Bug: ZOHO_CLIENT_ID missing from credential check in forwardToZoho #57

Closed
opened 2026-05-17 17:24:39 -05:00 by null · 0 comments
Owner

Problem

In server/index.js, the guard condition for skipping Zoho forwarding (around line ~293) only checks ZOHO_CLIENT_SECRET and ZOHO_REFRESH_TOKEN:

```js
if (!ZOHO_CLIENT_SECRET || !ZOHO_REFRESH_TOKEN) {
  log.warn('[Zoho] Skipping forwarding - ZOHO_CLIENT_SECRET or ZOHO_REFRESH_TOKEN not configured')
  return
}
```

But ZOHO_CLIENT_ID defaults to empty string '' (falsy in a boolean context but NOT caught by the check). If someone enables Zoho and provides ZOHO_CLIENT_SECRET and ZOHO_REFRESH_TOKEN but forgets ZOHO_CLIENT_ID, the code will proceed to call getZohoAccessToken() with an empty client_id, which will fail silently.

Fix

Add ZOHO_CLIENT_ID to the guard:

```js
if (!ZOHO_CLIENT_ID || !ZOHO_CLIENT_SECRET || !ZOHO_REFRESH_TOKEN) {
  log.warn('[Zoho] Skipping forwarding - ZOHO_CLIENT_ID, ZOHO_CLIENT_SECRET, or ZOHO_REFRESH_TOKEN not configured')
  return
}
```

Also consider normalizing the defaults: all three should default to null or all to empty string, not a mix.

Severity

Low — Zoho is currently disabled. But this will bite when it's enabled.

null added the P3 Low, bug, backend labels 2026-05-17 17:30:44 -05:00
null closed this issue 2026-05-17 17:47:03 -05:00
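
One way to apply both suggestions from the issue (check all three variables, normalize their defaults), as an added example that is not code from the repository. The helper names `loadZohoConfig`, `missingZohoVars` and `shouldForwardToZoho`, the `log` object shape and the sample values are assumptions; only the three variable names and the log prefix come from the issue.

```javascript
// Added example: helper names are hypothetical, not from server/index.js.
const REQUIRED_ZOHO_VARS = ['ZOHO_CLIENT_ID', 'ZOHO_CLIENT_SECRET', 'ZOHO_REFRESH_TOKEN']

// Normalize every credential the same way: unset, null, '' and
// whitespace-only values all become null, so the defaults are never a mix.
function loadZohoConfig(env) {
  const config = {}
  for (const name of REQUIRED_ZOHO_VARS) {
    const raw = env[name]
    const value = typeof raw === 'string' ? raw.trim() : ''
    config[name] = value === '' ? null : value
  }
  return config
}

// Return the names (never the values) of the credentials that are missing.
function missingZohoVars(config) {
  return REQUIRED_ZOHO_VARS.filter((name) => config[name] === null)
}

// Guard in the shape of the one in the issue, driven by the list above so a
// required variable cannot be left out of the condition or the log message.
function shouldForwardToZoho(config, log) {
  const missing = missingZohoVars(config)
  if (missing.length > 0) {
    log.warn(`[Zoho] Skipping forwarding - not configured: ${missing.join(', ')}`)
    return false
  }
  return true
}

// Constructed sample environment: the case from the issue, with the
// client ID forgotten and the other two values set to placeholders.
const sampleEnv = { ZOHO_CLIENT_SECRET: 'example-secret', ZOHO_REFRESH_TOKEN: 'example-refresh' }
const warnings = []
const sampleLog = { warn: (msg) => warnings.push(msg) }
const sampleResult = shouldForwardToZoho(loadZohoConfig(sampleEnv), sampleLog)
console.log(sampleResult, warnings)
```

Because the warning is built from the list of missing names, it identifies which variable to set without writing any secret value to the log.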
Reference: null/Queue-North-Website#57