fix(instagram,facebook): prevent broken page-grant channels and guide reconnection#1719

Open
giladresisi wants to merge 1 commit into
mainfrom
fix/meta-page-grant-v2
Open

fix(instagram,facebook): prevent broken page-grant channels and guide reconnection#1719
giladresisi wants to merge 1 commit into
mainfrom
fix/meta-page-grant-v2

Conversation

@giladresisi

Copy link
Copy Markdown
Collaborator

The Facebook OAuth page grant is shared across all Meta channels. The page picker offered pages the app was never actually granted — saving one stored a poisoned undefined___... token — and a bad grant could not be repaired because reconnecting silently reused the previous selection.

  • Filter ungranted pages (no access_token) out of the Facebook and Instagram pickers
  • Classify Graph error code 190 as refresh-token instead of bad-body
  • Add auth_type=rerequest to the OAuth URL so a bad grant can be fixed by reconnecting
  • Clear refreshNeeded on reconnect (re-adding the same account heals in place)
  • Add tile tooltips warning that the page grant is shared across Meta channels
  • Add a "Back to Postiz" button to the OAuth-landing empty state (was a dead end)

Verified locally end-to-end against the Meta test app. Supersedes #1679.

🤖 Generated with Claude Code

… reconnection

The Facebook OAuth page grant is shared across all Meta channels, which
caused two failure modes: the page picker offered pages the app was never
granted (saving one stored a poisoned "undefined___..." token), and a bad
grant could never be repaired because reconnecting silently reused the
previous selection.

Backend (provider files):
- Filter pages without an access_token out of the Facebook and Instagram
  pickers - they were never granted in the OAuth dialog and cannot be
  published to
- Classify Graph error code 190 as refresh-token instead of bad-body so
  invalid tokens mark the channel for reconnection
- Add auth_type=rerequest to the OAuth URL so previously declined
  permissions/assets are re-prompted and a bad grant can be repaired
- Clear refreshNeeded when a channel is reconnected (re-adding the same
  account heals in place)

Frontend:
- Extend the Facebook/Instagram tile toolTip with the shared-grant warning
- Add an optional onBack prop to the continue-provider empty state so the
  full-page OAuth landing is not a dead end ("Back to Postiz")

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@postiz-contribution postiz-contribution Bot added the contribution:approved Approved contributor label Jul 14, 2026
@postiz-contribution

Copy link
Copy Markdown

Contribution-checker quality warning
Heuristic score: 2/100 (low). This is a non-blocking warning surfaced by the project's quality settings.

Heuristics that flagged:

  • Excessive inline code references: 6 inline refs (>3)
  • PR doesn't use the repo's PR template: 5 required checkbox items missing (max 1, match ≥80%)
  • AI watermark phrase: Matched: "Generated with Claude Code"
  • Commit message too long: Longest: 1214 chars
  • Excessive added comments: 11 added comment lines (ratio 0.14)

If this is a genuine contribution, please add detail to your PR description and tighten the diff scope before reviewers look at it.

@postiz-agent

postiz-agent Bot commented Jul 14, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

...params,
disabled: false,
deletedAt: null,
refreshNeeded: false,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why this was added?

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updateIntegration is only called from saveProviderPage - the step where the user picks a page during reconnect and we save the fresh page token. It already clears disabled and deletedAt to revive the channel, but it left refreshNeeded set, so a channel flagged for reconnection stayed flagged even after the user reconnected with a valid token - the banner never went away and post workflows kept blocking it. The regular OAuth save path (createOrUpdateIntegration) already resets refreshNeeded to false, so this just makes the page-selection path consistent with it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

contribution:approved Approved contributor

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants