feat: add Jiminny provider #5944
1 issue found across 1 file
Confidence score: 2/5
- There is a concrete security risk in `packages/providers/providers.yaml`: unvalidated `region` is used to build the request host, which can redirect authenticated traffic to attacker-controlled domains.
- Given the high severity/confidence (7/10, 9/10) and user-impact potential (credential/token exposure or unintended outbound calls), this is not a low-risk merge in its current state.
- This should be straightforward to reduce by strict allowlisting/validation of supported regions before host construction.
- Pay close attention to `packages/providers/providers.yaml` - host interpolation from `region` must be constrained to trusted domains.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="packages/providers/providers.yaml">
<violation number="1" location="packages/providers/providers.yaml:9170">
P1: Unvalidated `region` is interpolated into the request host, allowing authenticated traffic to be sent to an arbitrary domain.</violation>
</file>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9f675f7a56
Without validation, an arbitrary region value is interpolated directly into the proxy base_url hostname. A pattern allowlist ensures only the two supported TLDs are accepted.
|
Fixed in e7edf7d — added |
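The fix discussed above, sketched as an added example (not code from this PR or from Nango): validate `region` against the same `^(eu|com)$` pattern before building the URL, then confirm the parsed hostname is one of the two expected hosts. The function names are hypothetical, the `/customer/api` base path follows the reviewer's suggestion, and the sample inputs are constructed.

```javascript
// Added example; helper names are hypothetical, not part of Nango.
const REGION_PATTERN = /^(eu|com)$/; // same pattern as the providers.yaml fix
const EXPECTED_HOSTS = new Map([
  ['eu', 'app.jiminny.eu'],
  ['com', 'app.jiminny.com'],
]);

// What plain string interpolation resolves to for any input.
function interpolatedHost(region) {
  try {
    return new URL(`https://app.jiminny.${region}/customer/api`).hostname;
  } catch {
    return null; // not a parseable URL at all
  }
}

// Validate first, build second, then check the parsed host as a second guard.
function buildBaseUrl(region) {
  if (typeof region !== 'string' || !REGION_PATTERN.test(region)) {
    throw new Error(`unsupported region: ${JSON.stringify(region)}`);
  }
  const url = new URL(`https://app.jiminny.${region}/customer/api`);
  if (url.hostname !== EXPECTED_HOSTS.get(region)) {
    throw new Error(`unexpected host: ${url.hostname}`);
  }
  return url.toString();
}

// For each sample: the host interpolation alone would use, and whether
// the validated builder accepts the value.
function audit(samples) {
  return samples.map((region) => {
    let accepted = true;
    try {
      buildBaseUrl(region);
    } catch {
      accepted = false;
    }
    return { region, host: interpolatedHost(region), accepted };
  });
}

// Constructed sample inputs (example.test is a reserved name).
const SAMPLES = ['eu', 'com', 'EU', 'com.example.test', 'eu/', ' eu', 'eu\n'];
for (const row of audit(SAMPLES)) console.log(JSON.stringify(row));
```

Several rejected samples still parse to a Jiminny hostname (`EU`, `eu/`, `eu\n`); they are refused because the allowlist matches the raw value exactly rather than trusting URL normalization.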
hassan254-prog left a comment
Thanks for the contribution. You’ll need to complete this PR with the relevant docs and logo for the new provider. Please use this example as a reference to create the required docs.
| - communication | ||
| auth_mode: API_KEY | ||
| proxy: | ||
| base_url: https://app.jiminny.${connectionConfig.region}/customer/api/v1 |
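Review bot: `${connectionConfig.region}` sits in the hostname part of `base_url`, and nothing in this hunk restricts it, so with `auth_mode: API_KEY` the key is sent to whatever host that value produces. The constraint has to live on the `region` field definition; please keep that pattern mandatory for this provider and add a short YAML comment here pointing to it, so a later edit to the field does not silently reopen the host.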
| base_url: https://app.jiminny.${connectionConfig.region}/customer/api/v1 | |
| base_url: https://app.jiminny.${connectionConfig.region}/customer/api |
The version should be appended to the verification endpoint.
| apiKey: | ||
| type: string | ||
| title: API Key | ||
| description: Your Jiminny API key. Generate one in Jiminny under Org Settings → General → API Key (requires Admin or Owner role). |
| description: Your Jiminny API key. Generate one in Jiminny under Org Settings → General → API Key (requires Admin or Owner role). | |
| description: Your Jiminny API key. |
The rest should be described in the docs.
| pattern: '^(eu|com)$' | ||
| example: eu | ||
| default_value: com | ||
| order: 1 |
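Review bot: `pattern: '^(eu|com)$'` is the only thing holding `region` to the two supported values, and these lines do not show where the pattern is evaluated. Please confirm it is enforced server-side when the connection config is saved, not only by the connect form, since the value ends up in the request host. Separately, `example: eu` next to `default_value: com` reads inconsistently; use one region for both or drop the default.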
| order: 1 |
Adds all required documentation per contributor guidelines:
- Quickstart page (api-integrations/jiminny.mdx)
- Connect guide explaining region + API key setup
- PreBuiltTooling and PreBuiltUseCases snippets
- Provider logo SVG
- docs.json nav entry
- providers.yaml: fix docs URL to api-integrations path, add docs_connect

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Move /v1 from base_url to verification endpoint path
- Remove redundant order field from region config
- Shorten apiKey description (detail belongs in docs)
- Add example JWT and pattern for apiKey field

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| - | - | JSON Web Token | dc2cd3a | packages/providers/providers.yaml | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
hassan254-prog left a comment
Few comments otherwise looks good to merge.
| description: The region your Jiminny account is hosted in (eu for app.jiminny.eu, com for app.jiminny.com) | ||
| pattern: '^(eu|com)$' | ||
| example: eu | ||
| default_value: com |
| default_value: com |
|
|
||
| const res = await nango.get({ | ||
| endpoint: '/api/users/@me', | ||
| endpoint: '/me', |
| endpoint: '/me', | |
| endpoint: '/v1/me', |
same as the endpoint above.
| 2. Select your **Region** (`eu` or `com`) from the dropdown. | ||
| 3. Enter your **API Key** in the API Key field. | ||
| 4. Submit the form to complete authentication. | ||
|
|
Would be nice to include the form screenshot here.
I would love to, but we don't actually have access to Jiminny. A potential customer has provided us just with the key and we are using their docs to build the integration directly.
Please fix the broken link.
Co-authored-by: Hassan_Wari <85742599+hassan254-prog@users.noreply.github.com>
- Remove broken docs link in jiminny.mdx (CI mintlify check was failing)
- Update quickstart example endpoints /me → /v1/me (curl + Node SDK)
- Remove default_value from region connection_config
Summary
Adds Jiminny (https://jiminny.com) as a new API_KEY provider.
- Auth: Bearer token via `Authorization: Bearer ${apiKey}`
- Regions: EU (`app.jiminny.eu`) and US (`app.jiminny.com`) — selectable via `connection_config.region`
- Verification: `GET /v1/activities?limit=1` — read-only, returns 200 with empty list for accounts with no calls
- Categories: productivity, support
Jiminny is a conversation intelligence platform (call recording, AI summaries, sentiment analysis) used by sales and CS teams.
API reference: https://jiminny.github.io/customer-api-docs/