Skip to content

[BUG] Worker share-link re-mint invalidates previously copied floom.dev/s URLs #2144

Description

@federicodeponte

Summary

Worker standalone share links created by POST /workers/{id}/share-link are create-or-rotate. Calling the endpoint again invalidates the previously copied https://floom.dev/s/<token> URL, so users who already pasted the link see a 404 later.

This made the Gmail Inbox Cleaner launch link appear broken: an earlier verified URL later returned 404 after a newer share-link POST minted a replacement token.

Reproduction

Using cloud worker gmail-inbox-cleaner-public in workspace cloud-ws_d8cff133674548:

  1. Mint a worker share link:
    POST https://workeros-api.floom.dev/api/workers/gmail-inbox-cleaner-public/share-link
  2. Open the returned https://floom.dev/s/<token>.
  3. Confirm it returns HTTP 200 and renders Gmail Inbox Cleaner (public template).
  4. Mint the share link again for the same worker.
  5. Re-open the first copied URL.

Actual

The first URL returns HTTP 404 from both:

  • https://floom.dev/s/<old-token>
  • https://workeros-api.floom.dev/api/s/<old-token> with {"detail":"Short link not found"}

The newest URL works. Verified current behavior with a fresh latest token:

  • page: HTTP 200, final URL under /app/s/<token>, contains Gmail Inbox Cleaner and gmail-inbox-cleaner-public
  • API: HTTP 200, returns entity_type=worker
  • repeated delayed checks at ~0s, ~20s, ~80s, and ~200s stayed HTTP 200 as long as the link was not re-minted

Expected

One of these product behaviors:

  • POST /workers/{id}/share-link returns the existing active URL unless the user explicitly revokes/regenerates it, or
  • the UI/CLI labels the action as “regenerate link” and warns that existing copied URLs stop working, or
  • old tokens remain valid until explicit revoke.

For public worker templates, the current create-or-rotate behavior is risky because users naturally click/copy/share multiple times while preparing launch materials, invalidating links already pasted into posts, docs, or emails.

Related

This is the worker-share version of the same class of issue tracked for batch approval share links in #1965.

Verification Already Run

Worker bundle itself is not the blocker:

  • npx -y @floomhq/floom@latest workers validate /tmp/gmail-inbox-cleaner-audit-isolated passed
  • python3 -m py_compile run.py passed in isolated bundle
  • isolated smoke test confirmed test mode makes no Gmail mutations
  • PYTHONPATH=apps/api python3 -m pytest apps/api/tests/test_standalone_share_public.py apps/api/tests/test_share_link_revoke.py tests/test_gmail_inbox_manager_plus.py -q passed: 10 tests

OpenCode/Gemini audit also inspected the isolated bundle. Its Gmail OAuth-scope warning was a false positive for Floom's manifest model: Composio access is constrained via connections[].allowed_tools; narrower OAuth requires a separate Composio auth config.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions