fix: prevent OAuth state replay attacks and fix preview script types

README.md

@@ -248,7 +248,7 @@ The bot supports two delivery modes:
 ### Event Organization
 
 - [x] Thread-based event grouping - Group related events (PR + commits + CI) in threads
-- [ ] **Dynamic PR anchor updates** - Update anchor message when PR metadata changes (title, state, labels, assignees, reviews, CI)
+- [x] **Dynamic PR anchor updates** - Update anchor message when PR metadata changes (title, state, labels, assignees, reviews, CI)
 - [ ] **Mentions support** - Convert GitHub @mentions to Towns @mentions when users are linked
 - [ ] **Label filters** - Filter subscriptions by PR/issue labels (`--labels bug,security`)
 - [ ] Event summaries - Digest multiple events into single update message

package.json

@@ -50,7 +50,7 @@
     "eslint-plugin-import-x": "^4.16.1",
     "eslint-plugin-prettier": "^5.5.5",
     "eslint-plugin-tsdoc": "^0.5.0",
-    "prettier": "^3.7.4",
+    "prettier": "^3.8.0",
     "prettier-plugin-ember-template-tag": "^2.1.2",
     "typescript": "~5.8.3",
     "typescript-eslint": "^8.53.0"

scripts/preview-oauth-pages.ts

@@ -25,13 +25,13 @@ const mockResults: Record<string, SubscribeResult> = {
     success: true,
     deliveryMode: "webhook",
     repoFullName: "HereNotThere/bot-github",
-    eventTypes: "pr,issues,commits,releases",
+    eventTypes: ["pr", "issues", "commits", "releases"],
   },
   "polling-success": {
     success: true,
     deliveryMode: "polling",
     repoFullName: "HereNotThere/bot-github",
-    eventTypes: "pr,issues,commits",
+    eventTypes: ["pr", "issues", "commits"],
     installUrl:
       "https://github.com/apps/towns-github-bot-test/installations/new/permissions?target_id=98539902",
   },
@@ -41,7 +41,7 @@ const mockResults: Record<string, SubscribeResult> = {
     installUrl:
       "https://github.com/apps/towns-github-bot-test/installations/new/permissions?target_id=98539902",
     repoFullName: "HereNotThere/bot-github",
-    eventTypes: "pr,issues,commits",
+    eventTypes: ["pr", "issues", "commits"],
     error: "Private repository requires GitHub App installation",
   },
   "subscription-error": {

src/services/github-oauth-service.ts

@@ -67,8 +67,8 @@ export enum TokenStatus {
  */
 export class GitHubOAuthService {
   private githubApp: GitHubApp;
-  private redirectUrl: string;
-  private encryptionKey: Buffer;
+  private readonly redirectUrl: string;
+  private readonly encryptionKey: Buffer;
   /** In-flight refresh promises to prevent concurrent refresh race conditions */
   private refreshPromises = new Map<string, Promise<string | null>>();
 
@@ -150,21 +150,15 @@ export class GitHubOAuthService {
     code: string,
     state: string
   ): Promise<OAuthCallbackResult> {
-    // Validate state and get stored data
-    const [stateData] = await db
-      .select()
-      .from(oauthStates)
-      .where(eq(oauthStates.state, state))
-      .limit(1);
+    // Atomically consume state to prevent race conditions and replay attacks
+    const stateData = await this.consumeOAuthState(state);
 
     if (!stateData) {
       throw new Error("Invalid or expired state parameter");
     }
 
-    // Check expiration
+    // Check expiration (state already deleted, just need to reject)
     if (new Date() > stateData.expiresAt) {
-      // Clean up expired state
-      await this.deleteOAuthState(state);
       throw new Error("OAuth state expired");
     }
 
@@ -222,9 +216,6 @@ export class GitHubOAuthService {
         set: tokenFields,
       });
 
-    // Clean up used state
-    await this.deleteOAuthState(state);
-
     // Validate redirect data from database
     const actionResult = RedirectActionSchema.safeParse(
       stateData.redirectAction
@@ -390,12 +381,18 @@ export class GitHubOAuthService {
   }
 
   /**
-   * Delete OAuth state record
+   * Atomically consume OAuth state record (delete and return)
+   * Prevents race conditions where two requests could both succeed
    *
    * @param state - OAuth state token
+   * @returns The deleted state record, or undefined if not found
    */
-  private async deleteOAuthState(state: string): Promise<void> {
-    await db.delete(oauthStates).where(eq(oauthStates.state, state));
+  private async consumeOAuthState(state: string) {
+    const [deleted] = await db
+      .delete(oauthStates)
+      .where(eq(oauthStates.state, state))
+      .returning();
+    return deleted;
   }
 
   /**
@@ -534,7 +531,7 @@ export class GitHubOAuthService {
    *
    * @returns Number of expired states deleted
    */
-  async cleanupExpiredStates(): Promise<number> {
+  private async cleanupExpiredStates(): Promise<number> {
     const now = new Date();
 
     try {