
feat(auth): add Zod validation for OAuth callback endpoints#593

Open
ramnnn2006 wants to merge 2 commits into Dev-Card:main from ramnnn2006:fix/oauth-callback-zod-validation

Conversation

@ramnnn2006

Contributor

Summary

Adds Zod validation to /auth/github/callback and /auth/google/callback so code and state are validated before any token exchange or DB calls happen. Previously there were scattered manual `if (!code)` checks; this replaces them with a single safeParse at the top of each handler.

Closes #539


Type of Change

  • Bug fix
  • New feature
  • Refactor (no functional change)
  • UI / Design change
  • Tests only
  • Documentation
  • Infrastructure / DevOps
  • Security

What Changed

  • Added oauthCallbackSchema to auth.validation.ts with code and state as required non-empty strings
  • Updated both callback handlers in auth.ts to use `safeParse` in place of the manual guards
  • Added auth-callback.test.ts with 14 tests covering missing/empty code, missing/empty state, no cookie, and cookie mismatch for both endpoints

How to Test

  1. Run pnpm -r run test — 14 new tests in `auth-callbac
  2. Hit GET /auth/github/callback with no code param — expect 400 with Invalid callback parameters
  3. Hit with valid code and state but no oauth_state cookie; expect `Invalid or missing OAuth state — possible CSRF attack`

Checklist

  • My code follows the project's coding style (`pnpm -
  • TypeScript compiles without errors (pnpm -r run typecheck).
  • I have added or updated tests for the changes I made.
  • All tests pass locally (pnpm -r run test).
  • I have updated documentation where necessary.
  • No new console.log or debug statements left in the code.
  • Breaking changes are documented in this PR description.

Screenshots / Recordings

N/A

Validates code and state query params in /auth/github/callback and
/auth/google/callback before any token exchange or DB work happens.
Adds oauthCallbackSchema to validators.ts and tests covering missing/
empty code, missing/empty state, and state cookie mismatch scenarios.
Copilot AI review requested due to automatic review settings June 17, 2026 09:38
@vercel

vercel Bot commented Jun 17, 2026


@ramnnn2006 is attempting to deploy a commit to the Prashantkumar Khatri's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added the backend and gssoc:approved labels (gssoc:approved: Required label for every approved PR. Gives the base +50 points and enables contribution tracking.) Jun 17, 2026
@github-actions


Hi @ramnnn2006,

Thanks for opening this pull request.

This PR has been automatically classified based on the files modified.

Applied Labels

  • gssoc:approved
  • backend

Primary Review Area

  • backend

Reviewer

@Harxhit has been identified as the primary reviewer for this pull request.

If you have any questions regarding the affected area or implementation details, feel free to reach out to the assigned reviewer.

Thank you for your contribution!

Copilot AI left a comment

Contributor


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds Zod-based validation for OAuth callback query parameters (GitHub + Google) and introduces tests to ensure invalid callback requests fail early with consistent 400 responses.

Changes:

  • Introduced oauthCallbackSchema to validate code and state on OAuth callbacks.
  • Updated GitHub/Google callback routes to use safeParse() and return structured validation errors.
  • Added Vitest coverage for invalid callback parameter and OAuth state-cookie scenarios.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

Reviewed files
  • apps/backend/src/validations/auth.validation.ts: Adds a Zod schema for OAuth callback query params.
  • apps/backend/src/routes/auth.ts: Uses the new schema to validate callback querystrings and standardize 400 responses.
  • apps/backend/src/tests/auth-callback.test.ts: Adds regression tests for Zod validation + state cookie enforcement.
Comments suppressed due to low confidence (1)

apps/backend/src/validations/auth.validation.ts:1

  • Schema naming is inconsistent (oAuthStartSchema vs oauthCallbackSchema). Standardizing on a single convention (e.g., oauthStartSchema/oauthCallbackSchema or oAuthStartSchema/oAuthCallbackSchema) will make imports and discoverability more predictable.
import { z } from 'zod';


Comment on lines +17 to +20
export const oauthCallbackSchema = z.object({
code: z.string().min(1, 'Authorization code is required'),
state: z.string().min(1, 'State parameter is required'),
}); No newline at end of file
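Review bot: `min(1)` on lines +17 to +20 still accepts a whitespace-only `code` or `state` (`'   '` has length 3), so padded values pass the schema and only fail later, inside the token exchange or the cookie comparison; chain `.trim()` before `.min(1)` (`code: z.string().trim().min(1, 'Authorization code is required')`, same for `state`), which the follow-up commit on this PR does. The file also ends without a trailing newline.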
Comment thread apps/backend/src/routes/auth.ts Outdated
Comment on lines +101 to +102
app.get('/github/callback', async (request: FastifyRequest<{ Querystring: OAuthCallbackQuery }>, reply: FastifyReply) => {
//TODO: Add zod validation here
const { code, state } = request.query;
const parsed = oauthCallbackSchema.safeParse(request.query);
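Review bot: the `//TODO: Add zod validation here` comment and the `const { code, state } = request.query;` destructuring at lines +101 to +102 are stale now that `safeParse` follows them: the values are read from the raw query before validation, and the handler declares `const { code, state }` again from `parsed.data` a few lines below, which is a redeclaration in the same block. Drop both lines so the only source of `code` and `state` is the parsed result.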
Comment thread apps/backend/src/routes/auth.ts Outdated
Comment on lines +102 to +106
const parsed = oauthCallbackSchema.safeParse(request.query);
if (!parsed.success) {
return reply.status(400).send({ error: 'Invalid callback parameters', details: parsed.error.flatten() });
}
const { code, state } = parsed.data;
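Review bot: the 400 at lines +102 to +106 only establishes that `code` and `state` are non-empty strings; the CSRF property rests on the comparison of `state` with the `oauth_state` cookie that the new tests exercise, so that comparison must still run after this block and before the token exchange, should use a constant-time equality (`crypto.timingSafeEqual` with a length check first), and the cookie should be cleared once consumed so the same callback URL cannot be replayed. `parsed.error.flatten()` carries only Zod's messages, not the submitted values, so it does not echo attacker input; since the callback is a browser redirect target, though, consider whether a raw JSON body is what an end user should land on.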
@github-actions

github-actions Bot commented Jun 17, 2026

Copy link
Copy Markdown

CI — All Checks Passed

Backend — PASS

Check Result
Lint PASS
Test PASS
Typecheck PASS

Mobile — SKIP

Check Result
Lint -
Test -

Web — SKIP

Check Result
Build -

Last updated: Wed, 17 Jun 2026 09:42:47 GMT

- rename oauthCallbackSchema to oAuthCallbackSchema to match naming convention
- add .trim() to code and state fields to reject whitespace-only values
- export OAuthCallbackQuery type from auth.validation.ts and remove duplicate local interface
@ramnnn2006

Copy link
Copy Markdown
Contributor Author

@Harxhit could you check? I've resolved the conflicts now!


Labels

backend, gssoc:approved (Required label for every approved PR. Gives the base +50 points and enables contribution tracking.)


Development

Successfully merging this pull request may close these issues.

Add Zod Validation for OAuth Callback Endpoints

2 participants