You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In the new _get_headers_ implementation, the variables headers and payload are used in the token fetch requests.post call but never defined or constructed in that scope. This will result in a NameError at runtime.
The new /start public endpoint does not enforce any authentication or permission checks. Verify if this route should be protected or rate-limited to prevent unauthorized or abusive use.
@cors_preflight("POST,OPTIONS")@API.route("/<string:definition_key>/start", methods=["POST", "OPTIONS"])classProcessByDefinitionKeyResource(Resource):
"""Resource for process resource by definition key."""@staticmethod@profiletime@API.response(201, "Created:- Request has been fulfilled and resulted in new resource being created.")@API.response(400, "BAD_REQUEST:- Invalid request.")@API.response(401, "UNAUTHORIZED:- Authorization header not provided or invalid token.")@API.response(403, "FORBIDDEN:- Authorization will not help.")# @API.expect(post_request_model)defpost(definition_key: str):
"""Creates a new process instance using the specified definition key."""payload=request.get_json()
tenant_key=request.args.get("tenantKey", default=None)
camunda_start_task=BPMService.post_process_start_tenant(
process_key=definition_key,
payload=payload,
token=None,
tenant_key=tenant_key
)
returncamunda_start_task
Ensure payload and headers are always defined before use, not only inside the multi-tenancy branch. Move their initialization above the try block so that the non-tenant code path does not reference undefined variables.
Why: Removing the extra = corrects the viewport directive syntax, which is critical for proper responsive rendering.
Medium
Avoid duplicate key
Rename or remove the duplicate tenantName property to avoid overriding the earlier definition. Use a unique key (e.g., captureTenantName) for the tenant capture field.
Why: Renaming submit avoids collision with doSubmit and clarifies purpose, improving maintainability with minimal impact.
Low
General
Return explicit HTTP 201 response
Return a Flask response with an explicit status code (e.g., 201) and JSON content instead of relying on the raw return value. Use jsonify() or make_response() to set the HTTP status.
Wrap the call to BPMService.post_process_start_tenant in a try/except block and return a tuple of the JSON body with an explicit HTTP status code. This ensures errors are caught and that clients always receive a valid (201 or 500) response.
-return camunda_start_task+try:+ result = BPMService.post_process_start_tenant(+ process_key=definition_key, payload=payload, token=None, tenant_key=tenant_key+ )+ return result, 201+except Exception as e:+ current_app.logger.error(f"Failed to start process: {e}")+ return {"error": "Failed to start process"}, 500
Suggestion importance[1-10]: 6
__
Why: Wrapping BPMService.post_process_start_tenant in try/except improves robustness by returning explicit status codes, though implementation details (e.g., imports) may need adjustment.
Low
Remove duplicate locale key
Remove the duplicate locale entry to prevent one from silently overriding the other at load time. Keep only a single consistent key format (e.g. locale_pt_BR).
Why: Removing one of the duplicate locale entries (locale_pt-BR) prevents inconsistent overrides and keeps the file clean.
Low
General
Ensure default credential fallback
When multi-tenancy is enabled and no tenant‐key is provided, fall back to the default client credentials rather than allowing a None value. This prevents passing None to the token endpoint.
Why: Providing a default in config.get avoids passing None to the token endpoint, a useful but minor enhancement in credential handling.
Low
Normalize Camunda endpoint URL
Normalize URL concatenation to guarantee a single slash between PUBLIC_PROCESS_START_URL and PROCESS_KEY. This avoids malformed endpoints when the base URL does or does not end with a slash.
There are two identical tenantName keys which will cause one to override the other. Rename the custom usage or remove the duplicate to prevent unexpected overrides.
tenantName=Tenant Name
...
-tenantName=Tenant Name+customTenantName=Tenant Name
Suggestion importance[1-10]: 8
__
Why: The duplicate tenantName keys at lines 2 and 436 will override one another in the properties lookup, risking unexpected behavior.
Medium
Handle BPMService errors gracefully
Wrap the external BPMService call in a try/except to catch network or service errors and return an appropriate HTTP error response instead of propagating raw exceptions.
Why: Wrapping the BPMService.post_process_start_tenant call in a try/except improves resilience by returning a controlled HTTP error instead of propagating raw exceptions.
Low
Validate HTTP response status
Check for non-2xx responses and log an error or take recovery actions instead of treating all statuses as informational.
