Skip to content

[SILO-529] chore: update byoa page with integration screen changes #143

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
danciaclara merged 1 commit into from
Sep 15, 2025
Merged

[SILO-529] chore: update byoa page with integration screen changes #143

danciaclara merged 1 commit into from
Sep 15, 2025

Conversation

@Prashant-Surya
Copy link
Member

@Prashant-Surya Prashant-Surya commented Sep 15, 2025
edited by coderabbitai bot
Loading

Description

  • Use /integrations page instead of /applications page
  • Add detailed documentation on Webhook payload

Type of Change

  • Improvement (change that would cause existing functionality to not work as expected)

References:

SILO-529

Summary by CodeRabbit

  • Documentation
    • Updated settings path to /settings/integrations/ and renamed “Is Mentionable” to “Enable App Mentions”.
    • Clarified OAuth flow (redirect includes code and app_installation_id) and updated samples to use the official OAuth helper with improved error handling and token expiry handling.
    • Added webhook payload structure, event types, and full processing examples (TypeScript/Python), plus key fields to note.
    • Revised token refresh guidance: re-fetch bot tokens via installation ID; separated user token refresh examples.
    • Updated app installation guidance to reflect array responses and clarified bot user ID terminology.

@vercel
Copy link

vercel bot commented Sep 15, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
developer-docs Error Error Sep 15, 2025 7:22am

@coderabbitai
Copy link

coderabbitai bot commented Sep 15, 2025
edited
Loading

Walkthrough

The documentation page api-reference/byoa/build-plane-app.mdx was updated to reflect new settings paths, renamed UI labels, revised OAuth flows using a Plane OAuth API wrapper, updated token handling (bot and user), clarified app installation data shapes, and added webhook payload structure with Python/TypeScript examples.

Changes

Cohort / File(s) Summary
Docs: OAuth, tokens, and webhooks refresh
api-reference/byoa/build-plane-app.mdx		 Updated settings path and label names; reworked OAuth samples to use plane.oauth.api.OAuthApi in Python/TypeScript; clarified redirect params (code, app_installation_id); switched bot token handling to client-credentials without refresh tokens; separated user token refresh via auth code; treated app installation responses as arrays; added webhook payload structure and full processing examples; added guards/error handling; minor textual clarifications.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant U as User
  participant App as Third-Party App
  participant Plane as Plane OAuth API

  rect rgba(227,242,253,0.5)
  note over App,Plane: Client Credentials (Bot) flow
  App->>Plane: get_bot_token(app_installation_id)
  Plane-->>App: bot_access_token + expires_in
  App->>Plane: get_app_installations(token, app_installation_id)
  Plane-->>App: [installation] (array)
  end

  rect rgba(232,245,233,0.5)
  note over U,Plane: Authorization Code (User) flow
  U->>App: Redirect with code + app_installation_id
  App->>Plane: exchange_code_for_token(code)
  Plane-->>App: user_access_token (+ refresh_token)
  end
Loading 
sequenceDiagram
  autonumber
  participant Plane as Plane Webhooks
  participant App as App Webhook Endpoint
  participant Store as Secrets/Config

  Plane-->>App: Webhook payload (event, app_installation_id, workspace, app_bot)
  App->>Store: Load credentials/config for installation
  alt Known installation
    App->>App: Validate signature and parse payload
    App-->>Plane: 2xx response
  else Missing installation
    App-->>Plane: 4xx/5xx error
  end
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested reviewers

  • pushya22
  • danciaclara

Poem

I twitch my ears at OAuth’s tune,
Tokens hop—refresh by noon.
Webhooks thump with tidy grace,
Arrays in fields find their place.
Mentions bloom, a renamed cheer—
I nibble docs; the path is clear. 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The title "[SILO-529] chore: update byoa page with integration screen changes" succinctly names the primary change—updating the BYOA documentation to reflect integration/settings screen changes—and includes the tracking ticket, making it easy to trace. It is specific to the changes described in the raw summary and PR objectives (switching settings paths and updating webhook/OAuth docs) and avoids vague language. The phrasing is concise and appropriate for a changelog entry a teammate would scan.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.
✨ Finishing touches
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch chore/byoa-changes

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

  • Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
  • Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@makeplane
Copy link

makeplane bot commented Sep 15, 2025

Pull Request Linked with Plane Work Items

Comment Automatically Generated by Plane

@Prashant-Surya Prashant-Surya marked this pull request as ready for review September 15, 2025 07:24
coderabbitai[bot]
coderabbitai bot reviewed Sep 15, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
api-reference/byoa/build-plane-app.mdx (3)

175-205: TypeScript OAuth token requests: Content-Type is x-www-form-urlencoded but payload is JSON.

