
fix(api): enforce oidc nonce binding in authorization code flow#82

Merged
markwylde merged 3 commits into main from fix/oidc-nonce-code-flow-binding
Feb 16, 2026

Conversation

@markwylde
Member

Summary

  • persist nonce from /authorize into pending_auth and auth_codes
  • emit nonce claim in user id_token during authorization code exchange
  • keep /token standards-compliant by sourcing nonce from stored authorization state (not token request input)
  • add API-level nonce persistence/claim tests
  • add an end-to-end test-suite spec covering /authorize -> /authorize/finalize -> /token nonce behavior

Changes

  • API
    • schema + migration for pending_auth.nonce and auth_codes.nonce
    • wire nonce through authorize and authorize finalize flows
    • include stored auth-code nonce in ID token claim generation
    • extend API tests for token schema/claims and persistence paths
  • Test suite
    • new Playwright API spec: tests/api/oidc-nonce-code-flow.spec.ts

Validation

  • npm run tidy
  • npm run build
  • npm run test -w @DarkAuth/api -- src/controllers/token.test.ts src/models/noncePersistence.test.ts
  • cd packages/test-suite && PW_REPORTER=dot PW_ARTIFACTS=off npx playwright test tests/api/oidc-nonce-code-flow.spec.ts --reporter=dot
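The /authorize -> /authorize/finalize -> /token nonce path the summary above describes, as an added TypeScript illustration that is not DarkAuth's own code: in-memory maps stand in for the pending_auth and auth_codes tables, and every name except buildUserIdTokenClaims is an assumption.

```typescript
// Added illustration, not DarkAuth's code: in-memory stand-ins for the
// pending_auth and auth_codes tables; names other than buildUserIdTokenClaims are assumptions.
type PendingAuth = { clientId: string; redirectUri: string; nonce?: string };
type AuthCode = { clientId: string; subject: string; nonce?: string };
const pendingAuth = new Map<string, PendingAuth>();
const authCodes = new Map<string, AuthCode>();
let counter = 0;
const newId = (prefix: string): string => `${prefix}_${++counter}`;

// /authorize: the nonce arrives with the authorization request and is stored with the pending auth.
function authorize(req: { client_id: string; redirect_uri: string; nonce?: string }): string {
  const requestId = newId("req");
  pendingAuth.set(requestId, { clientId: req.client_id, redirectUri: req.redirect_uri, nonce: req.nonce });
  return requestId;
}

// /authorize/finalize: after the user authenticates, the stored nonce moves onto the auth code.
function authorizeFinalize(requestId: string, subject: string): string {
  const pending = pendingAuth.get(requestId);
  if (!pending) throw new Error("unknown pending authorization");
  pendingAuth.delete(requestId);
  const code = newId("code");
  authCodes.set(code, { clientId: pending.clientId, subject, nonce: pending.nonce });
  return code;
}

// ID token claims: the nonce claim is emitted only when a nonce was stored with the code.
function buildUserIdTokenClaims(stored: AuthCode, issuer: string): Record<string, unknown> {
  const claims: Record<string, unknown> = { iss: issuer, sub: stored.subject, aud: stored.clientId };
  if (stored.nonce !== undefined) claims.nonce = stored.nonce;
  return claims;
}

// /token: the nonce comes from the stored authorization state; a nonce in the token
// request body is not an input and can neither override nor inject the claim.
function token(req: { grant_type: string; code: string; client_id: string; nonce?: string }) {
  const stored = authCodes.get(req.code);
  if (req.grant_type !== "authorization_code" || !stored || stored.clientId !== req.client_id) {
    throw new Error("invalid_grant");
  }
  authCodes.delete(req.code); // codes are single use
  return { id_token_claims: buildUserIdTokenClaims(stored, "https://issuer.example") };
}

// Relying party side: the nonce in the ID token must equal the one the client generated.
function clientAcceptsIdToken(claims: Record<string, unknown>, expectedNonce: string): boolean {
  return claims.nonce === expectedNonce;
}
```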


Copilot AI left a comment


Pull request overview

This pull request implements OIDC nonce binding in the authorization code flow, enhancing security by preventing replay attacks. The nonce parameter is now persisted from the initial /authorize request through the pending authorization state and authorization code, ultimately being included in the ID token claims during token exchange. Critically, the implementation ensures that nonce values cannot be injected or overridden at the /token endpoint, maintaining the integrity of the OIDC flow.

Changes:

  • Added database schema migration for nonce column in pending_auth and auth_codes tables
  • Wired nonce persistence through the complete authorization code flow (authorize → authorize/finalize → token)
  • Refactored ID token claim generation into a reusable buildUserIdTokenClaims helper function
  • Added comprehensive test coverage including unit tests, model tests, and end-to-end security validation

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.

Summary per file

  • packages/api/drizzle/0008_oidc_nonce_binding.sql: SQL migration adding nonce columns to pending_auth and auth_codes tables
  • packages/api/drizzle/meta/_journal.json: Migration journal entry for the nonce binding migration
  • packages/api/src/db/schema.ts: Schema definitions for nonce columns in both tables
  • packages/api/src/models/authorize.ts: Updated createPendingAuth to accept and persist nonce parameter
  • packages/api/src/models/authCodes.ts: Updated createAuthCode to accept and persist nonce parameter
  • packages/api/src/controllers/user/authorize.ts: Capture nonce from authorization request and pass to pending auth
  • packages/api/src/controllers/user/authorizeFinalize.ts: Propagate nonce from pending auth to authorization code
  • packages/api/src/controllers/user/token.ts: Refactored ID token generation and include stored nonce in claims
  • packages/api/src/models/noncePersistence.test.ts: Unit tests verifying nonce persistence in both models
  • packages/api/src/controllers/token.test.ts: Unit tests for nonce handling in token schema and ID token claims
  • packages/test-suite/tests/api/oidc-nonce-code-flow.spec.ts: End-to-end test validating complete nonce flow and security properties


@markwylde markwylde merged commit e4ec0cd into main Feb 16, 2026
16 checks passed
@markwylde markwylde deleted the fix/oidc-nonce-code-flow-binding branch February 16, 2026 22:08