* feat: implement SSRF protection with URL validation across plugins
* refactor SSRF protection to focus on cloud metadata endpoints and improve configuration options
* remove legacy whitelist functionality and streamline SSRF validation process
* enhance SSRF protection by adding configurable blocked schemes and validation checks
* enhance SSRF protection by integrating configurable options across services
* replace dns.lookup with dns.lookup from dns module for improved clarity
* refactor: enhance SSRF protection by merging request options and improving IP format normalization
* Fix: update comments for clarity and enhance IP normalization in SSRF protection
* enhance SSRF protection by validating URL and applying protection options in GraphqlQueryService
* enhance SSRF protection with detailed validation for redirects and URL schemes
* fix(grpcv2): use loadSync for filesystem proto loading to prevent server crash
protobufjs has an unfixed bug (protobufjs/protobuf.js#1098) where
async Root.load() calls resolveAll() outside its try-catch in the
finish() callback. When resolveAll() throws (e.g. unresolvable types),
the error becomes an uncaught exception that crashes the Node.js
process — the Promise never resolves/rejects.
Switch from protoLoader.load() to protoLoader.loadSync() for all
filesystem-based proto loading. With loadSync, resolveAll() errors
propagate as normal synchronous throws caught by existing try-catch
blocks. This is consistent with loadProtoFromRemoteUrl() which
already uses loadSync.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(grpcv2): add filesystem proto discovery with lightweight scanning
Add discoverServiceNames and discoverMethodsForServices to support
two-phase service discovery from filesystem proto files. Uses
protobufjs.parse() for lightweight name scanning (~30KB/file) and
only loads full gRPC definitions for selected services, preventing
OOM on large proto directories.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(DynamicSelector): add multi-select and autoFetch for grpcv2 filesystem services
Add isMulti and autoFetch props to DynamicSelector. autoFetch triggers
service discovery on mount without requiring a manual button click,
and skips cache persistence to avoid false "Unsaved Changes" prompts.
Multi-select renders services as chips with custom styles.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(data-sources): handle non-array elements in resolveKeyValuePair
resolveKeyValuePair assumed all array option elements are sub-arrays
(like metadata key-value pairs). Options like selected_services contain
plain strings, causing arr.map crash during test connection. Guard with
Array.isArray check and fall back to resolveValue for scalar elements.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(grpcv2): require service selection for filesystem mode in query manager
Filesystem mode without selected services would fall back to full
proto discovery (loading every file), defeating the purpose of the
two-phase discovery. Now shows an error asking the user to select
services in the datasource config instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(grpcv2): require selected services for filesystem test connection
Test connection in filesystem mode now validates that at least one
service is selected and uses a selected service for the connectivity
check instead of picking an arbitrary one from the proto directory.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(grpcv2): simplify filesystem test connection to validate proto parsing
Test connection for filesystem mode now just validates that proto files
can be parsed and services discovered — no service selection required.
Removes the meaningless waitForReady check which only tested TCP
connectivity without validating anything about the proto definitions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor(grpcv2): remove filesystem branch from discoverServices
Filesystem mode never flows through discoverServices — it uses the
two-phase discoverServiceNames + discoverMethodsForServices path.
Remove the dead branch and add a comment documenting the filesystem
flow for clarity.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs(grpcv2): add comment documenting test connection behavior per mode
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(grpcv2): add TCP connectivity check for filesystem mode test connection
Filesystem mode now falls through to checkFirstServiceConnection (waitForReady)
like reflection and URL modes, instead of returning early after proto parsing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* cleanup(DynamicForm): remove unused snake_case prop aliases for isMulti and autoFetch
No plugin manifest uses is_multi or auto_fetch — the gRPC v2 manifest
(the only consumer of these props) uses camelCase exclusively, and there
is no transformation layer in the pipeline.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(DynamicSelector): suppress noAccessError flash during loading
The no-access warning and red border briefly flashed on page reload
because validateSelectedValue ran with an empty array before the
fetch completed. Gate both on !isLoading so they only appear after
data is actually loaded.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(DynamicSelector): skip cache validation for autoFetch on unrelated prop changes
When autoFetch is enabled, cache is never persisted to options (to avoid
"Unsaved Changes"). So every time selectedDataSource changes for
unrelated reasons (e.g. title edit), the cache-checking useEffect finds
no cache and calls validateSelectedValue([]), falsely triggering the
no-access warning. Skip this effect for autoFetch since it has its own
dedicated fetch/validation lifecycle.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(grpcv2): remove QueryResult wrapping from plugin invokeMethod returns
grpcv2 plugin methods (discoverServiceNames, discoverMethodsForServices)
were returning QueryResult-wrapped responses which got double-wrapped by
DataSourcesService.invokeMethod, causing GRPCv2Component to crash with
"servicesData.services.map is not a function" when opening filesystem
proto queries.
