fix: clear stale DCR registration when bound port differs from start port

Gagancreates 2026-05-22 00:08:21 +05:30
parent 4fd613dc5f
commit 12a9eefb69


@ -396,6 +396,16 @@ export async function connectProvider(provider: string, credentials?: { clientId
// Server is bound. Any throw between here and `activeFlow = ...` would
// leak the port — `cancelActiveFlow` only closes it once activeFlow is set.
try {
// TOCTOU guard: resolveStartPort probed the registered port and found it
// free, but the port could have been grabbed between probe and real bind,
// causing fallback to a different port. The cached client_id is registered
// for the old port — clear it so getProviderConfiguration re-registers
// with the actual bound port.
if (!isStaticClient && boundPort !== startPort) {
console.log(`[OAuth] ${provider}: bound port ${boundPort} differs from start port ${startPort}, clearing stale DCR registration`);
await getClientRegistrationRepo().clearClientRegistration(provider);
}
const redirectUri = buildRedirectUri(boundPort);
const config = await getProviderConfiguration(provider, redirectUri, credentials);
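Review bot: The clear in the `boundPort !== startPort` branch only drops the locally cached registration; nothing visible here deregisters the old client_id at the provider, so each port fallback presumably leaves an orphaned dynamic registration whose redirect URI still names the port that another local process now holds. If the provider supports registration management (RFC 7592), deleting the old client before clearing the cache would be cleaner; otherwise document the limit, e.g. `// Local cache only: the previous client_id stays registered at the provider for the old port.` Because an occupied callback port is something an operator should notice, `console.warn` fits this message better than `console.log`. The enclosing `try` and the rest of connectProvider continue outside the hunk, so whether a throw from clearClientRegistration releases the bound server cannot be confirmed from here.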