[feature] SC-166737/improve app proxy security by restricting where token replacements can go

[HappyPaul55]

This pull request introduces improvements to the handling of HubSpot API authentication and constants in the codebase. The main focus is on enhancing configuration flexibility and enforcing immutability for constant objects.

Authentication and configuration enhancements:

• Updated the HubSpot API configuration in manifest.json to support dynamic injection of credentials (client_id, client_secret, and api_token) into request bodies and headers via the new settingsInjection property.

Codebase consistency and safety:

• Updated the placeholders and PROPERTIES constant objects in src/services/hubspot/constants.ts to use the as const assertion, ensuring that these objects are treated as immutable and their values are inferred as literal types. [1] [2]

Summary by Sourcery

Improve app proxy security by configuring explicit credential injection points in the manifest and enforcing immutability of HubSpot constants

New Features:

• Add settingsInjection to manifest.json for dynamic injection of HubSpot credentials into request bodies and headers

Enhancements:

• Use 'as const' assertion on placeholders and PROPERTIES constants to enforce immutability and literal typing

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

This PR enhances the HubSpot integration by enabling dynamic credential injection into API requests through a new settingsInjection configuration in manifest.json and by enforcing immutability for core constant objects with as const assertions for improved type safety.

Class diagram for updated HubSpot constants with immutability

classDiagram
  class placeholders {
    <<const>>
    API_TOKEN: "__api_token__"
    OAUTH2_ACCESS_TOKEN_PATH: "oauth2/access_token"
    OAUTH2_REFRESH_TOKEN_PATH: "oauth2/refresh_token"
  }
  class PROPERTIES {
    <<const>>
    contacts: ["firstname", "lastname", "email", "phone", "lifecyclestage"]
    companies: ["name"]
  }

Loading

File-Level Changes

Change	Details	Files
Enable dynamic injection of HubSpot API credentials	Added settingsInjection property to manifest.json for client_id and client_secret in request bodies Mapped api_token to the Authorization header	manifest.json
Enforce immutability on constant objects	Applied as const to the placeholders object Applied as const to the PROPERTIES object	src/services/hubspot/constants.ts

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• Add runtime validation for the new settingsInjection config so missing or malformed credentials are caught early with clear errors before proxy requests are made.
• Include unit tests specifically for settingsInjection to verify that tokens are only injected into the designated body fields and headers on the allowed endpoints.
• Consider exposing explicit TypeScript types (e.g. via unions or helper interfaces) derived from your as const placeholders and PROPERTIES so downstream code can only use valid values.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Add runtime validation for the new settingsInjection config so missing or malformed credentials are caught early with clear errors before proxy requests are made.
- Include unit tests specifically for settingsInjection to verify that tokens are only injected into the designated body fields and headers on the allowed endpoints.
- Consider exposing explicit TypeScript types (e.g. via unions or helper interfaces) derived from your `as const` placeholders and PROPERTIES so downstream code can only use valid values.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Copilot]

Pull Request Overview

This PR enhances security for the HubSpot app by implementing strict controls on credential injection and improving type safety for constant objects.

• Adds settingsInjection configuration to restrict where HubSpot credentials can be injected in API requests
• Applies as const assertions to constant objects for immutability and better type inference

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
manifest.json	Adds settingsInjection configuration to the proxy whitelist, restricting client_id and client_secret to request bodies and api_token to the Authorization header
src/services/hubspot/constants.ts	Applies as const assertions to placeholders and PROPERTIES objects to enforce immutability and improve type safety

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Build for commit 36b985d deployed to: https://hubspot-pr-120.ci.next.deskprodemo.com

URLs:
https://hubspot-pr-120.ci.next.deskprodemo.com/horizon-ui/app