@shuhuiluo
Collaborator

@shuhuiluo shuhuiluo commented Jan 18, 2026

  • Use atomic consumeOAuthState() to delete+return state in one operation, preventing race conditions where parallel requests could both succeed
  • Make redirectUrl and encryptionKey readonly
  • Make cleanupExpiredStates private (internal implementation)
  • Fix eventTypes in preview script mock data (string → array)
  • Bump prettier to 3.8.0

Summary by CodeRabbit

  • New Features

    • Dynamic PR anchor updates feature is now enabled.
  • Chores

    • Updated Prettier to v3.8.0.

- Use atomic consumeOAuthState() to delete+return state in one operation,
  preventing race conditions where parallel requests could both succeed
- Make redirectUrl and encryptionKey readonly
- Make cleanupExpiredStates private (internal implementation)
- Fix eventTypes in preview script mock data (string → array)
- Bump prettier to 3.8.0

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@coderabbitai
coderabbitai bot commented Jan 18, 2026

Walkthrough

This PR updates project documentation, dependencies, and internal service logic. The README marks "Dynamic PR anchor updates" as implemented. Prettier is bumped from ^3.7.4 to ^3.8.0. The OAuth preview script's mock data changes eventTypes from a string to an array of strings, with corresponding public type updates. The GitHub OAuth service refactors state handling to use an atomic consumeOAuthState() method, makes class fields readonly, and changes cleanupExpiredStates to private visibility.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly addresses the main objectives of the pull request: preventing OAuth state replay attacks (via atomic consumeOAuthState) and fixing preview script types (eventTypes change from string to array). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@shuhuiluo shuhuiluo merged commit 7609843 into main Jan 18, 2026
2 checks passed
@shuhuiluo shuhuiluo deleted the fix/oauth-state-race-and-preview-types branch January 18, 2026 09:05
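
The race named in the PR description and the walkthrough, as an added TypeScript example that is not the project's code: two callbacks carrying the same state value are interleaved step by step, first with a check-then-delete handler and then with a consume-first handler. Only the name consumeOAuthState comes from the PR; its body here, the StateStore class, the generator-based handlers and the scheduler are assumptions made for illustration.

```typescript
// Added illustration: only the name consumeOAuthState comes from the PR; all else is hypothetical.
type Handler = Generator<void, boolean, void>;
class StateStore {
  private readonly states = new Map<string, { userId: string }>();
  put(state: string, userId: string): void { this.states.set(state, { userId }); }
  get(state: string) { return this.states.get(state); }
  delete(state: string): void { this.states.delete(state); }
  // Lookup and delete with no yield point in between: at most one caller gets the entry.
  consumeOAuthState(state: string) {
    const entry = this.states.get(state);
    if (entry) this.states.delete(state);
    return entry;
  }
}

// Each `yield` stands for an awaited I/O call, where another request may run.
function* checkThenDelete(store: StateStore, state: string): Handler {
  const entry = store.get(state); // check
  yield;                          // e.g. token exchange in flight
  if (!entry) return false;
  store.delete(state);            // delete happens too late
  return true;
}

function* consumeFirst(store: StateStore, state: string): Handler {
  const entry = store.consumeOAuthState(state);
  yield;
  return entry !== undefined;
}

// Round-robin scheduler that forces the two callbacks to interleave step by step.
function runInterleaved(handlers: Handler[]): boolean[] {
  const results: boolean[] = handlers.map(() => false);
  let pending = handlers.map((h, i) => ({ h, i }));
  while (pending.length > 0) {
    pending = pending.filter(({ h, i }) => {
      const r = h.next();
      if (r.done) results[i] = r.value;
      return !r.done;
    });
  }
  return results;
}
// Number of callbacks accepted when the same state value is submitted twice in parallel.
function acceptedCallbacks(make: (s: StateStore, st: string) => Handler): number {
  const store = new StateStore();
  const state = "constructed-state-123"; // constructed sample value
  store.put(state, "user-1");
  return runInterleaved([make(store, state), make(store, state)]).filter(Boolean).length;
}
```

With a database-backed store the same property needs a single statement or transaction that deletes and returns the row, since an in-process method cannot serialize requests across instances.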