Batch 7.0: Fix Zoho OAuth Token Endpoint Bug #74

Closed
opened 2026-05-17 18:53:54 -05:00 by null · 0 comments
Owner

Batch 7.0 — Fix Zoho OAuth Token Endpoint Bug

Phase: 7 — Zoho CRM Integration
Agent: Neo (backend)
Priority: P1 High — critical bug, Zoho integration will fail in production without this

Problem

The refresh token POST currently goes to {ZOHO_API_DOMAIN}/oauth/v2/token but Zoho requires the token endpoint to be on the accounts server (accounts.zoho.com for US, accounts.zoho.eu for EU), NOT the API domain (www.zohoapis.com). This is a bug that will prevent token refresh from working.

Tasks

  • Add ZOHO_ACCOUNTS_DOMAIN env var (default: https://accounts.zoho.com)
  • Change getZohoAccessToken() to use accounts domain, not API domain
  • Remove unnecessary redirect_uri from refresh token request
  • Add retry logic (1 retry with backoff) on token refresh failure
  • Update Dockerfile and .env.example with new env var
  • Test with ZOHO_ENABLED=false first (verify no regressions)

Files to modify

  • server/index.js — Token endpoint fix, remove redirect_uri, add retry
  • Dockerfile — Add ZOHO_ACCOUNTS_DOMAIN env var
  • .env.example — Add ZOHO_ACCOUNTS_DOMAIN

Acceptance criteria

  • Token refresh URL uses ZOHO_ACCOUNTS_DOMAIN, not ZOHO_API_DOMAIN
  • No redirect_uri in refresh token request body
  • Retry on failure (1 attempt, exponential backoff)
  • App starts fine with ZOHO_ENABLED=false
  • No regressions in form submission
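The token refresh the tasks above describe, as an added example that is not the project's `server/index.js`: the URL is built from `ZOHO_ACCOUNTS_DOMAIN`, the body omits `redirect_uri`, and a failure gets one retry after a backoff. The credential variable names, the injectable `fetchImpl` and `sleep` parameters, the 500 ms backoff and the https check are assumptions.

```javascript
// Added example. ZOHO_REFRESH_TOKEN, ZOHO_CLIENT_ID and ZOHO_CLIENT_SECRET
// are assumed variable names; the issue only names ZOHO_ACCOUNTS_DOMAIN.
const DEFAULT_ACCOUNTS_DOMAIN = 'https://accounts.zoho.com';
const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Build the refresh request. The URL is derived from ZOHO_ACCOUNTS_DOMAIN only
// (ZOHO_API_DOMAIN is never read) and the body carries no redirect_uri.
function buildRefreshRequest(env) {
  const base = new URL(env.ZOHO_ACCOUNTS_DOMAIN || DEFAULT_ACCOUNTS_DOMAIN);
  // The body holds the client secret and refresh token, so refuse cleartext.
  if (base.protocol !== 'https:') {
    throw new Error('ZOHO_ACCOUNTS_DOMAIN must be an https URL');
  }
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: env.ZOHO_REFRESH_TOKEN,
    client_id: env.ZOHO_CLIENT_ID,
    client_secret: env.ZOHO_CLIENT_SECRET,
  });
  return { url: new URL('/oauth/v2/token', base).toString(), body };
}

// One initial attempt plus one retry after a backoff delay.
// fetchImpl and sleep are injectable so the logic can be tested offline.
async function getZohoAccessToken(env, opts = {}) {
  const { fetchImpl = globalThis.fetch, sleep = defaultSleep, backoffMs = 500 } = opts;
  const { url, body } = buildRefreshRequest(env);
  let lastError;
  for (let attempt = 0; attempt < 2; attempt++) {
    if (attempt > 0) await sleep(backoffMs * 2 ** (attempt - 1));
    try {
      const res = await fetchImpl(url, { method: 'POST', body });
      const data = await res.json();
      // Require an access_token in the body; do not trust the status alone.
      if (res.ok && data.access_token) return data.access_token;
      // Report status and error code only, never the request or response body.
      lastError = new Error(`Zoho token refresh failed: HTTP ${res.status} ${data.error || ''}`.trim());
    } catch (err) {
      lastError = err;
    }
  }
  throw lastError;
}
```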
null added the security, backend, phase-7 labels 2026-05-17 18:53:54 -05:00
null added the P1 High label 2026-05-17 18:55:32 -05:00
null closed this issue 2026-05-17 19:25:30 -05:00
Reference: null/Queue-North-Website#74