Make authorization code redemption single-use and atomic #78

@markwylde

Description

Summary

Authorization codes are checked and consumed non-atomically in the token exchange flow.

Evidence

  • packages/api/src/controllers/user/token.ts loads the code, issues tokens, and only then marks the code as consumed.
  • No transaction protects the consumed check + state transition.

Security Impact

Concurrent redemption requests can race and mint multiple token sets from a single authorization code, breaking single-use guarantees.

Required Fix

  • Consume or delete the authorization code in a transaction before issuing any tokens.
  • Ensure only one request can transition a code from active to consumed.
  • Fail all subsequent redemption attempts deterministically.

Acceptance Criteria

  • Concurrent redemption attempts yield exactly one success.
  • No tokens are minted after a code is already consumed.
  • Tests cover race/concurrency scenarios.
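The race described under Security Impact and the consume-before-mint fix from Required Fix, as an added example that is not the project's code: an in-memory Map stands in for the database, the awaited `issueTokens` is the point where concurrent requests interleave, and `countSuccesses` is the shape of concurrency test the acceptance criteria ask for. The store layout and all function names are assumptions.

```typescript
// Added example, not code from packages/api/src/controllers/user/token.ts.
type AuthCode = { code: string; userId: string; consumed: boolean };

// Constructed in-memory table with one unconsumed authorization code.
const makeStore = (): Map<string, AuthCode> =>
  new Map([["abc123", { code: "abc123", userId: "u1", consumed: false }]]);

// Stand-in for token minting. The await yields to the event loop, which is
// exactly where a second redemption request gets to run.
async function issueTokens(userId: string): Promise<{ access: string }> {
  await new Promise((resolve) => setTimeout(resolve, 5));
  return { access: `token-for-${userId}` };
}

// Vulnerable order: check, mint, then mark consumed. Every request that
// arrives before the first one reaches the final line passes the check.
async function redeemRacy(store: Map<string, AuthCode>, code: string) {
  const row = store.get(code);
  if (!row || row.consumed) return null;        // check
  const tokens = await issueTokens(row.userId); // interleaving point
  row.consumed = true;                          // state transition, too late
  return tokens;
}

// Fixed order: transition the code from active to consumed in one atomic
// step with no await in between; only the winner goes on to mint tokens.
// Against a SQL store the same idea is a single
// UPDATE ... SET consumed = true WHERE code = $1 AND consumed = false RETURNING ...
function consumeAtomically(store: Map<string, AuthCode>, code: string): AuthCode | null {
  const row = store.get(code);
  if (!row || row.consumed) return null;
  row.consumed = true;
  return row;
}

async function redeemAtomic(store: Map<string, AuthCode>, code: string) {
  const row = consumeAtomically(store, code);
  if (!row) return null; // every loser fails deterministically, no tokens
  return issueTokens(row.userId);
}

// Concurrency test: fire n redemptions of the same code at once and count
// how many minted tokens. Single-use means the answer must be exactly 1.
async function countSuccesses(
  redeem: (s: Map<string, AuthCode>, c: string) => Promise<unknown>,
  n = 10,
): Promise<number> {
  const store = makeStore();
  const results = await Promise.all(Array.from({ length: n }, () => redeem(store, "abc123")));
  return results.filter((r) => r !== null).length;
}
```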

Source

Security Review dated 2026-02-15, Finding 2 (High).

Metadata

Labels

security:high (High severity security issue)