Merge pull request #2954 from Infisical/fix/addressed-reported-migration-related-ui-issues

fix: resolved conditions permission not getting added from new policy…

backend/src/ee/routes/v1/saml-router.ts

@@ -84,7 +84,10 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
                 samlConfig.audience = `spn:${ssoConfig.issuer}`;
               }
             }
-            if (ssoConfig.authProvider === SamlProviders.GOOGLE_SAML) {
+            if (
+              ssoConfig.authProvider === SamlProviders.GOOGLE_SAML ||
+              ssoConfig.authProvider === SamlProviders.AUTH0_SAML
+            ) {
               samlConfig.wantAssertionsSigned = false;
             }
 
@@ -123,7 +126,10 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
               `email: ${email} firstName: ${profile.firstName as string}`
             );
 
-            throw new Error("Invalid saml request. Missing email or first name");
+            throw new BadRequestError({
+              message:
+                "Missing email or first name. Please double check your SAML attribute mapping for the selected provider."
+            });
           }
 
           const userMetadata = Object.keys(profile.attributes || {})

backend/src/ee/services/license/license-service.ts

@@ -246,8 +246,7 @@ export const licenseServiceFactory = ({
   };
 
   const getOrgPlan = async ({ orgId, actor, actorId, actorOrgId, actorAuthMethod, projectId }: TOrgPlanDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
     const plan = await getPlan(orgId, projectId);
     return plan;
   };

backend/src/ee/services/saml-config/saml-config-types.ts

@@ -6,7 +6,8 @@ export enum SamlProviders {
   AZURE_SAML = "azure-saml",
   JUMPCLOUD_SAML = "jumpcloud-saml",
   GOOGLE_SAML = "google-saml",
-  KEYCLOAK_SAML = "keycloak-saml"
+  KEYCLOAK_SAML = "keycloak-saml",
+  AUTH0_SAML = "auth0-saml"
 }
 
 export type TCreateSamlCfgDTO = {

backend/src/server/plugins/serve-ui.ts

@@ -21,6 +21,9 @@ export const registerServeUI = async (
   server.route({
     method: "GET",
     url: "/runtime-ui-env.js",
+    schema: {
+      hide: true
+    },
     handler: (_req, res) => {
       const appCfg = getConfig();
       void res.type("application/javascript");
@@ -43,12 +46,19 @@ export const registerServeUI = async (
       wildcard: false
     });
 
-    server.get("/*", (request, reply) => {
+    server.route({
-      if (request.url.startsWith("/api")) {
+      method: "GET",
-        reply.callNotFound();
+      url: "/*",
-        return;
+      schema: {
+        hide: true
+      },
+      handler: (request, reply) => {
+        if (request.url.startsWith("/api")) {
+          reply.callNotFound();
+          return;
+        }
+        void reply.sendFile("index.html");
       }
-      void reply.sendFile("index.html");
     });
   }
 };

docs/documentation/platform/scim/azure.mdx

@@ -15,7 +15,7 @@ Prerequisites:
 
 <Steps>
     <Step title="Create a SCIM token in Infisical">
-        In Infisical, head to your Organization Settings > Authentication > SCIM Configuration and
+        In Infisical, head to your Organization Settings > Security > SCIM Configuration and
         press the **Enable SCIM provisioning** toggle to allow Azure to provision/deprovision users for your organization.
         
         ![SCIM enable provisioning](/images/platform/scim/scim-enable-provisioning.png)

docs/documentation/platform/scim/jumpcloud.mdx

@@ -15,7 +15,7 @@ Prerequisites:
 
 <Steps>
     <Step title="Create a SCIM token in Infisical">
-        In Infisical, head to your Organization Settings > Authentication > SCIM Configuration and
+        In Infisical, head to your Organization Settings > Security > SCIM Configuration and
         press the **Enable SCIM provisioning** toggle to allow JumpCloud to provision/deprovision users and user groups for your organization.
         
         ![SCIM enable provisioning](/images/platform/scim/scim-enable-provisioning.png)

docs/documentation/platform/scim/okta.mdx

@@ -15,7 +15,7 @@ Prerequisites:
 
 <Steps>
     <Step title="Create a SCIM token in Infisical">
-        In Infisical, head to your Organization Settings > Authentication > SCIM Configuration and
+        In Infisical, head to your Organization Settings > Security > SCIM Configuration and
         press the **Enable SCIM provisioning** toggle to allow Okta to provision/deprovision users and user groups for your organization.
         
         ![SCIM enable provisioning](/images/platform/scim/scim-enable-provisioning.png)

docs/documentation/platform/sso/auth0-saml.mdx

@@ -0,0 +1,93 @@
+---
+title: "Auth0 SAML"
+description: "Learn how to configure Auth0 SAML for Infisical SSO."
+---
+
+<Info>
+  Auth0 SAML SSO feature is a paid feature. If you're using Infisical Cloud,
+  then it is available under the **Pro Tier**. If you're self-hosting Infisical,
+  then you should contact sales@infisical.com to purchase an enterprise license
+  to use it.
+</Info>
+
+<Steps>
+   <Step title="Prepare the SAML SSO configuration in Infisical">
+        In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Auth0, then click **Connect** again.
+
+        Next, note the **Application Callback URL** and **Audience** to use when configuring the Auth0 SAML application.
+
+        ![Auth0 SAML initial configuration](../../../images/sso/auth0-saml/init-config.png)
+
+   </Step>
+   <Step title="Create a SAML application in Auth0">
+        2.1. In your Auth0 account, head to Applications and create an application.
+        
+        ![Auth0 SAML app creation](../../../images/sso/auth0-saml/create-application.png)
+        
+        Select **Regular Web Application** and press **Create**.
+        
+        ![Auth0 SAML app creation](../../../images/sso/auth0-saml/create-application-2.png)
+        
+        2.2. In the Application head to Settings > Application URIs and add the **Application Callback URL** from step 1 into the **Allowed Callback URLs** field.
+        
+        ![Auth0 SAML allowed callback URLs](../../../images/sso/auth0-saml/auth0-config.png)
+        
+        2.3. In the Application head to Addons > SAML2 Web App and copy the **Issuer**, **Identity Provider Login URL**, and **Identity Provider Certificate** from the **Usage** tab.
+        
+        ![Auth0 SAML config](../../../images/sso/auth0-saml/auth0-config-2.png)
+        
+        2.4. Back in Infisical, set **Issuer**, **Identity Provider Login URL**, and **Certificate** to the corresponding items from step 2.3.
+        
+        ![Auth0 SAML Infisical config](../../../images/sso/auth0-saml/infisical-config.png)
+        
+        2.5. Back in Auth0, in the **Settings** tab, set the **Application Callback URL** to the **Application Callback URL** from step 1
+        and update the **Settings** field with the JSON under the picture below (replacing `<audience-from-infisical>` with the **Audience** from step 1).
+        
+        ![Auth0 SAML config](../../../images/sso/auth0-saml/auth0-config-3.png)
+        
+        ```json
+        {
+        "audience": "<audience-from-infisical>",
+        "mappings": {
+            "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email",
+            "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstName",
+            "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastName"
+        },
+        "signatureAlgorithm": "rsa-sha256",
+        "digestAlgorithm": "sha256",
+        "signResponse": true
+        }
+        ```
+
+        Click **Save**.
+    </Step>
+    <Step title="Enable SAML SSO in Infisical">
+        Enabling SAML SSO allows members in your organization to log into Infisical via Auth0.
+
+        ![Auth0 SAML enable](../../../images/sso/auth0-saml/enable-saml.png)
+    </Step>
+    <Step title="Enforce SAML SSO in Infisical">
+        Enforcing SAML SSO ensures that members in your organization can only access Infisical
+        by logging into the organization via Auth0.
+
+        To enforce SAML SSO, you're required to test out the SAML connection by successfully authenticating at least one Auth0 user with Infisical;
+        Once you've completed this requirement, you can toggle the **Enforce SAML SSO** button to enforce SAML SSO.
+    </Step>
+
+</Steps>
+
+<Tip>
+    If you are only using one organization on your Infisical instance, you can configure a default organization in the [Server Admin Console](../admin-panel/server-admin#default-organization) to expedite SAML login.
+</Tip>
+
+<Note>
+    If you're configuring SAML SSO on a self-hosted instance of Infisical, make
+    sure to set the `AUTH_SECRET` and `SITE_URL` environment variable for it to
+    work:
+    <div class="height:1px;"/>
+    - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
+    can be a random 32-byte base64 string generated with `openssl rand -base64
+    32`.
+    <div class="height:1px;"/>
+    - `SITE_URL`: The absolute URL of your self-hosted instance of Infisical including the protocol (e.g. https://app.infisical.com)
+</Note>

