Bump SDK to pick up PKCE auto-negotiation from discovery #49
The SDK's performInteractiveLogin unconditionally generated PKCE (code_challenge + code_verifier), but Launchpad's discovery document advertises no code_challenge_methods_supported. The SDK now checks discovery metadata and only generates PKCE when the server advertises S256 support (basecamp/basecamp-sdk#148). Also adapts to the SDK's renamed error code ("auth" → "auth_required").
Pull request overview
This PR fixes the interactive OAuth flow by bumping @37signals/basecamp from 63388ed → b0939b8 (v0.2.0 → v0.2.2). Launchpad's OAuth discovery document does not advertise code_challenge_methods_supported, so the SDK was previously sending PKCE parameters unconditionally, breaking the authorization code flow. The new SDK version auto-negotiates PKCE based on the discovery document. The companion code change adapts classifyDispatchError to the SDK's renamed error code ("auth" → "auth_required").
Changes:
- Bumps `@37signals/basecamp` to commit `b0939b8` (v0.2.2) with PKCE auto-negotiation and `"auth_required"` error code rename.
- Adapts `classifyDispatchError` in `src/dispatch.ts` to handle the renamed SDK error code.
- Updates `package-lock.json` to reflect the new SDK version, integrity hash, and incidental lockfile cleanups (removal of `hono` as an orphaned entry, protocol normalizations to `git+ssh://`).
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `src/dispatch.ts` | Renames the matched BasecampError code from "auth" to "auth_required" to align with the updated SDK. |
| `package.json` | Pins @37signals/basecamp to the new commit hash. |
| `package-lock.json` | Updates resolved version/integrity for the SDK bump; removes orphaned hono entry; normalizes git URLs to git+ssh://. |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: addab80654
npm install rewrote resolved URLs from git+https:// to git+ssh:// due to local SSH config, which would break installs without GitHub SSH access.
Pull request overview
Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.
- Regenerate package-lock.json with npm 10.9.4 (Node 22.22.0) to match CI, fixing the hono sync error. Fix git+ssh:// resolved URLs back to git+https://.
- Add tests for classifyDispatchError with BasecampError instances (auth_required, forbidden, rate_limit) to cover the structured code path alongside the existing heuristic fallback tests.
2396027 to f15e16e
Pull request overview
Copilot reviewed 3 out of 4 changed files in this pull request and generated no new comments.
Summary
- Bump `@37signals/basecamp` from `63388ed` → `b0939b8` to pick up Auto-negotiate PKCE from OAuth discovery metadata (basecamp/basecamp-sdk#148)
- Adapt `classifyDispatchError` to the SDK's renamed error code (`"auth"` → `"auth_required"`)

Problem
Launchpad's OAuth discovery document contains no `code_challenge_methods_supported`:

```json
{
  "issuer": "https://launchpad.37signals.com",
  "authorization_endpoint": "https://launchpad.37signals.com/authorization/new",
  "token_endpoint": "https://launchpad.37signals.com/authorization/token",
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code", "refresh_token"]
}
```

The SDK's `performInteractiveLogin` unconditionally generated PKCE (`code_challenge` + `code_verifier`). Launchpad ignores these parameters, breaking the interactive OAuth flow.

SDK fix (b0939b8)
The SDK now reads `code_challenge_methods_supported` from discovery and only generates PKCE when the server advertises S256:

Wire-level evidence (before/after auth URLs and token exchange bodies) is in the SDK repo's own test suite.

Test plan
- `npm run typecheck` — clean
- `npm test` — 1130 passed, 10 skipped
- `npm run lint` — pre-existing warnings only, none from this change
- `openclaw channels add` end-to-end smoke test (interactive, requires browser)
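
The negotiation described in this PR, as an added TypeScript example that is not the SDK's own code: PKCE parameters are attached only when the discovery metadata explicitly lists S256. The helper names (`supportsS256`, `buildAuthRequest`, `buildTokenBody`), the client id and the redirect URI are hypothetical, and the token body uses generic RFC 6749 parameter names rather than Launchpad's exact request.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Subset of OAuth authorization server metadata (RFC 8414) used here.
interface Discovery {
  authorization_endpoint: string;
  code_challenge_methods_supported?: unknown; // untrusted input: validate before use
}

interface AuthRequest {
  url: string;
  codeVerifier?: string; // set only when PKCE was negotiated
}

// RFC 7636 S256: challenge = BASE64URL(SHA256(ASCII(verifier))).
function s256Challenge(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest().toString("base64url");
}

// True only when the server explicitly lists S256; "plain" alone does not count.
function supportsS256(d: Discovery): boolean {
  const m = d.code_challenge_methods_supported;
  return Array.isArray(m) && m.includes("S256");
}

// Hypothetical helper: builds the authorization URL, adding PKCE only if advertised.
function buildAuthRequest(d: Discovery, clientId: string, redirectUri: string, state: string): AuthRequest {
  const url = new URL(d.authorization_endpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state);
  if (!supportsS256(d)) return { url: url.toString() };
  const codeVerifier = randomBytes(32).toString("base64url"); // 43 chars (RFC 7636 allows 43..128)
  url.searchParams.set("code_challenge", s256Challenge(codeVerifier));
  url.searchParams.set("code_challenge_method", "S256");
  return { url: url.toString(), codeVerifier };
}

// Token request body; code_verifier is sent only if one was generated for this login.
function buildTokenBody(code: string, clientId: string, redirectUri: string, codeVerifier?: string): URLSearchParams {
  const body = new URLSearchParams({ grant_type: "authorization_code", code, client_id: clientId, redirect_uri: redirectUri });
  if (codeVerifier !== undefined) body.set("code_verifier", codeVerifier);
  return body;
}

// Constructed sample: the authorization endpoint quoted in this PR, no PKCE advertised.
const LAUNCHPAD: Discovery = { authorization_endpoint: "https://launchpad.37signals.com/authorization/new" };
```

Because the decision rests on discovery metadata, the client should accept that document only over HTTPS from the configured issuer; a tampered response could otherwise switch PKCE off.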