-registrationCustomSuccessMsg=Registration is successful. You will shortly receive an email with login URL and details.\ No newline at end of file+registrationCustomSuccessMsg=Registration is successful. You will shortly receive an email with login URL and details.
Suggestion importance[1-10]: 3
__
Why: Ending the file with a newline complies with POSIX conventions and avoids potential parsing issues, but has minimal functional impact.
Low
Possible issue
Fix meta viewport syntax
The meta entry has a double equals (==) which is invalid syntax. Remove the extra = so the viewport is parsed correctly.
Build and send the token‐request payload correctly by defining payload and headers before calling requests.post. This ensures the token endpoint receives the expected form data and content type.
Why: The call to requests.post uses undefined payload and headers, causing a runtime error; defining them upfront fixes a critical bug in token retrieval.
High
Validate auth and handle errors
Require and validate an Authorization header and wrap the BPM call in try/except so errors map to proper HTTP status codes. Pass the extracted token to post_process_start_tenant.
The variables headers and payload are not defined before use, causing a NameError. You should build the token request payload and headers from bpm_client_id, bpm_client_secret, and bpm_grant_type before calling requests.post. This ensures the request is formed correctly and avoids runtime errors.
Why: The call to requests.post uses undefined headers and payload, causing a runtime NameError and blocking token retrieval.
High
Check HTTP status before parsing
You should verify the HTTP status before parsing JSON to catch non-200 errors. Use response.raise_for_status() and response.json() to simplify parsing and handle unexpected responses gracefully.
Why: Adding response.raise_for_status() and using response.json() improves error detection and simplifies parsing, enhancing robustness.
Low
General
Consolidate Portuguese locale key
Defining both locale_pt_BR and locale_pt-BR will cause one entry to override the other. Consolidate to a single standard variant to ensure consistent locale loading.
Why: Both locale_pt_BR and locale_pt-BR map to the same value and one will override the other; consolidating to a single key ensures consistent locale loading.
Medium
Use unique key for tenant name
The key tenantName is defined twice and the second occurrence will override the first one, leading to potential confusion in other contexts. Rename this key to a more specific identifier for the capture-tenant-info form.
-tenantName=Tenant Name+captureTenantInfo.tenantName=Tenant Name
Suggestion importance[1-10]: 6
__
Why: The key tenantName is defined twice (lines 2 and 436), causing the first entry to be overridden; renaming the second entry avoids confusion and preserves both translations.
Low
Add endpoint error handling
The endpoint directly returns the service result without error handling or HTTP status mapping. Wrap the call in a try/except, validate the service response, and return a proper Flask response tuple with status codes and error messages on failure.
Why: Wrapping BPMService.post_process_start_tenant in try/except adds proper status mapping, but it's an optional error-handling improvement.
Low
Normalize URL concatenation
Concatenating the URL without ensuring a trailing slash on camundaUrl may produce malformed endpoints. Normalize the base URL by trimming any trailing slash and use String.format to build the final URL safely.
Why: The generic submit key can be ambiguous alongside other submit-related keys like doSubmit; prefixing it improves clarity but has low impact on functionality.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
User description
Issue Tracking
JIRA:
Issue Type: FEATURE
Changes
Screenshots (if applicable)
try it now client/tenant
Other clents/tenants
Notes
Documents: https://docs.google.com/document/d/1XU7QpgK5BpxOMpBpr02GEYu5WlI-Gmxq9JmZ6fSdlBA/edit?tab=t.0
Todo
PR Type
Enhancement
Description
Enhance BPM auth headers for multitenant clients
Add public
/startendpoint for BPM workflowsIntroduce Keycloak SPI: capture info and event listener
Add custom multitenant Keycloak theme and CSS
Update Docker and compose for providers and env
Changes diagram
Changes walkthrough 📝
10 files
Support multitenant client secrets and error handlingAdd public process start endpointAdd required action to capture tenant infoAdd event listener to trigger Camunda workflowCreate event listener provider factoryAdd multitenant registration template macroCreate custom login form templateCreate custom registration form templateAdd capture-tenant-info form templateAdd registration success template6 files
Add multitenant BPM env variablesEnhance startup script for SPI and cache argsBuild and package SPI providers in imageExpose envs for process workflow variablesAdd multitenant BPM client env variablesConfigure multitenant login theme properties1 files
Custom CSS for multitenant login theme2 files
Add event listener module POMAdd capture-tenant SPI POM1 files
Add tenant-specific messages and labels8 files