Plugin invokeMethod now returns raw data (arrays) instead of QueryResult
objects. The server's invokeMethod always wraps with { status: 'ok', data }
consistently. DynamicSelector adds an Array.isArray guard for plugins
that return raw arrays vs { data: [...] }.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(DynamicSelector): skip access validation for autoFetch fields
autoFetch fields (e.g. gRPC services) are discovered from proto files,
not OAuth-scoped resources — "no access" warnings don't apply.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor(grpcv2): unify service discovery into single getServiceDefinitions entry point
Consolidate discoverServices, discoverServiceNames, and discoverMethodsForServices
into two clear methods: listServices (lightweight name scan for DS config) and
getServiceDefinitions (full method discovery for query editor, all modes).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(grpcv2): prevent OOM on filesystem test connection and query fallback
Filesystem test connection no longer parses proto files — just counts
them with fast-glob and checks TCP connectivity via a raw gRPC client.
Query execution fallback after server restart now uses the lightweight
protobufjs.parse() scanner instead of the heavy protoLoader.loadSync()
path. Removes two dead functions (discoverServicesIndividually,
discoverServicesUsingFilesystem).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* chore: update version to 3.20.95-lts across all components
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: gsmithun4 <gsmithun4@gmail.com>
* Feat: Dynamic Selector (#14685)
* feat: introduce the dynamic-selector abstracted component with support for caching dependent dropdowns
* feat: introduce fx toggle option to enable fx editor in the dynamic-selector component
* feat: set `fxEnabled` prop default to `false` in DynamicSelector.
* fix(DynamicForm): fix fxEnabled prop handling to support snake_case
* refactor: rename variables and clean code
* refactor: rename cache key from `__default` to `nonDependentCache` in DynamicSelector.
* feat: Simplify dynamic selector data handling by removing transformation logic.
* refactor: simplify DynamicSelector error log by removing data source ID.
* fix: Throw an error when multi-user authentication is enabled but no user ID is found.
* refactor: rename iteration variables for improved readability
* perf: memoize composite dependency key calculation using `useMemo` hook.
* refactor: simplify `isFxMode` state initialization by removing dynamic value checks and `useEffect`
* refactor: remove unused `responsePath` prop from `DynamicForm` component
* refactor(DynamicForm): remove unused `rest` prop from `getElementProps`.
* fix(DynamicForm): fix support for snake and camel case props
* feat: Add support for passing arguments when invoking data source methods.
* Feat/googlesheets-v2 plugin (#2)
* GoogleSheets v2
* Changes in Operations
* feat: introduce the dynamic-selector abstracted component with support for caching dependent dropdowns
* feat: introduce fx toggle option to enable fx editor in the dynamic-selector component
* feat: set `fxEnabled` prop default to `false` in DynamicSelector.
* Error Standardization
* fix(DynamicForm): fix fxEnabled prop handling to support snake_case
* refactor: rename variables and clean code
* refactor: rename cache key from `__default` to `nonDependentCache` in DynamicSelector.
* feat: Simplify dynamic selector data handling by removing transformation logic.
* refactor: simplify DynamicSelector error log by removing data source ID.
* fix: Throw an error when multi-user authentication is enabled but no user ID is found.
* refactor: rename iteration variables for improved readability
* perf: memoize composite dependency key calculation using `useMemo` hook.
* refactor: simplify `isFxMode` state initialization by removing dynamic value checks and `useEffect`
* refactor: remove unused `responsePath` prop from `DynamicForm` component
* refactor(DynamicForm): remove unused `rest` prop from `getElementProps`.
* fix(DynamicForm): fix support for snake and camel case props
* feat: Add support for passing arguments when invoking data source methods.
