fix: update Instagram scopes for Meta's new permission naming #1199
avrystroeve wants to merge 7 commits into gitroomhq:main from
Creates PRs when upstream postiz-app has updates. Runs weekly on Mondays or manually via workflow_dispatch. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
e0789d0 to ca35c8b
Meta's new use-case based permission system no longer accepts `instagram_manage_comments` and `instagram_manage_insights` as valid OAuth scopes, even though these permissions appear in their developer console. Attempting to use the newer `instagram_business_manage_*` names also fails. This removes the problematic scopes to allow Instagram connection to work. Users will lose commenting and insights features until Meta/Postiz figure out the correct scope names for the new permission system. Tested: Instagram (Facebook Business) connection now works. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
ca35c8b to bf41e17
Remove r_basicprofile, rw_organization_admin, w_organization_social, and r_organization_social scopes that require special LinkedIn approval. Keeps only openid, profile, and w_member_social for personal posting. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
| 'w_member_social', | ||
| 'r_basicprofile', | ||
| 'rw_organization_admin', | ||
| 'w_organization_social', | ||
| 'r_organization_social', | ||
| ]; | ||
| override maxConcurrentJob = 2; // LinkedIn has professional posting limits | ||
| refreshWait = true; |
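Review bot: removing `r_organization_social` and `w_organization_social` from this scopes array means tokens issued after this change can no longer read or post to LinkedIn organization pages, but nothing in the hunk gates that path or records the loss; the commit message only says "for personal posting". Suggest either keeping the organization scopes in a separate, opt-in configuration for installs whose LinkedIn app has been approved, or stating the dropped organization posting feature in the PR description the way the Instagram commit does, so operators are not surprised by authorization failures on page posts.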
- Add security headers (CSP, HSTS, X-Frame-Options, etc.) in next.config.js
- Implement nonce-based CSP via middleware for inline scripts
- Add nonce support to Facebook pixel, DubAnalytics, and PostHog
- Add SRI for Plausible analytics script
- Harden auth cookies with sameSite: 'lax' (allows OAuth redirects)
- Keeps httpOnly and secure flags for production cookies
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
apps/frontend/src/utils/nonce.ts
| import crypto from 'crypto'; | ||
|
|
||
| export function generateNonce() { | ||
| return Buffer.from(crypto.randomBytes(16)).toString('base64'); | ||
| } |
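Review bot: `import crypto from 'crypto'` and `Buffer` are Node-only, so this helper cannot be called from Next.js middleware on the Edge Runtime (the later commit reverting it for 500 errors confirms this). Suggest generating the nonce with the Web Crypto API that both runtimes expose, `globalThis.crypto.getRandomValues(new Uint8Array(16))`, and base64-encoding with `btoa`; even on Node, `Buffer.from(crypto.randomBytes(16))` wraps a Buffer in another Buffer for no gain, `crypto.randomBytes(16).toString('base64')` is enough.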
Gemini added integrity, scriptProps, and customDomain to Plausible but these were misconfigured (customDomain pointed to Postiz, not a Plausible server). Reverting to original Plausible config. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
posthog.init() doesn't accept script_nonce in current version's types. Reverting to original PostHog config to fix build. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Edge Runtime doesn't support Node.js 'crypto' module, causing 500 errors. Reverted middleware.ts and nonce.ts changes. Security features still active:
- Security headers in next.config.js (CSP, HSTS, X-Frame-Options, etc.)
- Cookie hardening with sameSite: 'lax'
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
| key: 'Content-Security-Policy', | ||
| value: | ||
| "default-src 'self'; script-src 'self' https://js.stripe.com; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'", |
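Review bot: this `script-src 'self' https://js.stripe.com` carries neither a nonce nor `'unsafe-inline'`, yet the nonce middleware that was meant to allow the inline Facebook Pixel, DubAnalytics and PostHog bootstraps has since been reverted, so under this header those inline scripts will be blocked by the browser. Either restore a nonce source that works on the Edge Runtime (`globalThis.crypto.getRandomValues`) and emit `'nonce-…'` here, or move the inline bootstraps into files served from `'self'`; `connect-src` is also undeclared and falls back to `'self'`. Shipping the value as `Content-Security-Policy-Report-Only` first would surface every blocked request before it breaks users.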
Bug: The new Content Security Policy lacks a connect-src directive, causing it to default to 'self'. This will block outgoing requests from analytics scripts like Facebook Pixel.
Severity: MEDIUM
Suggested Fix
Add the necessary domains for analytics services to a new connect-src directive in the CSP. For example: connect-src 'self' https://connect.facebook.net [POSTHOG_HOST_IF_EXTERNAL];. This will allow analytics scripts to send data while keeping the policy restrictive for other connections.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.
Location: apps/frontend/next.config.js#L16-L18
Potential issue: The new Content Security Policy (CSP) in `next.config.js` sets `default-src 'self'` but does not define a `connect-src` directive. This causes `connect-src` to also default to `'self'`, blocking any `fetch` or `XHR` requests to external domains. While core application API calls use relative paths and are unaffected, this will break analytics services. Specifically, the Facebook Pixel integration, which loads from `/f.js`, makes calls to `connect.facebook.net` that will be blocked. Similarly, PostHog analytics will fail if configured to use an external API host, leading to a loss of analytics data.
Summary
Meta has renamed Instagram permissions in their new use-case based developer platform:
- instagram_manage_comments → instagram_business_manage_comments
- instagram_manage_insights → instagram_business_manage_insights
The old scope names now return "Invalid Scopes" errors when trying to connect Instagram accounts through Facebook Login for Business.
Problem
When users try to connect Instagram (Facebook Business) in Postiz, they get:
Solution
Update the scopes array in instagram.provider.ts to use Meta's new permission naming convention.
Test plan
🤖 Generated with Claude Code