Axios will send JSON here, which won’t match the declared Content‑Type. Encode with URLSearchParams (or use the Node SDK for parity with Python).

Apply:

-import axios from 'axios';
+import axios from 'axios';
+import { URLSearchParams } from 'url';
 ...
-const payload = {
-  grant_type: "client_credentials",
-  app_installation_id: appInstallationId
-};
+const params = new URLSearchParams({
+  grant_type: "client_credentials",
+  app_installation_id: appInstallationId,
+});
 ...
-  payload,
+  params.toString(),
   {
     headers: {
       Authorization: `Basic ${basicAuth}`,
       "Content-Type": "application/x-www-form-urlencoded"
     }
   }
 );

Also consider swapping hardcoded client creds for environment variables and adding a brief note that this code must run server‑side (Buffer usage).

251-282: TypeScript authorization code exchange: same form‑encoding issue.

Encode the body or the request will likely fail.

Apply:

-import axios from 'axios';
+import axios from 'axios';
+import { URLSearchParams } from 'url';
 ...
-const payload = {
-  grant_type: "authorization_code",
-  code: code,
-  client_id: clientId,
-  client_secret: clientSecret,
-  redirect_uri: redirectUri
-};
+const params = new URLSearchParams({
+  grant_type: "authorization_code",
+  code,
+  client_id: clientId,
+  client_secret: clientSecret,
+  redirect_uri: redirectUri,
+});
 ...
-  payload,
+  params.toString(),
   {
     headers: {
       "Content-Type": "application/x-www-form-urlencoded"
     }
   }
 );

700-722: TS refresh token flow: fix form‑encoding.

Same encoding issue; switch to URLSearchParams.

-const refreshPayload = {
-  grant_type: "refresh_token",
-  refresh_token: refreshToken,
-  client_id: clientId,
-  client_secret: clientSecret
-};
+import { URLSearchParams } from 'url';
+const refreshParams = new URLSearchParams({
+  grant_type: "refresh_token",
+  refresh_token: refreshToken,
+  client_id: clientId,
+  client_secret: clientSecret,
+});
 ...
-  refreshPayload,
+  refreshParams.toString(),
🧹 Nitpick comments (13)
api-reference/byoa/build-plane-app.mdx (13)

52-63: Settings path and field names update look good; add CSRF 'state' recommendation in this section.

Since this is where developers configure Redirect URIs, recommend explicitly stating that OAuth requests should include and verify a cryptographically random state parameter to prevent CSRF. Add a one‑liner here pointing to the example below.

120-131: Clarify callback params and recommended handling.

The table notes code is “present but not used” for client credentials. Add:

  • Explicitly ignore code for this flow and only use app_installation_id.
  • Still validate state and match the original value to mitigate CSRF.

137-153: Python example: remove unused import and show app_installation_id source.

  • import time is unused.
  • Define where app_installation_id comes from (query param on your Redirect URI).

Apply:

-import time
 ...
-# Get bot token using app installation ID
-oauth_api = get_oauth_api()
-token_response = oauth_api.get_bot_token(app_installation_id)
+# Get bot token using app installation ID from the OAuth callback
+oauth_api = get_oauth_api()
+# e.g., app_installation_id = request.args["app_installation_id"]
+token_response = oauth_api.get_bot_token(app_installation_id)

297-309: Python installation lookup is clear; add a note on checking status === "installed".

You already surface status later—good to recommend checking it here before trusting fields.

323-329: TS installation fetch: add minimal null checks.

