Scope WorkOS Vault object names by owner

RhysSullivan · RhysSullivan · commit 99b9406dae0a · 2026-06-10T23:51:08.000-07:00
diff --git a/packages/plugins/workos-vault/src/sdk/plugin.ts b/packages/plugins/workos-vault/src/sdk/plugin.ts
@@ -72,6 +72,7 @@ export const workosVaultPlugin = definePlugin((options?: WorkOSVaultPluginOption
       makeWorkOSVaultCredentialProvider({
         client,
         store: ctx.storage,
+        owner: ctx.owner,
         objectPrefix: options?.objectPrefix,
       }),
     ];
diff --git a/packages/plugins/workos-vault/src/sdk/secret-store.test.ts b/packages/plugins/workos-vault/src/sdk/secret-store.test.ts
@@ -251,7 +251,7 @@ const makeProvider = (
 ): ReturnType<typeof makeWorkOSVaultCredentialProvider> => {
   const deps = makeFakeStorageDeps(binding);
   const store = makeWorkosVaultStore(deps);
-  return makeWorkOSVaultCredentialProvider({ client, store });
+  return makeWorkOSVaultCredentialProvider({ client, store, owner: binding });
 };
 
 const id = (value: string) => ProviderItemId.make(value);
@@ -392,7 +392,7 @@ const makePartitionedBacking = () => {
   };
   const rows = new Map<string, Row>();
   const partKey = (owner: string, subject: string, collection: string, key: string) =>
-    `${owner} ${subject} ${collection} ${key}`;
+    `${owner} ${subject} ${collection} ${key}`;
   const subjectFor = (owner: Owner, binding: OwnerBinding) =>
     owner === "org" ? "" : String(binding.subject ?? "");
   const toEntry = (row: Row): PluginStorageEntry => ({
@@ -483,10 +483,12 @@ describe("WorkOS Vault — credential owner partitioning", () => {
       const creator = makeWorkOSVaultCredentialProvider({
         client,
         store: makeWorkosVaultStore(backing.depsFor(userBinding("subject-a"))),
+        owner: userBinding("subject-a"),
       });
       const other = makeWorkOSVaultCredentialProvider({
         client,
         store: makeWorkosVaultStore(backing.depsFor(userBinding("subject-b"))),
+        owner: userBinding("subject-b"),
       });
 
       // user A pastes the org connection's API key
@@ -502,6 +504,7 @@ describe("WorkOS Vault — credential owner partitioning", () => {
         store: makeWorkosVaultStore(
           backing.depsFor({ tenant: Tenant.make("tenant-a"), subject: null }),
         ),
+        owner: { tenant: Tenant.make("tenant-a"), subject: null },
       });
       expect(yield* automation.get(id("connection:org:exa_search_api:workspaceexa:token"))).toBe(
         "exa_secret",
@@ -516,10 +519,12 @@ describe("WorkOS Vault — credential owner partitioning", () => {
       const userA = makeWorkOSVaultCredentialProvider({
         client,
         store: makeWorkosVaultStore(backing.depsFor(userBinding("subject-a"))),
+        owner: userBinding("subject-a"),
       });
       const userB = makeWorkOSVaultCredentialProvider({
         client,
         store: makeWorkosVaultStore(backing.depsFor(userBinding("subject-b"))),
+        owner: userBinding("subject-b"),
       });
 
       yield* userA.set!(id("connection:user:notion:personal:token"), "private_secret");
@@ -537,10 +542,12 @@ describe("WorkOS Vault — credential owner partitioning", () => {
       const creator = makeWorkOSVaultCredentialProvider({
         client,
         store: makeWorkosVaultStore(backing.depsFor(userBinding("subject-a"))),
+        owner: userBinding("subject-a"),
       });
       const other = makeWorkOSVaultCredentialProvider({
         client,
         store: makeWorkosVaultStore(backing.depsFor(userBinding("subject-b"))),
+        owner: userBinding("subject-b"),
       });
 
