From 4072ffa737b1f9644be154f7a08a09053f273d30 Mon Sep 17 00:00:00 2001 From: waleed Date: Wed, 10 Jun 2026 18:17:02 -0700 Subject: [PATCH 1/2] fix(oauth): drop ungrantable JSM Forms scopes from Jira scope list Atlassian never published read/write/delete:form:jira-service-management to the OAuth 2.0 (3LO) or Forge scope catalogs, so no OAuth app can be configured with them and the authorize flow silently omits them from every grant. Because the credential check hard-requires the full canonical list, every Jira credential showed a permanent 'Additional permissions required' banner that 'Update access' could never clear. No granted credential has ever held these scopes, and no saved workflow uses the JSM forms operations, so removal changes no working behavior. --- apps/sim/lib/oauth/oauth.ts | 3 --- apps/sim/lib/oauth/utils.ts | 3 --- 2 files changed, 6 deletions(-) diff --git a/apps/sim/lib/oauth/oauth.ts b/apps/sim/lib/oauth/oauth.ts index f7af93832e..9cca712769 100644 --- a/apps/sim/lib/oauth/oauth.ts +++ b/apps/sim/lib/oauth/oauth.ts @@ -541,9 +541,6 @@ export const OAUTH_PROVIDERS: Record = { 'write:request.participant:jira-service-management', 'read:request.approval:jira-service-management', 'write:request.approval:jira-service-management', - 'read:form:jira-service-management', - 'write:form:jira-service-management', - 'delete:form:jira-service-management', ], }, }, diff --git a/apps/sim/lib/oauth/utils.ts b/apps/sim/lib/oauth/utils.ts index 1f7eae2e77..f95626781a 100644 --- a/apps/sim/lib/oauth/utils.ts +++ b/apps/sim/lib/oauth/utils.ts @@ -201,9 +201,6 @@ export const SCOPE_DESCRIPTIONS: Record = { 'Add and remove participants from customer requests', 'read:request.approval:jira-service-management': 'View approvals on customer requests', 'write:request.approval:jira-service-management': 'Approve or decline customer requests', - 'read:form:jira-service-management': 'View JSM forms and templates', - 'write:form:jira-service-management': 'Attach, save, and submit JSM forms', - 'delete:form:jira-service-management': 'Delete JSM forms', // Microsoft scopes 'User.Read': 'Read Microsoft user', From 1458af675ae9937022578606a2397e42c5c65ded Mon Sep 17 00:00:00 2001 From: waleed Date: Wed, 10 Jun 2026 18:17:11 -0700 Subject: [PATCH 2/2] fix(secrets): keep a fixed-length value mask for read-only viewers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The viewer mask was derived from the value's length, but the server now withholds workspace secret values from non-admins (empty string), so the bullets disappeared entirely for read-only users. Always render a fixed-length mask for viewers — matching the component's documented behavior — which also stops leaking the secret's length. --- .../components/secret-value-field/secret-value-field.tsx | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/apps/sim/app/workspace/[workspaceId]/settings/components/secrets/components/secret-value-field/secret-value-field.tsx b/apps/sim/app/workspace/[workspaceId]/settings/components/secrets/components/secret-value-field/secret-value-field.tsx index fd3d8056c9..be6b14d6f9 100644 --- a/apps/sim/app/workspace/[workspaceId]/settings/components/secrets/components/secret-value-field/secret-value-field.tsx +++ b/apps/sim/app/workspace/[workspaceId]/settings/components/secrets/components/secret-value-field/secret-value-field.tsx @@ -6,6 +6,13 @@ import { ChipInput } from '@/components/emcn' const BULLET = '\u2022' +/** + * Viewers always see this many bullets regardless of the real value, which the + * server withholds (empty string) for non-admins. A fixed length also avoids + * leaking the secret's length. + */ +const VIEWER_MASK_LENGTH = 10 + type SecretValueFieldProps = Omit< ComponentProps<'input'>, 'type' | 'value' | 'onChange' | 'readOnly' @@ -50,7 +57,7 @@ export function SecretValueField({ const [focused, setFocused] = useState(false) const editable = canEdit && !readOnly const maskActive = canEdit && !unmasked && !focused - const displayValue = canEdit ? value : value ? BULLET.repeat(value.length) : '' + const displayValue = canEdit ? value : BULLET.repeat(VIEWER_MASK_LENGTH) const mergedStyle: CSSProperties | undefined = maskActive ? ({ ...style, WebkitTextSecurity: 'disc' } as CSSProperties)