
fix: atomic authorization code consumption to prevent race condition (#27441)#28856

Draft
ousamabenyounes wants to merge 1 commit into calcom:main from ousamabenyounes:fix/issue-27441

Conversation

@ousamabenyounes

What does this PR do?

OAuthService.exchangeCodeForTokens had a race condition — two concurrent requests with the same authorization code could both find it valid before either deleted it, violating RFC 6749 Section 4.1.2 (single-use codes).

Changes

  • Added consumeCode method to AccessCodeRepository that wraps findFirst + deleteMany in a Prisma interactive transaction ($transaction)
  • Updated OAuthService.exchangeCodeForTokens to call consumeCode instead of the separate findValidCode + deleteExpiredAndUsedCodes calls
  • Added unit tests verifying atomic code consumption and concurrent-request rejection

Why a transaction

Without the transaction, the following race can occur:

  1. Request A calls findValidCode → finds code → valid
  2. Request B calls findValidCode → finds code → valid (not yet deleted)
  3. Request A calls deleteExpiredAndUsedCodes → deletes code
  4. Request B proceeds with the already-found code → issues tokens

With the transaction, step 2 would either not find the code (serializable) or block until step 3 completes.

Mandatory Tasks (DO NOT REMOVE)

  • I have self-reviewed the code (A decent size PR without self-review might be rejected).
  • I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. N/A.
  • I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

TZ=UTC yarn vitest run packages/features/oauth/services/OAuthService.test.ts
  • 2 tests pass: verifies consumeCode is called atomically and that a null result (consumed by concurrent request) throws invalid_grant

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • My changes generate no new warnings
  • My PR is small and focused

Generated by Claude Code
Vibe coded by ousamabenyounes
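As an added illustration (not code from this PR or from cal.com), the block below replays steps 1-4 of the description deterministically, with an in-memory Map standing in for the Prisma table; the names exchangeNonAtomic, exchangeAtomic, runInterleaved and issuedTokens and the sample code row are constructed for the example. The atomic flow decides on how many rows the delete actually removed, which is the property worth asserting whatever isolation level the database runs at.

```typescript
// Constructed example: an in-memory stand-in for the AccessCode table.
type CodeRow = { code: string; expiresAt: number };
type Table = Map<string, CodeRow>;

// Each request is a generator so a scheduler can pause it between "DB calls".
// It returns the issued token, or null for invalid_grant.
type Request = Generator<string, string | null, void>;

// Pre-fix flow: findValidCode, then a separate delete. The yield between them
// is where a second request can slip in and also see the code as valid.
function* exchangeNonAtomic(db: Table, code: string, now: number): Request {
  const row = db.get(code);
  if (!row || row.expiresAt <= now) return null;
  yield "found-but-not-yet-deleted";
  db.delete(code);
  return `token-for-${code}`;
}

// Post-fix flow: lookup and delete form one uninterruptible unit, and the
// outcome depends on the delete count, not on the earlier lookup.
function* exchangeAtomic(db: Table, code: string, now: number): Request {
  const row = db.get(code);
  const deleted = row && row.expiresAt > now ? (db.delete(code) ? 1 : 0) : 0;
  if (deleted !== 1) return null;
  return `token-for-${code}`;
}

// Round-robin scheduler: A runs to its first pause, then B, then A again...
// which reproduces the ordering 1-4 from the PR description.
function runInterleaved(reqs: Request[]): (string | null)[] {
  const out = new Map<number, string | null>();
  while (out.size < reqs.length) {
    reqs.forEach((g, i) => {
      if (out.has(i)) return;
      const step = g.next();
      if (step.done) out.set(i, step.value);
    });
  }
  return reqs.map((_, i) => out.get(i) ?? null);
}

// Two concurrent exchanges of the same (constructed) code; returns how many tokens were issued.
function issuedTokens(flow: (db: Table, code: string, now: number) => Request): number {
  const db: Table = new Map([["abc123", { code: "abc123", expiresAt: 2_000 }]]);
  const results = runInterleaved([flow(db, "abc123", 1_000), flow(db, "abc123", 1_000)]);
  return results.filter((r) => r !== null).length;
}

console.log(issuedTokens(exchangeNonAtomic), issuedTokens(exchangeAtomic)); // prints "2 1"
```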

…alcom#27441)

Wrap findValidCode + deleteExpiredAndUsedCodes in a Prisma interactive
transaction via a new consumeCode method, ensuring two concurrent token
exchange requests cannot both redeem the same authorization code
(RFC 6749 Section 4.1.2: single-use codes).

Generated by Claude Code
Vibe coded by ousamabenyounes

Co-Authored-By: Claude <noreply@anthropic.com>
@CLAassistant

CLAassistant commented Apr 12, 2026

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions bot added the Low priority Created by Linear-GitHub Sync label Apr 12, 2026