Migrate MicrosoftAPIRefreshAccessTokenService to @azure/msal-node

[neo773]

No description provided.

[greptile-apps]

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​graphql-codegen/​typescript-operations@​3.0.4
	@​blocknote/​server-util@​0.31.1
	@​esbuild-plugins/​node-modules-polyfill@​0.2.2
	@​graphql-codegen/​typescript-react-apollo@​3.3.7
	@​graphql-codegen/​client-preset@​4.3.3
	@​blocknote/​mantine@​0.31.1
	@​graphql-codegen/​typescript@​3.0.4
	@​babel/​preset-react@​7.26.3
	@​blocknote/​xl-docx-exporter@​0.31.1
	@​babel/​preset-typescript@​7.24.7
	@​ai-sdk/​react@​2.0.52
	@​emotion/​is-prop-valid@​1.3.0
	@​blocknote/​xl-pdf-exporter@​0.31.1
	@​ai-sdk/​provider-utils@​3.0.9
	@​calcom/​embed-react@​1.5.3
	@​floating-ui/​react@​0.24.8
	@​graphql-codegen/​cli@​3.3.1
	@​envelop/​core@​4.0.3
	@​dagrejs/​dagre@​1.1.3
	@​babel/​preset-env@​7.26.9
	@​cyntler/​react-doc-viewer@​1.17.0
	@​codesandbox/​sandpack-react@​2.18.2
	@​babel/​core@​7.28.5 ⏵ 7.28.0			+1
	@​blocknote/​react@​0.31.1
	@​emotion/​styled@​11.13.0
	@​graphiql/​plugin-explorer@​1.0.4
	@​docsearch/​react@​3.6.2
	@​hello-pangea/​dnd@​16.6.0
	@​ai-sdk/​xai@​2.0.43
	@​emotion/​react@​11.13.0
	@​ai-sdk/​anthropic@​2.0.17
	@​ai-sdk/​openai@​2.0.30
	@​e2b/​code-interpreter@​1.5.1
See 14 more rows in the dashboard

View full report

[cubic-dev-ai]

1 issue found across 4 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/twenty-server/src/modules/connected-account/refresh-tokens-manager/drivers/microsoft/services/microsoft-api-refresh-tokens.service.ts">

<violation number="1" location="packages/twenty-server/src/modules/connected-account/refresh-tokens-manager/drivers/microsoft/services/microsoft-api-refresh-tokens.service.ts:5">
P1: Using `import type` for `TwentyConfigService` may break NestJS dependency injection. Type-only imports are erased at compile time, which can prevent TypeScript from emitting the design-time type metadata that NestJS needs for constructor injection. Use a regular import to match the pattern in the Google service.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P1: Using import type for TwentyConfigService may break NestJS dependency injection. Type-only imports are erased at compile time, which can prevent TypeScript from emitting the design-time type metadata that NestJS needs for constructor injection. Use a regular import to match the pattern in the Google service.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At packages/twenty-server/src/modules/connected-account/refresh-tokens-manager/drivers/microsoft/services/microsoft-api-refresh-tokens.service.ts, line 5:

<comment>Using `import type` for `TwentyConfigService` may break NestJS dependency injection. Type-only imports are erased at compile time, which can prevent TypeScript from emitting the design-time type metadata that NestJS needs for constructor injection. Use a regular import to match the pattern in the Google service.</comment>

<file context>
@@ -1,67 +1,53 @@
+import { ConfidentialClientApplication } from &#39;@azure/msal-node&#39;;
 
-import { TwentyConfigService } from &#39;src/engine/core-modules/twenty-config/twenty-config.service&#39;;
+import type { TwentyConfigService } from &#39;src/engine/core-modules/twenty-config/twenty-config.service&#39;;
 import {
   ConnectedAccountRefreshAccessTokenException,
</file context>

Suggested change

	import type { TwentyConfigService } from 'src/engine/core-modules/twenty-config/twenty-config.service';
	import { TwentyConfigService } from 'src/engine/core-modules/twenty-config/twenty-config.service';

✅ Addressed in d4ecb69

[neo773]

While this is not ideal, it should do for now as the serialized token cache is an complex object, and it's not backwards compatible with our current approach which only stores the raw refresh_token, this would involve creating migration strategies and the other alternative, our old approach (raw HTTP request) wasn't that good either

[github-actions]

🚀 Preview Environment Ready!

Your preview environment is available at: http://bore.pub:37734

This environment will automatically shut down when the PR is closed or after 5 hours.

[FelixMalfait]

Why do we force cache?

[neo773]

During my testing it didn't store the token in TokenCache if this was off

[charlesBochet]

@neo773
This does not explain the why here:
Per documentation: Force MSAL to cache a refresh token flow response when there is no account in the cache. Used for migration scenarios.

Why do we need it?

[FelixMalfait]

Since this is risky maybe give a bit more details in your PR description, thanks!

[neo773]

I did add the info here
#16954 (comment)

TLDR;
Microsoft wants you to offload the token lifecycle to their new SDK with a cache storage layer for persisting data.
This data is a proprietary JSON blob and not compatible with our existing schema as it involves heavy changes.

[charlesBochet]

I'm sorry, I don't understand the rational behind this PR, what are we migrating? why? could you add more details?

[FelixMalfait]

LGTM but please add details before merging to make sure everything is well considered thanks!

[charlesBochet]

Codewise it works but I don't get this change, please add more details why we need this

[twenty-eng-sync]

Hey @neo773! After you've done the QA of your Pull Request, you can mark it as done here. Thank you!

[twenty-eng-sync]

Hey @neo773! After you've done the QA of your Pull Request, you can mark it as done here. Thank you!