Skip to content

fix: use live store state for OAuth provider checks to prevent stale …#3893

Draft
akshay-gupta7 wants to merge 2 commits into
mainfrom
akshay/fix-leaking-oauth-sync
Draft

fix: use live store state for OAuth provider checks to prevent stale …#3893
akshay-gupta7 wants to merge 2 commits into
mainfrom
akshay/fix-leaking-oauth-sync

Conversation

@akshay-gupta7

Copy link
Copy Markdown
Contributor

…pushes after provider switch

Why does this PR exist?

Closes #0000

What does this pull request do?

Testing this change

Additional Notes (if any)

@changeset-bot

changeset-bot Bot commented Jun 10, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 4db767a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@anathaniel-TS

Copy link
Copy Markdown

🛡️ Hyma Compliance Check

No compliance-relevant changes detected

11 file(s) scanned · 0 findings

This PR fixes stale Redux rootState references in Tokens Studio OAuth sync handlers, switching to store.getState() for live state reads. No new data collection, no new external service calls, no access control changes, no PII impact.

ℹ️ This check is informational.
🛡️ Hyma Compliance Check · automated

@anathaniel-TS

Copy link
Copy Markdown

🛡️ Hyma Compliance Check

No compliance-relevant changes detected

12 file(s) scanned · 0 findings

All changes in this PR replace stale rootState OAuth provider checks with live store.getState() calls across theme/token effect handlers. This is a bug fix with no new data flows, no new external services, and no changes to access control logic.

ℹ️ This check is informational.
🛡️ Hyma Compliance Check · automated

@anathaniel-TS

Copy link
Copy Markdown

🛡️ Hyma Compliance Check — 2026-06-17

No compliance findings.

Internal OAuth state management refactoring — switches from stale rootState?.uiState?.api?.provider reads to live store.getState() calls across multiple effects/tokenState/*.ts files. No new external data flows, no new subprocessors, no access control changes, no personal data processing changes. notifySyncSuccess debounce change (800ms) is UX-only.


Automated compliance scan by Hyma Compliance Bot

@anathaniel-TS

Copy link
Copy Markdown

🛡️ Hyma Compliance Check

⚠️ 1 finding(s) across multiple file(s)

Severity Category File Headline
🟢 LOW Access Control src/app/store/models/effects/tokenState/* OAuth provider checks now use live store state
Full finding details

[Access Control] OAuth provider checks use live store state

  • Files: Multiple effect files under src/app/store/models/effects/tokenState/
  • Implication: All StorageProviderType.TOKENS_STUDIO_OAUTH checks previously read from rootState?.uiState?.api?.provider (stale snapshot) and now use store.getState().uiState.api?.provider (live current state). This is a positive access-control fix — OAuth operations will correctly reflect the active provider and prevent stale-state authorization bypasses.
  • Recommended action: None required. This change tightens access control semantics for OAuth operations. Confirm no other access checks in the codebase still use the stale rootState pattern for OAuth provider verification.

ℹ️ This check is informational — findings do not block merging.
🛡️ Hyma Compliance Check · automated

@anathaniel-TS

Copy link
Copy Markdown

🛡️ Hyma Compliance Check

⚠️ 1 finding(s) across 1 file(s)

Severity Category File Headline
🟢 LOW Access Control src/app/store/models/tokenState.tsx OAuth provider gating now reads live store state, altering when token data is transmitted to the Tokens Studio OAuth backend
Full finding details

[Access Control] OAuth provider gating now reads live store state, altering when token data is transmitted to the Tokens Studio OAuth backend

  • File: src/app/store/models/tokenState.tsx (lines ~826-1220; same pattern across the assign*/rename*/remove*/deleteTheme/updateThemeGroupName effect handlers under src/app/store/models/effects/tokenState/)
  • Implication: The condition controlling whether token/theme changes are pushed to the external Tokens Studio OAuth provider was switched from a stale rootState snapshot to a live store.getState() read, and the OAuth context (which carries provider credentials) is now resolved at push time. The stated intent is to stop "stale pushes after provider switch" — i.e., data previously could be sent to a provider the user had switched away from. This is a correctness fix on the external-transmission gating path, but it changes when and to which provider design-token data leaves the client. No new subprocessor or personal data is introduced (Tokens Studio OAuth is an existing subprocessor; payloads are design tokens, not personal data).
  • Recommended action: Before merging, confirm with engineering that the live-state read fully eliminates cross-provider data leakage (no race where api.provider updates after the change is queued but before push), and note this gating fix in the ROPA/data-flow record for the Tokens Studio OAuth sync path.

ℹ️ This check is informational — findings do not block merging.
🛡️ Hyma Compliance Check · automated

@anathaniel-TS

Copy link
Copy Markdown

🛡️ Hyma Compliance Check

No compliance-relevant changes detected

11 file(s) scanned · 0 findings

Files reviewed: Multiple src/app/store/models/effects/tokenState/*.ts files and tokenState.tsx

This PR fixes OAuth provider checks to use live store state (store.getState()) rather than stale rootState snapshots. Pure bug fix for data consistency in state management — no new data flows, no external service calls, no personal data changes. The fix ensures OAuth context reads are fresh when processing effects.

ℹ️ This check is informational.
🛡️ Hyma Compliance Check · automated

@anathaniel-TS

Copy link
Copy Markdown

🛡️ Hyma Compliance Check

No compliance-relevant changes detected

15 file(s) scanned · 0 findings

ℹ️ This check is informational.
🛡️ Hyma Compliance Check · automated

@anathaniel-TS

Copy link
Copy Markdown

🛡️ Hyma Compliance Check

No compliance-relevant changes detected

~15 file(s) scanned · 0 findings

Note: refactors Tokens Studio OAuth provider checks to read live store state (store.getState()) instead of stale rootState. This is a reliability fix in the sync/credential-context path; no new data, credential exposure, or external call is introduced.

ℹ️ This check is informational.
🛡️ Hyma Compliance Check · automated

@anathaniel-TS

Copy link
Copy Markdown

🛡️ Hyma Compliance Check

⚠️ 1 finding across 1 in-scope area

Severity Category File Headline
🟢 LOW Access Control src/app/store/models/tokenState.tsx OAuth provider/credential checks now read live store state
Full finding details

[Access Control] OAuth provider/credential checks now read live store state

  • File: src/app/store/models/tokenState.tsx and src/app/store/models/effects/tokenState/*.ts (assign/rename/remove/deleteTheme effects)
  • Implication: Replaces stale rootState.uiState.api references with live store.getState().uiState.api when deciding whether to push changes to the Tokens Studio OAuth backend and when supplying the OAuth credential context. This is a correctness fix ensuring the current authenticated OAuth provider/token context is used for remote sync, reducing the risk of writes made with a stale credential/provider.
  • Recommended action: None required beyond normal review. Confirms remote token sync uses the current authenticated context; no new data flow or subprocessor introduced.

ℹ️ This check is informational — findings do not block merging.
🛡️ Hyma Compliance Check · automated

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants