Skip to content

fix(oauth): isolate follow token from auth token to prevent scope overwrite#274

Open
Ridanshi wants to merge 1 commit into
Dev-Card:mainfrom
Ridanshi:fix/oauth-scope-overwrite
Open

fix(oauth): isolate follow token from auth token to prevent scope overwrite#274
Ridanshi wants to merge 1 commit into
Dev-Card:mainfrom
Ridanshi:fix/oauth-scope-overwrite

Conversation

@Ridanshi
Copy link
Copy Markdown
Contributor

@Ridanshi Ridanshi commented May 23, 2026

Problem

The GitHub login flow and GitHub connect/follow flow both persisted OAuth tokens into the same OAuthToken record keyed by:

(userId, 'github')

despite requiring different permission scopes.

Login flow (auth.ts)

Stored tokens with:

read:user user:email

Connect flow (connect.ts)

Stored tokens with:

user:follow

Because both flows used Prisma upsert on the same (userId, platform) key, whichever flow executed last silently overwrote the previous token.

In practice:

  • reconnecting GitHub follow destroyed login-scoped tokens,
  • re-authentication destroyed follow-scoped tokens,
  • and users silently lost GitHub follow capability after logging in again.

Root Cause

OAuthToken is uniquely keyed by:

@@unique([userId, platform])

Both flows persisted tokens using:

platform = 'github'

This created a deterministic overwrite lifecycle where:

  • auth tokens and follow tokens competed for the same record,
  • OAuth scope ownership became ambiguous,
  • and follow functionality broke later during GitHub API calls.

The issue was difficult to diagnose because:

  • authentication continued succeeding,
  • token persistence succeeded,
  • failures only surfaced later during follow operations.

Fix

Implemented deterministic scope-safe token isolation.

Scope Handling Strategy

The authentication flow and follow-capable flow now use separate platform keys:

Flow Platform Key Scope
Login (auth.ts) github read:user user:email
Connect (connect.ts) github_follow user:follow

This completely prevents cross-flow token overwrites.

No schema migration was required because:

  • platform is already a free-form string,
  • and the existing unique constraint naturally supports separate capability-specific records.

Changes

apps/backend/src/routes/connect.ts

  • introduced: 
    GITHUB_FOLLOW_PLATFORM = 'github_follow'
  • follow-capable tokens now persist using: 
    platform = 'github_follow'
  • updated all related upsert logic to use the dedicated follow token key

apps/backend/src/routes/follow.ts

  • GitHub follow token lookups now resolve: 
    github -> github_follow
  • non-GitHub platforms remain unchanged
  • existing follow behavior preserved

apps/backend/src/routes/auth.ts

  • no changes required
  • authentication flow continues using: 
    platform = 'github'

Backward Compatibility

  • Existing authentication tokens remain fully valid
  • No data migration required
  • No existing records are deleted or modified
  • Users with older overwritten follow tokens may reconnect GitHub once to repopulate the dedicated follow token record

The updated structure also creates a clean pattern for future scope-specific OAuth integrations:

{platform}_{purpose}

Tests

Added comprehensive regression coverage in:

apps/backend/src/__tests__/oauth-scope.test.ts

Coverage includes:

  • GitHub connect token persistence
  • isolation between auth and follow tokens
  • repeated login cycles
  • repeated reconnect cycles
  • follow capability preservation after re-authentication
  • encrypted token persistence
  • GitHub follow lookup behavior
  • backward compatibility behavior
  • non-GitHub platform handling
  • missing follow token behavior

Result

  • Follow-capable GitHub tokens are no longer overwritten by login flows
  • OAuth scope ownership is now explicit and deterministic
  • Re-authentication no longer removes follow capability
  • Existing authentication behavior remains unchanged
  • Future OAuth scope expansion is now safer and easier to maintain

Fixes #225

@Ridanshi
fix(oauth): isolate follow token from auth token to prevent scope ove…
3c39690 
…rwrite

The GitHub connect flow (user:follow scope) and the GitHub login flow
(read:user user:email scope) both performed an upsert against the same
OAuthToken record keyed on (userId, 'github').  Whichever executed last
silently replaced the other's access token.  The practical effect: every
re-authentication destroyed the user's GitHub follow capability.

Fix (no schema migration required):
- Introduce GITHUB_FOLLOW_PLATFORM = 'github_follow' constant in connect.ts
- connect.ts callback: write the follow-capable token to platform='github_follow'
  instead of platform='github'.  The auth flow (auth.ts) continues writing
  to 'github' — the two records now have independent keys and can never
  overwrite each other.
- follow.ts: resolve the GitHub token lookup to 'github_follow' so the follow
  route reads from the correct record.  All non-GitHub platforms are unaffected.

Backward compatibility:
- Existing 'github' auth token records remain intact and continue to be
  used by the login flow.
- Users with a pre-existing 'github' follow token will need to re-run the
  connect flow (one-time action) to populate the new 'github_follow' record.
  The existing record is not deleted or modified.

Tests added (oauth-scope.test.ts):
- Connect callback writes to github_follow, never to github
- Scope and encrypted token stored correctly in the follow record
- Follow route looks up github_follow, never the auth token
- Follow route returns 400+requiresAuth when github_follow is absent (no fallback)
- Non-GitHub platforms use their own name unchanged
- Repeated connect cycles only touch github_follow
- Follow succeeds after a connect cycle
- Follow survives a simulated re-login cycle
- Encrypted token persistence: raw token is never stored verbatim
- Follow route decrypts before calling GitHub API
@Ridanshi Ridanshi mentioned this pull request May 23, 2026
Open
@ShantKhatri
Copy link
Copy Markdown
Contributor

ShantKhatri commented May 23, 2026

@Ridanshi Allow some time to review this PR.

@Harxhit Harxhit added the gssoc:approved Required label for every approved PR. Gives the base +50 points and enables contribution tracking. label May 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

gssoc:approved Required label for every approved PR. Gives the base +50 points and enables contribution tracking.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

GitHub OAuth Token Scope Silently Overwritten Between Login and Connect Flows

3 participants

@Ridanshi @ShantKhatri @Harxhit