Bound OAuth state lifetime and replay#222
Conversation
WalkthroughOAuth CSRF state handling now uses a private, bounded store with TTL expiration, capacity eviction, pruning, and atomic one-time consumption. All providers implement the new consumption contract, and the OAuth callback uses it for state verification. ChangesOAuth state consumption
Estimated code review effort: 4 (Complex) | ~45 minutes Possibly related issues Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
|
On CodeRabbit’s OAuth-state churn finding: this is a valid residual availability concern, but intentionally outside this focused lifecycle/memory-safety PR. The deployment throttles these public routes at Cloudflare; an in-process per-IP limiter requires a separate trusted-proxy/client-IP policy, while per-session state binding currently breaks the Rust SDK callback flow because it reconstructs the client. The cap changes the prior unbounded-memory failure mode into a bounded, temporary login failure (maximum TTL 10 minutes). I’m leaving that tradeoff explicit rather than broadening this patch; application-layer throttling/session binding should be handled separately. |
f26e37c to
6dd1f7f
Compare
Summary
Session binding is intentionally out of scope: browser clients retain their encrypted session through redirects, but the official Rust SDK only retains it in memory and does not guarantee that the callback reuses the initiating session.
Tests
cargo fmt --all -- --checkcargo clippy --locked --all-targets --all-features -- -D warningscargo test --locked --all-features(220 passed, 16 ignored database tests)Summary by CodeRabbit
Security Enhancements
Bug Fixes