OAuth state cookie is shared across providers and tabs, causing authentication flow corruption #488

@Ridanshi

Summary

OAuth state management relies on a shared state cookie that can be overwritten by concurrent authentication attempts.

Opening multiple OAuth flows simultaneously can invalidate earlier flows and cause authentication failures.

Affected Files

  • auth.ts
  • oauth.ts

Root Cause

The OAuth state value is stored in a shared cookie without isolation by provider or authentication attempt.

Starting a second OAuth flow replaces the previous state value.

When the first flow returns, state validation fails because the stored value no longer matches.

Reproduction

  1. Open GitHub OAuth in one tab.
  2. Before completing it, open Google OAuth in another tab.
  3. Complete the first OAuth flow.
  4. Observe state validation failures or incorrect authentication behavior.

Expected Behavior

Independent OAuth flows should maintain isolated state values.

Actual Behavior

Concurrent authentication attempts overwrite one another.

Why This Is Difficult To Detect

Single-tab testing behaves correctly.

The issue appears only under realistic multi-tab usage.

Production Impact

  • Failed logins
  • Invalid OAuth callbacks
  • User confusion
  • Authentication instability

Suggested Fix

Scope OAuth state storage by provider and authentication attempt.

Severity

High
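The suggested fix, sketched as an added example that is not part of the original issue and not the project's own code. It models the browser's cookie jar as a `Map` and contrasts the shared-cookie pattern with state scoped by provider and attempt; every function name, the cookie names and the `attemptId.nonce` state format are assumptions made for illustration.

```typescript
// Added illustration: names are hypothetical, not taken from auth.ts or oauth.ts.
// The Map stands in for the browser's cookie jar, which every tab shares.
type CookieJar = Map<string, string>;
const SHARED_COOKIE = "oauth_state";

// Pattern described in the issue: one cookie name for every provider and tab.
function beginShared(jar: CookieJar): string {
  const state = crypto.randomUUID();
  jar.set(SHARED_COOKIE, state); // a second flow overwrites the first
  return state; // sent to the provider as the `state` parameter
}

function finishShared(jar: CookieJar, returnedState: string): boolean {
  const expected = jar.get(SHARED_COOKIE);
  jar.delete(SHARED_COOKIE);
  return expected !== undefined && expected === returnedState;
}

// Scoped pattern: one cookie per provider and per authentication attempt.
const cookieName = (provider: string, attemptId: string): string =>
  `oauth_state.${provider}.${attemptId}`;

function beginScoped(jar: CookieJar, provider: string): string {
  const attemptId = crypto.randomUUID();
  const nonce = crypto.randomUUID();
  jar.set(cookieName(provider, attemptId), nonce);
  return `${attemptId}.${nonce}`; // attempt id rides in `state` so the callback finds its own cookie
}

function finishScoped(jar: CookieJar, provider: string, returnedState: string): boolean {
  // Strict format check: only two UUID-shaped parts may select a cookie name.
  const m = /^([0-9a-f-]{36})\.([0-9a-f-]{36})$/.exec(returnedState);
  if (!m) return false;
  const [, attemptId = "", nonce = ""] = m;
  const name = cookieName(provider, attemptId);
  const expected = jar.get(name);
  jar.delete(name); // single use: a replayed callback fails
  return expected !== undefined && expected === nonce;
}

// Constructed scenario following the reproduction steps: GitHub, then Google, then finish GitHub.
function reproduce(): { shared: boolean; scoped: boolean; replay: boolean } {
  const sharedJar: CookieJar = new Map();
  const first = beginShared(sharedJar);
  beginShared(sharedJar); // second tab starts before the first completes
  const scopedJar: CookieJar = new Map();
  const github = beginScoped(scopedJar, "github");
  const google = beginScoped(scopedJar, "google");
  const scoped = finishScoped(scopedJar, "github", github) && finishScoped(scopedJar, "google", google);
  return { shared: finishShared(sharedJar, first), scoped, replay: finishScoped(scopedJar, "github", github) };
}
```

In a real handler the per-attempt cookies would also need a short expiry so abandoned attempts do not accumulate in the browser.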