docs/documentation/platform/sso/azure.mdx

@@ -12,7 +12,7 @@ description: "Learn how to configure Microsoft Entra ID for Infisical SSO."
 
 <Steps>
    <Step title="Prepare the SAML SSO configuration in Infisical">
-      In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
+      In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Azure / Entra, then click **Connect** again.
 
       Next, copy the **Reply URL (Assertion Consumer Service URL)** and **Identifier (Entity ID)** to use when configuring the Azure SAML application.
 

docs/documentation/platform/sso/google-saml.mdx

@@ -12,7 +12,7 @@ description: "Learn how to configure Google SAML for Infisical SSO."
 
 <Steps>
    <Step title="Prepare the SAML SSO configuration in Infisical">
-        In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
+        In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Google, then click **Connect** again.
 
         Next, note the **ACS URL** and **SP Entity ID** to use when configuring the Google SAML application.
 

docs/documentation/platform/sso/jumpcloud.mdx

@@ -12,7 +12,7 @@ description: "Learn how to configure JumpCloud SAML for Infisical SSO."
 
 <Steps>
    <Step title="Prepare the SAML SSO configuration in Infisical">
-      In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
+      In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select JumpCloud, then click **Connect** again.
 
       Next, copy the **ACS URL** and **SP Entity ID** to use when configuring the JumpCloud SAML application.
 

docs/documentation/platform/sso/keycloak-saml.mdx

@@ -12,7 +12,7 @@ description: "Learn how to configure Keycloak SAML for Infisical SSO."
 
 <Steps>
    <Step title="Prepare the SAML SSO configuration in Infisical">
-      In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Manage**.
+      In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Keycloak, then click **Connect** again.
       
       ![Keycloak SAML organization security section](../../../images/sso/keycloak/org-security-section.png)
       

docs/documentation/platform/sso/okta.mdx

@@ -12,7 +12,7 @@ description: "Learn how to configure Okta SAML 2.0 for Infisical SSO."
 
 <Steps>
    <Step title="Prepare the SAML SSO configuration in Infisical">
-      In Infisical, head to your Organization Settings > Authentication > SAML SSO Configuration and select **Set up SAML SSO**.
+      In Infisical, head to Organization Settings > Security and click **Connect** for SAML under the Connect to an Identity Provider section. Select Okta, then click **Connect** again.
       
       Next, copy the **Single sign-on URL** and **Audience URI (SP Entity ID)** to use when configuring the Okta SAML 2.0 application.
       ![Okta SAML initial configuration](../../../images/sso/okta/init-config.png)

docs/documentation/platform/sso/overview.mdx

@@ -28,6 +28,7 @@ Infisical supports these and many other identity providers:
 - [JumpCloud SAML](/documentation/platform/sso/jumpcloud)
 - [Keycloak SAML](/documentation/platform/sso/keycloak-saml)
 - [Google SAML](/documentation/platform/sso/google-saml)
+- [Auth0 SAML](/documentation/platform/sso/auth0-saml)
 - [Keycloak OIDC](/documentation/platform/sso/keycloak-oidc)
 - [Auth0 OIDC](/documentation/platform/sso/auth0-oidc)
 - [General OIDC](/documentation/platform/sso/general-oidc)

docs/mint.json

@@ -248,6 +248,7 @@
             "documentation/platform/sso/jumpcloud",
             "documentation/platform/sso/keycloak-saml",
             "documentation/platform/sso/google-saml",
+            "documentation/platform/sso/auth0-saml",
             "documentation/platform/sso/keycloak-oidc",
             "documentation/platform/sso/auth0-oidc",
             "documentation/platform/sso/general-oidc"