       yield* creator.set!(id("oauth:org:slack:workspace"), "access_tok");
@@ -551,3 +558,100 @@ describe("WorkOS Vault — credential owner partitioning", () => {
     }),
   );
 });
+
+// ---------------------------------------------------------------------------
+// Object-name partition isolation. A logical item id
+// (connection:/oauth:/oauth-client:) carries no tenant and no subject, so two
+// parties that pick the same integration + connection name produce a
+// byte-identical id. The vault object keyspace is GLOBAL (one WorkOS
+// environment), so the object name must encode the partition for two parties'
+// objects to stay distinct. These tests use ONE shared fake client (the global
+// keyspace) with per-party metadata stores (each party's own DB partition), and
+// assert each party reads back its OWN secret — i.e. identical ids in different
+// partitions never resolve to the same object.
+// ---------------------------------------------------------------------------
+
+const orgBindingFor = (tenant: string): OwnerBinding => ({
+  tenant: Tenant.make(tenant),
+  subject: null,
+});
+
+describe("WorkOS Vault — object-name partition isolation", () => {
+  it.effect("the same org item id in two tenants does not share a vault object", () =>
+    Effect.gen(function* () {
+      const client = makeFakeClient(); // one global vault keyspace
+      const tenantOne = makeProvider(client, orgBindingFor("org-1"));
+      const tenantTwo = makeProvider(client, orgBindingFor("org-2"));
+
+      // Both orgs connect the same integration under the same default name, so
+      // the logical item id is identical across tenants.
+      const sharedId = id("connection:org:websets:workspacewebsets:token");
+      yield* tenantOne.set!(sharedId, "org-1-key");
+      yield* tenantTwo.set!(sharedId, "org-2-key");
+
+      expect(yield* tenantOne.get(sharedId)).toBe("org-1-key");
+      expect(yield* tenantTwo.get(sharedId)).toBe("org-2-key");
+    }),
+  );
+
+  it.effect("the same personal item id for two users does not share a vault object", () =>
+    Effect.gen(function* () {
+      const client = makeFakeClient();
+      const userA = makeProvider(client, userBinding("subject-a"));
+      const userB = makeProvider(client, userBinding("subject-b"));
+
+      const sharedId = id("connection:user:dealcloud:personaldealcloud:token");
+      yield* userA.set!(sharedId, "a-token");
+      yield* userB.set!(sharedId, "b-token");
+
+      expect(yield* userA.get(sharedId)).toBe("a-token");
+      expect(yield* userB.get(sharedId)).toBe("b-token");
+    }),
+  );
+
+  // WorkOS Vault accepts createObject names of ANY length, but an object whose
+  // name exceeds 200 characters is permanently unreadable — every read 400s,
+  // by name AND by id (verified against the live vault 2026-06-10: 200 reads
+  // fine, 201 never does). createObject succeeding says nothing about the name
+  // being usable. Ids whose scoped name would exceed the limit swap the
+  // encoded tail for a sha256 digest; the fake mirrors the real API (creates
+  // always succeed, reads reject names over 200), so an over-long generated
+  // name fails this roundtrip instead of silently surfacing
+  // `connection_value_missing` in prod.
+  it.effect("a long item id roundtrips through a capped (hashed-tail) object name", () =>
+    Effect.gen(function* () {
+      const client = makeFakeClient({ rejectReadNamesLongerThan: 200 });
+      const longId = id(
+        "oauth:user:microsoft_graph_v1_0_sharepoint_files_excel_outlook_combined_curated:" +
+          "personalmicrosoftgraphv10sharepointfilesexceloutlookcombinedcurated:refresh",
+      );
+      const siblingId = id(
+        "oauth:user:microsoft_graph_v1_0_sharepoint_files_excel_outlook_combined_curated:" +
+          "personalmicrosoftgraphv10sharepointfilesexceloutlookcombinedcurated",
+      );
+
+      const userA = makeProvider(client, {
+        tenant: Tenant.make("org_01KP6XMWC2WGC2960Y63FGP7BM"),
+        subject: Subject.make("user_01KP6XM1ZPVQVTPJ77F0YV4EAX"),
+      });
+      const userB = makeProvider(client, {
+        tenant: Tenant.make("org_01KP6XMWC2WGC2960Y63FGP7BM"),
+        subject: Subject.make("user_01KP6XRGC9ZF41ZZF5CXWVCPCC"),
+      });
+
+      yield* userA.set!(longId, "a-refresh-token");
+      yield* userA.set!(siblingId, "a-access-token");
+      yield* userB.set!(longId, "b-refresh-token");
+
+      // resolves (name under the limit), hashed siblings stay distinct, and
+      // identical long ids in two partitions stay isolated
+      expect(yield* userA.get(longId)).toBe("a-refresh-token");
+      expect(yield* userA.get(siblingId)).toBe("a-access-token");
+      expect(yield* userB.get(longId)).toBe("b-refresh-token");
+
+      // a second write lands on the same capped name (update, not duplicate)
+      yield* userA.set!(longId, "a-refresh-token-2");
+      expect(yield* userA.get(longId)).toBe("a-refresh-token-2");
+    }),
+  );
+});
diff --git a/packages/plugins/workos-vault/src/sdk/secret-store.ts b/packages/plugins/workos-vault/src/sdk/secret-store.ts
