GitHub OAuth Token Scope Silently Overwritten Between Login and Connect Flows

[Ridanshi]

Summary

GitHub OAuth tokens stored during authentication and GitHub-connect flows overwrite each other despite requiring different permission scopes.

As a result, users can silently lose GitHub follow permissions after re-authentication.

---

Affected Files

• apps/backend/src/routes/auth.ts
• apps/backend/src/routes/connect.ts

---

Root Cause

Both flows upsert into the same token record:

(userId, 'github')

but store different OAuth scopes.

Login flow (auth.ts)

Stores:

read:user user:email

Connect flow (connect.ts)

Stores:

user:follow

Whichever flow runs last overwrites the previously stored token.

---

Realistic Failure Scenario

1. User connects GitHub for follow functionality.
2. Backend stores token with user:follow.
3. User later logs in again using GitHub OAuth.
4. Login flow overwrites token with lower-privilege scope.
5. Follow actions now fail because the token lacks user:follow.

This failure is silent during login and only surfaces later during follow operations.

---

Impact

Users unexpectedly lose follow capability after re-authentication.

This creates:

• broken follow flows,
• confusing reconnect loops,
• inconsistent OAuth behavior,
• and invalid token capability assumptions.

The issue is especially difficult to debug because:

• authentication still succeeds,
• token storage succeeds,
• failures occur only later during GitHub API usage.

---

Proposed Fix

Separate authentication tokens from follow-capable tokens.

Possible approaches:

Option 1

Store separate platform keys:

github_auth
github_follow

Option 2

Merge scopes intelligently and retain the most permissive token.

Option 3

Store scope metadata explicitly and validate capability before overwriting.

---

Acceptance Criteria

• Login flow no longer removes follow capability.
• Follow-capable tokens remain persistent after re-authentication.
• Token scope ownership is explicit and deterministic.
• Existing OAuth login behavior remains unchanged.

---

Severity

Medium

This is a significant OAuth lifecycle/data-integrity flaw affecting persistent GitHub integrations.

[Ridanshi]

Hi @Harxhit
I’d like to work on this issue. The OAuth token overwrite behavior and scope-management inconsistency are clear, and I already have a structured approach in mind for separating authentication and follow-capable token handling safely.

Could you please assign this issue to me?

[Nightkilller]

Hi @Ridanshi,

I would like to work on this issue under GSSoC'26.

I reviewed the reported behavior and understand that the authentication and GitHub-connect flows currently persist tokens using the same (userId, 'github') record despite requiring different OAuth scopes. This can cause a follow-capable token to be silently overwritten by a lower-privilege authentication token, resulting in broken follow functionality after re-authentication.

My plan is to:

• Review the token persistence logic in both auth.ts and connect.ts.
• Evaluate the existing token model and implement a deterministic strategy for handling different GitHub token capabilities.
• Ensure follow-capable permissions are not lost during subsequent authentication flows.
• Make token scope ownership explicit and maintainable, either through separate token records or clear scope-aware storage logic as appropriate for the current architecture.
• Add tests covering:
  • initial GitHub connect flow
  • re-authentication after connecting GitHub
  • preservation of follow capability across login cycles
  • expected behavior for different scope combinations
• Verify that existing OAuth login behavior remains unchanged.

I will keep the implementation focused on token scope handling and include the necessary test coverage to prevent future regressions.

Please assign this issue to me. Thank you!

[Harxhit]

@Ridanshi I have assigned this issue to you.

[Ridanshi]

Implemented the OAuth token scope-isolation fix and opened PR #274 for review.

The update separates authentication and follow-capable GitHub tokens into deterministic independent records, prevents silent scope overwrites during re-authentication, preserves follow functionality across login cycles, and adds comprehensive regression coverage for token lifecycle and scope-handling behavior.

Fixes #225.