frontend/src/pages/auth/LoginPage/components/InitialStep/InitialStep.tsx

@@ -48,7 +48,8 @@ export const InitialStep = ({ setStep, email, setEmail, password, setPassword }:
     const redirectUrl = `/api/v1/sso/redirect/saml2/organizations/${orgSlug}${
       callbackPort ? `?callback_port=${callbackPort}` : ""
     }`;
-    navigate({ to: redirectUrl });
+
+    window.location.assign(redirectUrl);
   };
 
   const redirectToOidc = (orgSlug: string) => {
@@ -56,7 +57,8 @@ export const InitialStep = ({ setStep, email, setEmail, password, setPassword }:
     const redirectUrl = `/api/v1/sso/oidc/login?orgSlug=${orgSlug}${
       callbackPort ? `&callbackPort=${callbackPort}` : ""
     }`;
-    navigate({ to: redirectUrl });
+
+    window.location.assign(redirectUrl);
   };
 
   useEffect(() => {

frontend/src/pages/organization/AccessManagementPage/components/OrgGroupsTab/components/OrgGroupsSection/OrgGroupsSection.tsx

@@ -27,7 +27,7 @@ export const OrgGroupsSection = () => {
     if (!subscription?.groups) {
       handlePopUpOpen("upgradePlan", {
         description:
-          "You can manage users more efficiently with groups if you upgrade your Infisical plan."
+          "You can manage users more efficiently with groups if you upgrade your Infisical plan to an Enterprise license."
       });
     } else {
       handlePopUpOpen("group");

frontend/src/pages/organization/AppConnections/GithubOauthCallbackPage/route.tsx

@@ -5,9 +5,9 @@ import { z } from "zod";
 import { GitHubOAuthCallbackPage } from "./GithubOauthCallbackPage";
 
 const GitHubOAuthCallbackPageQueryParamsSchema = z.object({
-  code: z.string().catch(""),
+  code: z.coerce.string().catch(""),
   state: z.string().catch(""),
-  installation_id: z.coerce.string().catch("")
+  installation_id: z.coerce.string().optional().catch("")
 });
 
 export const Route = createFileRoute(

frontend/src/pages/organization/SettingsPage/components/OrgAuthTab/SSOModal.tsx

@@ -25,7 +25,8 @@ enum AuthProvider {
   AZURE_SAML = "azure-saml",
   JUMPCLOUD_SAML = "jumpcloud-saml",
   KEYCLOAK_SAML = "keycloak-saml",
-  GOOGLE_SAML = "google-saml"
+  GOOGLE_SAML = "google-saml",
+  AUTH0_SAML = "auth0-saml"
 }
 
 const ssoAuthProviders = [
@@ -33,7 +34,8 @@ const ssoAuthProviders = [
   { label: "Azure / Entra SAML", value: AuthProvider.AZURE_SAML },
   { label: "JumpCloud SAML", value: AuthProvider.JUMPCLOUD_SAML },
   { label: "Keycloak SAML", value: AuthProvider.KEYCLOAK_SAML },
-  { label: "Google SAML", value: AuthProvider.GOOGLE_SAML }
+  { label: "Google SAML", value: AuthProvider.GOOGLE_SAML },
+  { label: "Auth0 SAML", value: AuthProvider.AUTH0_SAML }
 ];
 
 const schema = z
@@ -191,6 +193,15 @@ export const SSOModal = ({ popUp, handlePopUpClose, handlePopUpToggle, hideDelet
           issuer: "Issuer",
           issuerPlaceholder: window.origin
         };
+      case AuthProvider.AUTH0_SAML:
+        return {
+          acsUrl: "Application Callback URL",
+          entityId: "Audience",
+          entryPoint: "Identity Provider Login URL",
+          entryPointPlaceholder: "https://xxx.auth0.com/samlp/xxx",
+          issuer: "Issuer",
+          issuerPlaceholder: "urn:xxx-xxx.us.auth0.com"
+        };
       default:
         return {
           acsUrl: "ACS URL",

frontend/src/pages/project/AccessControlPage/components/GroupsTab/components/GroupsSection/GroupsSection.tsx

@@ -33,7 +33,7 @@ export const GroupsSection = () => {
     if (!subscription?.groups) {
       handlePopUpOpen("upgradePlan", {
         description:
-          "You can manage users more efficiently with groups if you upgrade your Infisical plan."
+          "You can manage users more efficiently with groups if you upgrade your Infisical plan to an Enterprise license."
       });
     } else {
       handlePopUpOpen("group");

frontend/src/pages/project/AccessControlPage/components/ProjectRoleListTab/components/ProjectRoleList/ProjectRoleList.tsx

@@ -25,7 +25,7 @@ import { ProjectPermissionActions, ProjectPermissionSub, useWorkspace } from "@a
 import { usePopUp } from "@app/hooks";
 import { useDeleteProjectRole, useGetProjectRoles } from "@app/hooks/api";
 import { TProjectRole } from "@app/hooks/api/roles/types";
-import { RoleModal } from "@app/pages/organization/RoleByIDPage/components";
+import { RoleModal } from "@app/pages/project/RoleDetailsBySlugPage/components/RoleModal";
 
 export const ProjectRoleList = () => {
   const navigate = useNavigate();

frontend/src/pages/project/IdentityDetailsByIDPage/components/IdentityProjectAdditionalPrivilegeSection/IdentityProjectAdditionalPrivilegeModifySection.tsx

@@ -201,7 +201,7 @@ export const IdentityProjectAdditionalPrivilegeModifySection = ({
         `permissions.${selectedSubject}`,
         // eslint-disable-next-line @typescript-eslint/ban-ts-comment
         // @ts-ignore-error akhilmhdh: this is because of ts collision with both
-        [...rootPolicyValue, ...[]],
+        [...rootPolicyValue, {}],
         { shouldDirty: true, shouldTouch: true }
       );
     } else {

frontend/src/pages/project/MemberDetailsByIDPage/components/MemberProjectAdditionalPrivilegeSection/MembershipProjectAdditionalPrivilegeModifySection.tsx

@@ -173,7 +173,7 @@ export const MembershipProjectAdditionalPrivilegeModifySection = ({
         `permissions.${selectedSubject}`,
         // eslint-disable-next-line @typescript-eslint/ban-ts-comment
         // @ts-ignore-error akhilmhdh: this is because of ts collision with both
-        [...rootPolicyValue, ...[]],
+        [...rootPolicyValue, {}],
         { shouldDirty: true, shouldTouch: true }
       );
     } else {

frontend/src/pages/project/RoleDetailsBySlugPage/components/RolePermissionsSection.tsx

@@ -98,7 +98,7 @@ export const RolePermissionsSection = ({ roleSlug, isDisabled }: Props) => {
         `permissions.${selectedSubject}`,
         // eslint-disable-next-line @typescript-eslint/ban-ts-comment
         // @ts-ignore-error akhilmhdh: this is because of ts collision with both
-        [...rootPolicyValue, ...[]],
+        [...rootPolicyValue, {}],
         { shouldDirty: true, shouldTouch: true }
       );
     } else {

frontend/src/pages/secret-manager/integrations/AzureAppConfigurationOauthCallbackPage/route.tsx

@@ -6,7 +6,7 @@ import { AzureAppConfigurationOauthCallbackPage } from "./AzureAppConfigurationO
 
 export const AzureAppConfigurationOauthCallbackPageQueryParamsSchema = z.object({
   state: z.string().catch(""),
-  code: z.string()
+  code: z.coerce.string().catch("")
 });
 
 export const Route = createFileRoute(

frontend/src/pages/secret-manager/integrations/AzureKeyVaultOauthCallbackPage/route.tsx

@@ -6,7 +6,7 @@ import { AzureKeyVaultOauthCallbackPage } from "./AzureKeyVaultOauthCallback";
 
 export const AzureKeyVaultOauthCallbackQueryParamsSchema = z.object({
   state: z.string().catch(""),
-  code: z.string()
+  code: z.coerce.string().catch("")
 });
 
 export const Route = createFileRoute(

frontend/src/pages/secret-manager/integrations/BitbucketOauthCallbackPage/route.tsx

