fix: strip whitespace from instance configuration values on save

rucoder · rucoder · commit 058f7a28e4d8 · 2026-03-09T17:11:19.000+01:00
Trailing whitespace in OAuth credentials (e.g. GITHUB_CLIENT_ID) causes
authentication failures. When a user accidentally pastes a value with
leading/trailing spaces into the God Mode admin UI, the spaces are
persisted to the database as-is. For OAuth client IDs this results in
the identity provider rejecting the request (e.g. GitHub returns 404
because the client_id has a URL-encoded space appended).

Strip whitespace from all configuration values before persisting them
in InstanceConfigurationEndpoint.patch().

Signed-off-by: Mikhail Malyshev &lt;mike.malyshev@gmail.com&gt;
diff --git a/apps/api/plane/license/api/views/configuration.py b/apps/api/plane/license/api/views/configuration.py
@@ -45,7 +45,9 @@ def patch(self, request):
 
         bulk_configurations = []
         for configuration in configurations:
-            value = request.data.get(configuration.key, configuration.value)
+            value = str(
+                request.data.get(configuration.key, configuration.value)
+            ).strip()
             if configuration.is_encrypted:
                 configuration.value = encrypt_data(value)
             else:
diff --git a/apps/api/plane/tests/unit/views/__init__.py b/apps/api/plane/tests/unit/views/__init__.py
diff --git a/apps/api/plane/tests/unit/views/test_instance_configuration.py b/apps/api/plane/tests/unit/views/test_instance_configuration.py
@@ -0,0 +1,132 @@
+# Copyright (c) 2023-present Plane Software, Inc. and contributors
+# SPDX-License-Identifier: AGPL-3.0-only
+# See the LICENSE file for details.
+
+import pytest
+from django.utils import timezone
+
+from rest_framework.test import APIClient
+
+from plane.db.models import User
+from plane.license.models import Instance, InstanceAdmin, InstanceConfiguration
+
+
+@pytest.fixture
+def instance_admin(db):
+    """Create an instance, an admin user, and link them via InstanceAdmin."""
+    user = User.objects.create(
+        email="admin@plane.so",
+        first_name="Admin",
+        last_name="User",
+    )
+    user.set_password("admin-password")
+    user.save()
+
+    instance = Instance.objects.create(
+        instance_name="test",
+        instance_id="test-instance-id",
+        current_version="1.2.3",
+        last_checked_at=timezone.now(),
+        is_setup_done=True,
+    )
+
+    InstanceAdmin.objects.create(
+        instance=instance,
+        user=user,
+        role=20,
+    )
+
+    return user
+
+
+@pytest.fixture
+def admin_client(instance_admin):
+    """Return an authenticated API client for the instance admin."""
+    client = APIClient()
+    client.force_authenticate(user=instance_admin)
+    return client
+
+
+@pytest.mark.unit
+class TestInstanceConfigurationWhitespaceTrimming:
+    """Test that instance configuration values are trimmed on save."""
+
+    @pytest.mark.django_db
+    def test_patch_strips_trailing_whitespace(self, admin_client):
+        """Values with trailing whitespace should be stripped when saved."""
+        InstanceConfiguration.objects.create(
+            key="GITHUB_CLIENT_ID",
+            value="",
+            category="GITHUB",
+            is_encrypted=False,
+        )
+
+        response = admin_client.patch(
+            "/api/instances/configurations/",
+            {"GITHUB_CLIENT_ID": "Ov23li2Dep2t79q18nxD "},
+            format="json",
+        )
+
+        assert response.status_code == 200
+        config = InstanceConfiguration.objects.get(key="GITHUB_CLIENT_ID")
+        assert config.value == "Ov23li2Dep2t79q18nxD"
+
+    @pytest.mark.django_db
+    def test_patch_strips_leading_whitespace(self, admin_client):
+        """Values with leading whitespace should be stripped when saved."""
+        InstanceConfiguration.objects.create(
+            key="GITHUB_CLIENT_ID",
+            value="",
+            category="GITHUB",
+            is_encrypted=False,
+        )
+
+        response = admin_client.patch(
+            "/api/instances/configurations/",
+            {"GITHUB_CLIENT_ID": "  Ov23li2Dep2t79q18nxD"},
+            format="json",
+        )
+
+        assert response.status_code == 200
+        config = InstanceConfiguration.objects.get(key="GITHUB_CLIENT_ID")
+        assert config.value == "Ov23li2Dep2t79q18nxD"
+
+    @pytest.mark.django_db
+    def test_patch_strips_both_sides(self, admin_client):
+        """Values with whitespace on both sides should be fully trimmed."""
+        InstanceConfiguration.objects.create(
+            key="GOOGLE_CLIENT_ID",
+            value="",
+            category="GOOGLE",
+            is_encrypted=False,
+        )
+
+        response = admin_client.patch(
+            "/api/instances/configurations/",
+            {"GOOGLE_CLIENT_ID": "  some-client-id  "},
+            format="json",
+        )
+
+        assert response.status_code == 200
+        config = InstanceConfiguration.objects.get(key="GOOGLE_CLIENT_ID")
+        assert config.value == "some-client-id"
+
+    @pytest.mark.django_db
+    def test_patch_preserves_clean_values(self, admin_client):
+        """Values without whitespace should be saved unchanged."""
+        InstanceConfiguration.objects.create(
+            key="GITHUB_CLIENT_ID",
+            value="",
+            category="GITHUB",
+            is_encrypted=False,
+        )
+
+        response = admin_client.patch(
+            "/api/instances/configurations/",
+            {"GITHUB_CLIENT_ID": "Ov23li2Dep2t79q18nxD"},
+            format="json",
+        )
+
+        assert response.status_code == 200
+        config = InstanceConfiguration.objects.get(key="GITHUB_CLIENT_ID")
+        assert config.value == "Ov23li2Dep2t79q18nxD"