* feat: Integrate the dynamic-selector component to the googlesheetsv2 datasource
---------
Co-authored-by: Pratush Sinha <pratushsinha619@gmail.com>
Co-authored-by: Pratush <pratush@Pratushs-MacBook-Pro.local>
* fix: correct FxButton import path
* Bug fixes
* ui-fixes
* authenticate button
* authenticate button design
* bug fixes
* Pass ENV ID to DynamicForm
* refresh token fixed
* added helper
* query error from invoke method
* Fix/Googlesheets v2 bug fixes (#15043)
* fix: reduce font size of googlesheets authorize description
* fix: update labels
* fix: replace legacy googlesheets with v2 in commonly used
* fix: address review comments
* save button (#15035)
* save button
* sheet required
* conditional connect
* authUrl Fixes
* authUrl Query Fix
* dependency fixed (#15083)
* chore: bump version to 3.20.80-lts across all modules
---------
Co-authored-by: Pratush Sinha <pratushsinha619@gmail.com>
Co-authored-by: Pratush <pratush@Pratushs-MacBook-Pro.local>
Co-authored-by: Ganesh Kumar <ganesh8056234@gmail.com>
Co-authored-by: Rudhra Deep Biswas <rudra21ultra@gmail.com>
Co-authored-by: abhijeet760 <abhijeet@tooljet.com>
Co-authored-by: Rudhra Deep Biswas <98055396+rudeUltra@users.noreply.github.com>
Co-authored-by: Sahil Dewangan <123866478+sahil7303@users.noreply.github.com>
Co-authored-by: gsmithun4 <gsmithun4@gmail.com>
* PostgreSQL query level timeout implementation
* for query without parameters query level timeout has been updated
* Query level timeout at Run Query endpoint
* label for timeout is updated
* Timeout is applied at run query level
* Method name has been modified
* ref updated
* Error message modified
* Abort controller is abstracted
---------
Co-authored-by: gsmithun4 <gsmithun4@gmail.com>
- Updated `AbilityGuard` to utilize `TransactionLogger` for logging execution time and errors.
- Enhanced `ResponseInterceptor` to include transaction metadata in logs.
- Modified `QueryAuthGuard`, `ValidateQueryAppGuard`, and `ValidateQuerySourceGuard` to log completion times and transaction IDs.
- Introduced `TransactionLogger` service for structured logging with transaction context.
- Added transaction ID and route information to request context in `RequestContextMiddleware`.
- Updated `JwtStrategy` to log validation completion times.
- Refactored logging configuration in `AppModuleLoader` to support pretty printing in non-production environments.
- Removed console logs in favor of structured logging for better traceability.
* ee commit
* merge commit
* feat: updated openapi operation component
* updated query operation spectype
* fix: updated query dropdown style
* feat: config dropdown update
* feat: add Gmail plugin with API integration and initial setup
* refactor: enhance type definitions
* refactor: clean up code and refactor variable names
* fix: update Gmail OAuth scope to allow full access to Gmail
* feat: standardize error handling for Gmail plugin
* fix: include oauth_type handling in Gmail plugin for cloud environment
* fix: update spec_url for Gmail operations
* refactor: remove unused fields in gmail manifest.json
* fix: update Content-Type header to application/x-www-form-urlencoded for token requests
* feat: add environment variable prefix for Gmail in OAuth handling
* fix: remove encryption requirement for client_id in Gmail manifest
* fix: update Gmail plugin to use form data for token requests and simplify response handling
* fix: add Gmail to OAuth data sources in DataSourceManager
* fix: encode path parameters in Gmail plugin URL construction
* fix: add back margin to Client ID label in CommonOAuthFields component
* fix: adjust width of input field in RenderParameterFields for better alignment
* fix: set response type to 'json' in requestOptions for Gmail service
---------
Co-authored-by: Devanshu Gupta <devanshuguptaknp@gmail.com>
* feat: Add new gRPC v2 plugin
- Enhanced DataSourcesController to support invoking methods on data sources.
- Introduced InvokeDataSourceMethodDto for method invocation requests.
- Added WhitelistPluginGuard to restrict method invocation based on data source kind.
- Updated IDataSourcesController and IDataSourcesService interfaces to include invoke method functionality.
- Implemented invokeMethod in DataSourcesService to handle method calls for gRPC v2.
- Added method whitelisting for gRPC v2 in the service layer.
