Skip to content

feat(auth): workspace-scoped connections and dev tooling#2

Open
Askir wants to merge 3 commits intomainfrom
askir/workspace-connections
Open

feat(auth): workspace-scoped connections and dev tooling#2
Askir wants to merge 3 commits intomainfrom
askir/workspace-connections

Conversation

@Askir
Copy link
Collaborator

@Askir Askir commented Feb 25, 2026
edited
Loading

Summary

  • Workspace-scoped Nango connections: Connections are now tagged with workspace-id and user-id instead of using endUserId. All workspace members share access to connections within their workspace.
  • Consolidated API routes: Connection endpoints moved under /api/workspaces/[workspaceId]/connections (GET list, POST create session) and /api/connections/credentials (GET fetch creds with workspace membership check via tags).
  • WORKSPACE_ID injection: Cloud dev machines now receive WORKSPACE_ID as an env var (DB insert moved before secrets). The dev-ui passes it through ApiContext to the integration provider.
  • Local dev tooling: scripts/dev-auth.sh starts ngrok + auth-server with the ngrok URL injected as PUBLIC_URL, which gets set as OPFLOW_SERVER_URL on new cloud machines.

API Routes (auth-server)

GET  /api/integrations                                             — list integrations
GET  /api/workspaces/[workspaceId]/connections                     — list workspace connections
POST /api/workspaces/[workspaceId]/connections                     — create connect session
GET  /api/connections/credentials?integration_id=X&connection_id=Y — fetch credentials

Local Development

1. Start local auth-server with ngrok tunnel

# Prerequisites: ngrok installed, docker compose up (postgres), .env.local configured
./scripts/dev-auth.sh

This starts ngrok on port 3000, extracts the public URL, and runs the auth-server with PUBLIC_URL set. New cloud machines will receive the ngrok URL as OPFLOW_SERVER_URL.

2. Build and push a custom dev image

To test core SDK changes (e.g., CloudIntegrationProvider) on cloud machines:

# Build 0pflow, pack tarball, build+push Docker image with custom tag
cd packages/core
pnpm build
rm -f docker/0pflow-*.tgz && npm pack --pack-destination docker/
cd docker
FLY_API_TOKEN="<token>" flyctl deploy --build-only --push \
  --image-label <your-tag> --build-arg OPFLOW_SOURCE=local

Then add to packages/auth-server/.env.local:

CLOUD_DEV_IMAGE=registry.fly.io/opflow-cloud-dev-image:<your-tag>

3. Create a workspace against local auth-server

# In another terminal (CLI talks to localhost, not ngrok)
OPFLOW_SERVER_URL=http://localhost:3000 pnpm --filter 0pflow exec 0pflow cloud run

Askir and others added 3 commits February 25, 2026 15:19
@Askir @claude
feat(auth): workspace-scoped connections via Nango tags
98e498a 
Replace per-user connection isolation (end_user.id) with workspace-scoped
access using Nango connection tags (workspace-id, user-id). All members
of a workspace now share access to its OAuth connections.

- Add workspace membership validation helper
- Add listConnectionsByTags using Nango REST API (SDK doesn't support tag filtering)
- Require workspace_id on connect-session creation, tag connections accordingly
- New GET /api/connections?workspace_id=X endpoint for workspace-scoped listing
- Update credentials endpoint to authorize via workspace-id tag + membership
- Remove old per-integration/per-user connections endpoint
- Update IntegrationProvider interface: endUserId -> workspaceId
- Update CloudIntegrationProvider and LocalIntegrationProvider

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Askir @claude
refactor(auth): consolidate connection routes under /workspaces and /…
65c4bd6 
…connections

- GET/POST /api/workspaces/[workspaceId]/connections for list + create
- GET /api/connections/credentials?integration_id&connection_id for fetching creds
- Remove /api/nango/connect-session (Nango implementation detail leaked in URL)
- Remove /api/credentials/[integrationId] (odd parameterization)
- Remove /api/connections?workspace_id (workspace now in path)
- Update CloudIntegrationProvider to use new routes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Askir @claude
feat(cloud-dev): pass WORKSPACE_ID to cloud machines, add dev-auth sc…
ced7c4d 
…ript

- Move DB insert before secrets in create route so WORKSPACE_ID can be
  included as a machine env var
- Inject PUBLIC_URL as OPFLOW_SERVER_URL on new machines for local dev
- Pass workspaceId through dev-ui ApiContext to integration provider
- Add scripts/dev-auth.sh for local auth-server development with ngrok

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Askir