feat: oauth login allows 10s verification window

Author: Junyi-99

internal/api/auth/oauth.go

@@ -57,16 +57,19 @@ func (h *OAuthHandler) OAuthStatus(c *gin.Context) {
 		c.JSON(http.StatusAccepted, gin.H{"error": "not_found"})
 		return
 	}
-	if cb.Used {
+
+	// Already used and outside the 10-second reuse window
+	if cb.Used && !h.OAuthService.IsWithinReuseWindow(cb) {
 		c.JSON(http.StatusGone, gin.H{"error": "used"})
 		return
 	}
 
-	// update used to true
-	err = h.OAuthService.OAuthMakeUsed(ctx, cb)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "update_used_failed"})
-		return
+	// Mark as used (first use)
+	if !cb.Used {
+		if err := h.OAuthService.OAuthMakeUsed(ctx, cb); err != nil {
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "update_used_failed"})
+			return
+		}
 	}
 
 	c.JSON(http.StatusOK, gin.H{"code": cb.Code, "access_token": cb.AccessToken})

internal/models/oauth.go

@@ -1,11 +1,14 @@
 package models
 
+import "go.mongodb.org/mongo-driver/v2/bson"
+
 type OAuth struct {
 	BaseModel   `bson:",inline"`
-	Code        string `bson:"code,omitempty"` // OAuth code (authorization code) in Google's implementation is single-use, short-lived, and temporarily unique.
-	AccessToken string `bson:"access_token,omitempty"`
-	State       string `bson:"state,omitempty"`
-	Used        bool   `bson:"used,omitempty"`
+	Code        string        `bson:"code,omitempty"` // OAuth code (authorization code) in Google's implementation is single-use, short-lived, and temporarily unique.
+	AccessToken string        `bson:"access_token,omitempty"`
+	State       string        `bson:"state,omitempty"`
+	Used        bool          `bson:"used,omitempty"`
+	UsedAt      bson.DateTime `bson:"used_at,omitempty"` // Timestamp when the record was first marked as used, allows 10s reuse window
 }
 
 func (o OAuth) CollectionName() string {

internal/services/oauth.go

@@ -102,9 +102,22 @@ func (s *OAuthService) OAuthMakeUsed(ctx context.Context, cb *models.OAuth) erro
 	update := bson.M{
 		"$set": bson.M{
 			"used":       true,
+			"used_at":    bson.NewDateTimeFromTime(now),
 			"updated_at": bson.NewDateTimeFromTime(now),
 		},
 	}
 	_, err := s.oauthCollection.UpdateOne(ctx, bson.M{"_id": cb.ID}, update)
 	return err
 }
+
+// OAuthReuseWindow is the time window (10 seconds) during which a used OAuth record can still be reused
+const OAuthReuseWindow = 10 * time.Second
+
+// IsWithinReuseWindow checks if the OAuth record was used within the reuse window
+func (s *OAuthService) IsWithinReuseWindow(cb *models.OAuth) bool {
+	if !cb.Used || cb.UsedAt == 0 {
+		return false
+	}
+	usedAt := cb.UsedAt.Time()
+	return time.Since(usedAt) <= OAuthReuseWindow
+}