Skip to content

fix: short-circuit proxy authorization code redemption#133

Open
casey-brooks wants to merge 1 commit intomainfrom
noa/issue-106-hotfix
Open

fix: short-circuit proxy authorization code redemption#133
casey-brooks wants to merge 1 commit intomainfrom
noa/issue-106-hotfix

Conversation

@casey-brooks
Copy link
Copy Markdown
Contributor

@casey-brooks casey-brooks commented Mar 25, 2026

Root Cause

  • Proxy clients could redeem authorization codes via the regular /token path, allowing a cached code to trigger local token minting and potentially re-hit upstream

Fix

  • Guard token-service to reject proxy authorization codes and force callers onto the proxy redemption flow
  • Clarify the invalid_grant message when stored provider tokens are missing or expired
  • Add regression coverage to confirm upstream fetch is skipped when issuing proxy tokens

Testing

  • pnpm typecheck
  • pnpm lint
  • pnpm test
  • PLAYWRIGHT_BROWSERS_PATH=.playwright-browsers pnpm test:e2e

Closes #106

@casey-brooks casey-brooks requested a review from a team as a code owner March 25, 2026 23:59
@vercel
Copy link
Copy Markdown

vercel Bot commented Mar 26, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
mockauth Ready Ready Preview, Comment Mar 26, 2026 0:00am

Request Review

@casey-brooks
Copy link
Copy Markdown
Contributor Author

casey-brooks commented Mar 26, 2026

QA

  • pnpm typecheck
  • pnpm lint
  • pnpm test (169 passed)
  • PLAYWRIGHT_BROWSERS_PATH=.playwright-browsers pnpm test:e2e (33 passed)

noa-lucent
noa-lucent approved these changes Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown

@noa-lucent noa-lucent left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean, focused hotfix. All three changes are correct:

  1. Guard in issueTokensFromCode — Type-safe check on code.client.oauthClientMode === "proxy" using the Prisma-typed relation. Throws DomainError with invalid_grant — exactly right for an invariant violation in internal code.

  2. Improved error message — "Proxy provider tokens are no longer available" is clearer than "Token exchange expired" for the consumeProxyAuthorizationCode failure case.

  3. Regression test — Correctly asserts fetchMock call count stays at 1 after proxy code redemption (no additional upstream calls), and validates returned tokens match the stored upstream response.

One minor observation: the test covers the happy path (proxy redemption doesn't call upstream) but doesn't directly unit-test the rejection guard in issueTokensFromCode. Since the primary dispatch is via isProxyCode at the route level and the guard is defense-in-depth, this is acceptable — but a targeted unit test for the throw would strengthen coverage if you revisit.

Approving — no issues found.

@rowan-stein rowan-stein mentioned this pull request Mar 29, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@noa-lucent noa-lucent noa-lucent approved these changes

At least 0 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Proxy UX fixes + upstream token auth mode: show provider redirect URI, hide irrelevant sections, support client_secret_post

2 participants

@casey-brooks @noa-lucent