Accessing [0] without a check can throw on empty arrays. Suggest:

-const workspaceDetails = response.data[0];
+const [workspaceDetails] = response.data ?? [];
+if (!workspaceDetails) throw new Error('App installation not found');

336-359: Invalid JSON in fenced block (uses comments).

// Bot user ID ... makes this block non‑JSON. Use jsonc/js fence or move the note below.

Apply:

-```json
+```jsonc
 ...
-        "app_bot": "7286aaa7-9250-4851-a520-29c904fd7654", // Bot user ID for your app in this workspace
+        "app_bot": "7286aaa7-9250-4851-a520-29c904fd7654", // Bot user ID for your app in this workspace
Or remove the inline comment and add a bullet under “Key fields to note”.

---

`407-431`: **Issue comment event example: JSON comment syntax again.**

Same JSONC vs JSON concern as above; also consider including a minimal set of guaranteed fields to avoid implying strict shape guarantees.

---

`438-470`: **Issue event example: JSON comment syntax and optionality.**

Use JSONC or remove comments; consider marking `assignees`, `labels`, and nested `state` fields as optional in the prose.

---

`480-517`: **Webhook handler: add fast 2xx and async processing guidance.**

Recommend acknowledging the webhook quickly and offloading heavy work to a queue; include a one‑liner note to avoid retries/timeouts.

---

`523-570`: **Python webhook handler references undeclared Pydantic models.**

Either include minimal model definitions or link to a schema reference so users can copy/paste a working example.


I can add compact Pydantic models for the shown fields if you want them inlined here.

---

`596-621`: **Great clarification on bot token refresh; add proactive refresh tip.**

Suggest refreshing a few minutes before expiry (`expires_in`) to avoid race conditions under load.

---

`42-47`: **Anchor consistency nit.**

The first two items mix a trailing slash before the hash vs not. Standardize to one style to avoid accidental 301s or broken anchors.

---

`56-61`: **Add webhook secret & signature-verification guidance (link to existing webhook docs)**

- In api-reference/byoa/build-plane-app.mdx — under "Webhook URL Endpoint(Optional)" (≈ lines 56–61) add a short note instructing: generate and store a webhook secret at app creation (keep it out of source control), verify incoming webhook signatures and reject invalid/missing signatures, and use webhook_id for idempotent processing.
- Call out the signature header and algorithm inline and link to the canonical webhook doc instead of duplicating full examples: webhooks/intro-webhooks.mdx → "Verifying Signature" (header: X-Plane-Signature; algorithm: HMAC-SHA256; examples present).
- I can draft the brief "Verify webhooks" subsection with Node/Python HMAC examples to insert here or link to the existing examples.

</blockquote></details>

</blockquote></details>

<details>
<summary>📜 Review details</summary>

**Configuration used**: CodeRabbit UI

**Review profile**: CHILL

**Plan**: Pro

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between 7f8b11e1ee0c658fbd3d8b15452fb194a60bf0d2 and e620aa21794fdadd95423887e70decc7b7baeb42.

</details>

<details>
<summary>📒 Files selected for processing (1)</summary>

* `api-reference/byoa/build-plane-app.mdx` (10 hunks)

</details>

<details>
<summary>⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)</summary>

* GitHub Check: Cursor Bugbot

</details>

<details>
<summary>🔇 Additional comments (3)</summary><blockquote>

<details>
<summary>api-reference/byoa/build-plane-app.mdx (3)</summary><blockquote>

`154-170`: **Nice: defensive check and clear parsing.**

Using a guard for empty `app_installations` and reading `expires_in` from the token response is solid.

---

`228-245`: **Python user-token exchange via SDK looks consistent.**

Clear and consistent with earlier helper usage.

---

`662-695`: **Python refresh‑token example looks consistent.**

Reads well and matches the earlier abstractions.

</blockquote></details>

</blockquote></details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

@danciaclara danciaclara merged commit 9f5b268 into preview Sep 15, 2025
5 of 6 checks passed
@danciaclara danciaclara deleted the chore/byoa-changes branch September 15, 2025 11:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@danciaclara danciaclara danciaclara approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Prashant-Surya @danciaclara