@@ -6,7 +6,7 @@ import { BitbucketOauthCallbackPage } from "./BitbucketOauthCallbackPage";
 
 export const BitbucketOauthCallbackQueryParamsSchema = z.object({
   state: z.string().catch(""),
-  code: z.string()
+  code: z.coerce.string().catch("")
 });
 
 export const Route = createFileRoute(

frontend/src/pages/secret-manager/integrations/GcpSecretManagerOauthCallbackPage/route.tsx

@@ -6,7 +6,7 @@ import { GcpSecretManagerOauthCallbackPage } from "./GcpSecretManagerOauthCallba
 
 export const GcpSecretManagerOAuthCallbackPageQueryParamsSchema = z.object({
   state: z.string().catch(""),
-  code: z.string()
+  code: z.coerce.string().catch("")
 });
 
 export const Route = createFileRoute(

frontend/src/pages/secret-manager/integrations/GithubOauthCallbackPage/route.tsx

@@ -6,8 +6,8 @@ import { GithubOauthCallbackPage } from "./GithubOauthCallbackPage";
 
 export const GithubOAuthCallbackPageQueryParamsSchema = z.object({
   state: z.string().catch(""),
-  installation_id: z.coerce.string().catch(""),
+  installation_id: z.coerce.string().optional().catch(""),
-  code: z.string().catch("")
+  code: z.coerce.string().catch("")
 });
 
 export const Route = createFileRoute(

frontend/src/pages/secret-manager/integrations/GitlabAuthorizePage/GitlabAuthorizePage.tsx

@@ -72,7 +72,7 @@ export const GitlabAuthorizePage = () => {
         >
           <div className="flex flex-row items-center">
             <div className="flex items-center pb-0.5">
-              <img src="/images/integrations/Gitlab.png" height={28} width={28} alt="Gitlab logo" />
+              <img src="/images/integrations/GitLab.png" height={28} width={28} alt="Gitlab logo" />
             </div>
             <span className="ml-2.5">GitLab Integration </span>
             <a

frontend/src/pages/secret-manager/integrations/GitlabConfigurePage/GitlabConfigurePage.tsx

@@ -197,7 +197,7 @@ export const GitlabConfigurePage = () => {
         >
           <div className="flex flex-row items-center">
             <div className="flex items-center pb-0.5">
-              <img src="/images/integrations/Gitlab.png" height={28} width={28} alt="Gitlab logo" />
+              <img src="/images/integrations/GitLab.png" height={28} width={28} alt="Gitlab logo" />
             </div>
             <span className="ml-2.5">GitLab Integration </span>
             <a

frontend/src/pages/secret-manager/integrations/GitlabOauthCallbackPage/route.tsx

@@ -6,7 +6,7 @@ import { GitLabOAuthCallbackPage } from "./GitlabOauthCallbackPage";
 
 export const GitlabOAuthCallbackPageQueryParamsSchema = z.object({
   state: z.string().catch(""),
-  code: z.string()
+  code: z.coerce.string().catch("")
 });
 
 export const Route = createFileRoute(

frontend/src/pages/secret-manager/integrations/HerokuOauthCallbackPage/route.tsx

@@ -6,7 +6,7 @@ import { HerokuOAuthCallbackPage } from "./HerokuOauthCallbackPage";
 
 export const HerokuOAuthCallbackPageQueryParamsSchema = z.object({
   state: z.string().catch(""),
-  code: z.string()
+  code: z.coerce.string().catch("")
 });
 
 export const Route = createFileRoute(

frontend/src/pages/secret-manager/integrations/NetlifyOauthCallbackPage/route.tsx

@@ -6,7 +6,7 @@ import { NetlifyOauthCallbackPage } from "./NetlifyOauthCallbackPage";
 
 export const NetlifyOAuthCallbackPageQueryParamsSchema = z.object({
   state: z.string().catch(""),
-  code: z.string()
+  code: z.coerce.string().catch("")
 });
 
 export const Route = createFileRoute(

frontend/src/pages/secret-manager/integrations/VercelOauthCallbackPage/route.tsx

@@ -6,7 +6,7 @@ import { VercelOauthCallbackPage } from "./VercelOauthCallbackPage";
 
 export const VercelOAuthCallbackPageQueryParamsSchema = z.object({
   state: z.string().catch(""),
-  code: z.string()
+  code: z.coerce.string().catch("")
 });
 
 export const Route = createFileRoute(