• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

supabase / auth / 29352689280
72%

Build:
DEFAULT BRANCH: master
Ran 14 Jul 2026 05:16PM UTC
Jobs 1
Files 196
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

14 Jul 2026 05:10PM UTC coverage: 71.703% (+0.3%) from 71.357%
29352689280

push

github

web-flow
fix(oauth): prevent authorization-code replay race at /oauth/token (#2612)

# fix(oauth): prevent authorization-code replay race at `/oauth/token`

## What

Fixes an authorization-code replay race (TOCTOU) in the
`authorization_code` grant at `POST /oauth/token`.

## Why

`handleAuthorizationCodeGrant` read the code
(`FindOAuthServerAuthorizationByCode`) and validated
expiry/client/redirect_uri/PKCE **with no transaction or row lock**,
opening a transaction only later to issue tokens and `Destroy` the code.
Two requests with the same code can both clear validation before either
commits; `tx.Destroy`'s `DELETE` matching 0 rows still commits under
READ COMMITTED — so **both mint a full token set for one single-use
code**, violating RFC 6749 §4.1.2 / PKCE.

The authorize/consent path was hardened in #2512; token-exchange never
got the equivalent locked read-modify-write.

## Change

- Reuse `FindOAuthServerAuthorizationByIDForUpdate` (#2512's `FOR UPDATE
SKIP LOCKED` helper) to lock the row at the top of the issuing
transaction. Concurrent redemptions serialize — the loser skips the
locked row and gets `invalid_grant`. No new model code.
- Propagate `*apierrors.OAuthError` out of the transaction so
`invalid_grant` reaches the client instead of a 500.

## Impact

No schema/API changes. Behavior differs only under concurrent redemption
of the same code.

## Testing

`go build ./...` and `go vet` pass. Reproduction: N concurrent exchanges
of one fresh code behind a start barrier — before, ≥2 responses carried
`access_token`; after, exactly one succeeds and the rest return `400
invalid_grant` (`success <= 1`).

Co-authored-by: Chris Stockton <180184+cstockton@users.noreply.github.com>

7 of 8 new or added lines in 1 file covered. (87.5%)

1 existing line in 1 file now uncovered.

18072 of 25204 relevant lines covered (71.7%)

664.26 hits per line

Uncovered Changes

Lines Coverage ∆ File
1
59.47
12.39% internal/api/oauthserver/handlers.go

Coverage Regressions

Lines Coverage ∆ File
1
59.47
12.39% internal/api/oauthserver/handlers.go
Jobs
ID Job ID Ran Files Coverage
1 29352689280.1 14 Jul 2026 05:16PM UTC 196
71.7
GitHub Action Run
Source Files on build 29352689280
  • Tree
  • List 196
  • Changed 5
  • Source Changed 0
  • Coverage Changed 5
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Repo
  • bdbf01eb on github
  • Prev Build on master (#29343340618)
  • Next Build on master (#29353177623)
  • Delete
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc