fix(profile): remove OAuth token from audit/run Inngest event payload #222
Open
anshul23102 wants to merge 1 commit into
bootstrapProfile was embedding the user's live GitHub OAuth provider_token in the audit/run event data. Inngest retains event payloads in its cloud infrastructure for replay and debugging, meaning every signing user's access token was persisted in a third-party service indefinitely. The fix looks up an active GitHub App installation for the user and passes only the installation ID instead. The audit function already prefers installation tokens and will find a valid auth source from the ID. If no installation exists yet, the audit is not queued here; the install webhook handler fires its own audit/run event with the installationId once the app is installed, so no audit is missed. Adds a test suite for the bootstrap audit-queuing path verifying that installationId is used, accessToken is absent, and the event is skipped correctly when no install or when audit is already complete. Closes Coder-s-OG-s#204
@anshul23102 is attempting to deploy a commit to the codersogs-3057's projects Team on Vercel. A member of the Team first needs to authorize it.
Hey @anshul23102 You have 4 open PRs right now. The limit is 3 at a time. Please get your existing PRs merged or closed before opening new ones:
This PR will remain open but won't be reviewed until you're under the limit. See our Contributing Guidelines for details.
This was referenced May 25, 2026
Summary
Fixes #204.
`bootstrapProfile` was placing the user's live GitHub OAuth `provider_token` directly in the `audit/run` Inngest event payload under the `accessToken` key. Inngest retains event payloads in its cloud infrastructure for replay and debugging. This meant every user's GitHub access token was being persisted in a third-party service for an indefinite retention period.
Root cause
```typescript
// before — token transmitted through Inngest
await inngest.send({
  name: 'audit/run',
  data: {
    userId: profile.id,
    githubHandle: profile.github_handle,
    githubId,
    accessToken: providerToken, // live OAuth token in event payload
  },
});
```
Fix
The handler now looks up the user's active GitHub App installation and passes only the `installationId`:
```typescript
// after — installation ID only, no token in transit
const { data: install } = await service
  .from('github_installations')
  .select('id')
  .eq('user_id', profile.id)
  .is('uninstalled_at', null)
  .order('installed_at', { ascending: false })
  .limit(1)
  .maybeSingle();
if (install?.id) {
  await inngest.send({
    name: 'audit/run',
    data: {
      userId: profile.id,
      githubHandle: profile.github_handle,
      githubId,
      installationId: install.id, // safe to transmit
    },
  });
  auditQueued = true;
}
```
The `audit-run` function already has a complete installation-token path. If no installation exists at bootstrap time, the audit is not queued; the install webhook handler fires its own `audit/run` with the `installationId` once the user installs the app, so no audit window is missed.
Changes
Test plan
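An added example, not part of this pull request or the project's code: a send-time guard that rejects event payloads carrying credentials, so a regression like the `accessToken` field in the "before" snippet fails before the event leaves the process. The type names, the `guardedSend` wrapper, the extra key names and the sample payloads are assumptions for illustration; the token prefixes are GitHub's documented ones.

```typescript
// Added example: a payload guard for events sent to a queue that retains them.
type Finding = { path: string; reason: string };
type AppEvent = { name: string; data: Record<string, unknown> };

// accessToken and provider_token come from the PR; the other key names are assumed variants.
const SECRET_KEY = /^(access_?token|provider_?token|refresh_?token|authorization|password|secret)$/i;
// GitHub's documented token prefixes: ghp_, gho_, ghu_, ghs_, ghr_, github_pat_.
const GITHUB_TOKEN = /\b(gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})\b/;

// Walks the payload and returns the location of every suspected credential.
function findSecrets(value: unknown, path = 'data'): Finding[] {
  if (typeof value === 'string') {
    return GITHUB_TOKEN.test(value) ? [{ path, reason: 'GitHub token pattern' }] : [];
  }
  if (value === null || typeof value !== 'object') return [];
  const findings: Finding[] = [];
  for (const [key, child] of Object.entries(value as Record<string, unknown>)) {
    const childPath = `${path}.${key}`;
    if (SECRET_KEY.test(key) && child != null) {
      findings.push({ path: childPath, reason: 'credential-bearing key' });
    } else {
      findings.push(...findSecrets(child, childPath));
    }
  }
  return findings;
}

// Throws with paths only, so the secret value never reaches an error log.
function assertNoSecrets(event: AppEvent): void {
  const found = findSecrets(event.data);
  if (found.length > 0) {
    const where = found.map((f) => `${f.path} (${f.reason})`).join(', ');
    throw new Error(`refusing to send ${event.name}: ${where}`);
  }
}

// Hypothetical wrapper: pass in the real sender, get back a checked one.
function guardedSend<T>(send: (e: AppEvent) => Promise<T>) {
  return async (event: AppEvent): Promise<T> => {
    assertNoSecrets(event);
    return send(event);
  };
}

// Constructed payloads mirroring the before/after shapes in the PR description.
const base = { userId: 'u1', githubHandle: 'octocat', githubId: 1 };
const beforeFix: AppEvent = { name: 'audit/run', data: { ...base, accessToken: 'gho_' + 'A'.repeat(36) } };
const afterFix: AppEvent = { name: 'audit/run', data: { ...base, installationId: 42 } };
const nested: AppEvent = { name: 'audit/run', data: { ...base, meta: { note: 'gho_' + 'B'.repeat(36) } } };
```

The key-name check catches the field regardless of its value, while the value pattern catches a token placed under an innocuous key or nested inside another object.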