* refactor: invokeMethod to use method dispatch pattern
* fix: improve error handling in testConnection method
* Apply suggestion from @Copilot
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Apply suggestion from @Copilot
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Apply suggestion from @Copilot
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* refactor: update types and interface
* fix: remove unnecessary border styles for improved UI consistency
* refactor: simplify error handling
- Introduced a new SCSS file for styling the gRPC v2 query editor components.
- Styled request sections, server URL input, dropdown menus, and method buttons for better user experience.
refactor(grpcv2): enhance error handling and type safety
- Updated error handling in gRPC query service to use a new `toError` utility function for consistent error conversion.
- Improved type definitions for gRPC client and service methods to ensure better type safety.
- Refactored method existence validation and gRPC call execution to handle errors more gracefully.
fix(grpcv2): improve service discovery and proto file loading
- Enhanced service discovery logic to handle reflection and proto file clients more robustly.
- Added checks for valid service constructors and improved error messages for better debugging.
- Updated the `loadProtoFromRemoteUrl` function to handle HTTP errors more effectively.
chore(grpcv2): add utility functions for type checks
- Introduced utility functions `isRecord`, `hasProperty`, and `toError` for better type checking and error handling throughout the codebase.
* feat: add LegacyBanner component for gRPC legacy tag display
* fix: styling changes
* fix: correct text in LegacyBanner component
* feat: enhance GRPCv2 component with request handling and state management improvements
* refactor: update metadata handling in GRPCv2 component and service
* refactor: update GRPCv2 component to use raw_message instead of requestData
* fix: Styling issues and labels
* refactor: gRPC test connection checks for proto file and url
* fix: improve error handling in service discovery
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Enhanced rest api body to accept raw input instead of raw json.
* Changed content type from application/json to text/json and changed copywrite to RAW.
* Changed rest api body toggle label from 'RAW' to 'Raw'.
* Added request label for static REST API data source.
* Fixed issue where GET query failed since body was undefined.
* Integrated json_body to add backward compatibility.
* Removed console logs.
* Added support for 'text/json' type in checkIfContentTypeIsJson function.
* Made changes according to new frontend architecture in v3.
* Fixed request URL field overflow issue.
---------
Co-authored-by: Akshay Sasidharan <akshaysasidharan93@gmail.com>
* Add cookies parameter to querybuilder frontend
* Add cookies parameter to datasource page
* Add cookies to the request headers in backend
* Change return type of sanitizeCookies function
* Change empty state styling in query-builder
* Add style changes for button
* fix: rounded corners in border for key field in rest api datasource
---------
Co-authored-by: Abd-Rahman-1999 <s.rahmanabd1999@gmail.com>
* events should be synced for multi-edit
* remove console
* removes db constraints for layouts and handles corrupted apps created from prev migrations
* Revert "removes db constraints for layouts and handles corrupted apps created from prev migrations"
This reverts commit 10a307118b.
* removing constraints for CE
* bumped the patched version ~ 2.26.3
* fixes: import/export general styles for components
* fixes: viewer crash on adding plugin as gds due to accessing camelised data
* fixes: plugin queries gds
* preserve duplicate search params on restapi
* preserve duplicate params in query manager params fields
* fixes: edge cases where undo of some components crashes the widget
---------
Co-authored-by: Akshay Sasidharan <akshaysasidharan93@gmail.com>
* Implemented multiple access token feature
- working on refresh token case
* worked on refresh token flow
* added multiple token ability to openapi plugin too
- fixed some bugs
* changed tokenData to token_data
- fixed some issues
* added user type with user id
* changed user type
* Rewrote some function
- added switch for enabling and disable multi auth
- fixed some bugs
- refactored the code
* fixed view app issue
* Fixed public app issue
* cleaning some code
* (public_app) add a check to avoid oauth login redirect when there is no access token
* reverted all changes of openapi (temporary)
- will add multi token functionality once done with restapi
* fixed a bug
* fixed a bug
* refactored some code
* changed the switch text
* pr changes
* changed token_data back to tokenData
* cleaning code
* removed token data from datasources query
* removed some lines
* added a comment
* merge develop
* Add eslint dependencies, configs and scripts to plugins project
* run lint with Github action
* ignore tests and dist folders
* run eslint with --fix and manual fixes, renamed __tests_ to __tests__
* add plugins packages folder to lint-staged config
* fix lint issue
* implement google sheet oauth token refresh flow
* format lint
* make use of constructor name as instanceof fails
* remove unused import
* force consent to get refresh token on googlesheets ds