Stored GitHub authorization scopes can become stale and diverge from actual granted permissions #501

@Ridanshi

Description

Summary

GitHub integration state stores authorization scopes independently of the currently granted GitHub token.

When permissions change, stored scope information can become outdated and no longer reflect actual capabilities.

Affected Files

  • auth.ts
  • connect.ts
  • githubService.ts

Root Cause

Scope information is persisted separately from token validation.

Subsequent permission changes on GitHub are not always reflected in stored integration state.

This creates discrepancies between recorded and actual permissions.

Reproduction

  1. Connect a GitHub account.
  2. Modify granted scopes through GitHub.
  3. Return to DevCard.
  4. Inspect stored scope information.
  5. Compare against actual token permissions.
  6. Observe mismatches.

Expected Behavior

Stored scopes should accurately reflect current token permissions.

Actual Behavior

Scope information can become stale.

Why This Is Difficult To Detect

The issue appears only after permission changes occur outside the application.

Production Impact

  • Incorrect capability checks
  • Broken integrations
  • Misleading UI state
  • Authorization inconsistencies

Suggested Fix

Refresh scope metadata from the active token and validate permissions periodically.

Severity

Medium
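An added example of the suggested fix (not DevCard's own code, nor any of the files listed above): re-derive the scope list from the live token using the X-OAuth-Scopes response header that GitHub attaches to API responses for classic OAuth tokens, compare it with the stored list (steps 4 and 5 of the reproduction), and flag drift or revocation. The names StoredIntegration, refreshScopes, needsRefresh and the stub fakeGitHub are assumptions for this example.

```typescript
// Added example (not DevCard's own code). GitHub reports a classic OAuth token's
// granted scopes in the X-OAuth-Scopes response header of any API call; comparing
// that header with the stored scope list reveals drift after out-of-band changes.
// Caveat: fine-grained PATs and GitHub App tokens do not carry this header, so an
// empty header must not be read as "no permissions" for those token types.
export interface StoredIntegration {
  token: string;
  scopes: string[];   // scopes recorded when the account was connected
  checkedAt: number;  // epoch ms of the last validation against GitHub
}
export interface ScopeDrift { missing: string[]; extra: string[] }
// Minimal fetch-like shape so the example runs offline against a constructed stub.
export type HeaderFetch = (url: string, init: { headers: Record<string, string> }) =>
  Promise<{ status: number; headers: { get(name: string): string | null } }>;
export function parseScopesHeader(value: string | null): string[] {
  if (!value) return [];
  return value.split(",").map((s) => s.trim()).filter((s) => s.length > 0).sort();
}
// missing = stored but no longer granted; extra = granted but never recorded.
export function diffScopes(stored: string[], live: string[]): ScopeDrift {
  const liveSet = new Set(live), storedSet = new Set(stored);
  return {
    missing: stored.filter((s) => !liveSet.has(s)).sort(),
    extra: live.filter((s) => !storedSet.has(s)).sort(),
  };
}
// Periodic validation: true when the record is older than maxAgeMs.
export function needsRefresh(rec: StoredIntegration, maxAgeMs: number, now: number): boolean {
  return now - rec.checkedAt > maxAgeMs;
}
// Re-derive scopes from the live token and return the reconciled record plus the drift.
export async function refreshScopes(rec: StoredIntegration, fetchFn: HeaderFetch, now: number) {
  const res = await fetchFn("https://api.github.com/user", {
    headers: { Authorization: `Bearer ${rec.token}` },
  });
  // 401 means the token itself was revoked or expired: stored scopes are void.
  const live = res.status === 401 ? [] : parseScopesHeader(res.headers.get("x-oauth-scopes"));
  return { record: { ...rec, scopes: live, checkedAt: now }, drift: diffScopes(rec.scopes, live), revoked: res.status === 401 };
}
// Constructed stub standing in for api.github.com: token "good" now has repo+read:user, any other token was revoked.
export const fakeGitHub: HeaderFetch = async (_url, init) => {
  const hdr = (v: string | null) => ({ get: (n: string) => (n.toLowerCase() === "x-oauth-scopes" ? v : null) });
  return init.headers.Authorization === "Bearer good" ? { status: 200, headers: hdr("repo, read:user") } : { status: 401, headers: hdr(null) };
};
```

Wiring needsRefresh into the existing integration loader (or a scheduled job) and persisting the returned record on every call is what keeps the stored scopes from going stale.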
