fix(connect): validate OAuth state nonce server-side to prevent CSRF (#223)

[Ridanshi]

Summary

Closes #223.

The GitHub connect flow (/api/connect/github) accepted userId directly from the unverified state callback parameter and used Math.random() to generate the state value. An attacker could forge a callback with a crafted state, causing the server to associate the victim's account with an attacker-controlled GitHub credential.

The login flow (/auth/github, /auth/google) is addressed separately via the cookie-based double-submit CSRF fix already present on main (#481).

Changes

apps/backend/src/routes/connect.ts

• Generate a 32-byte cryptographically secure nonce on /connect/github initiation
• Store { userId } in Redis under oauth:connect-nonce:<nonce> with a 10-minute TTL
• Pass only the nonce as the state parameter — userId never travels through the callback URL
• On callback: validate nonce format (64 lowercase hex chars), look up Redis, reject unknown or expired entries, fail closed if Redis is unavailable, delete nonce immediately after first use (replay protection)
• Replace Math.random() with randomBytes(32)
• Use dedicated github_follow platform key to prevent auth-token overwrites
• Fail closed — no Redis bypass path

apps/backend/src/__tests__/connect.test.ts

• 14 tests covering the full callback security surface

apps/backend/src/__tests__/oauth-scope.test.ts

• Updated buildConnectApp and makeConnectState to match new nonce-only state format

Security properties

Property	Before	After
State entropy	~44 bits (Math.random)	256 bits (randomBytes(32))
userId source in callback	Trusted from state param	Looked up from Redis by nonce
CSRF protection	None	Server-side nonce validation
Replay protection	None	Nonce deleted on first use
Nonce expiry	None	10 minutes (Redis TTL)
Redis unavailable	N/A	Fails closed (rejects request)

Tests (connect.test.ts — 14 tests)

• Valid connect flow end-to-end with github_follow platform assertion
• Nonce stored in Redis with correct userId and TTL
• State is 64 lowercase hex chars
• Missing code parameter
• Missing state parameter
• Malformed state (too short)
• Malformed state (non-hex characters)
• Forged base64-JSON state rejected as malformed
• Unknown nonce (not in Redis)
• Expired nonce
• Forged nonce (not in Redis)
• Replay attack — second callback with same nonce is rejected
• Corrupt Redis data
• GitHub token exchange failure

Test plan

• npx vitest run src/__tests__/connect.test.ts src/__tests__/oauth-scope.test.ts src/__tests__/follow.test.ts src/__tests__/profiles.test.ts — 52/52 pass
• Pre-existing failures in event.test.ts and analytics.test.ts are unrelated to this change (upstream test infrastructure issue with request.user not being set by the jwtVerify mock)

[vercel]

@Ridanshi is attempting to deploy a commit to the Prashantkumar Khatri's projects Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

Hi @Ridanshi,

Thanks for opening this pull request.

This PR has been automatically classified based on the files modified.

Applied Labels

• backend

Primary Review Area

• backend

Reviewer

@Harxhit has been identified as the primary reviewer for this pull request.

If you have any questions regarding the affected area or implementation details, feel free to reach out to the assigned reviewer.

Thank you for your contribution!

[github-actions]

CI — Checks Failed

Backend — FAIL

Check	Result
Lint	FAIL
Test	PASS
Typecheck	PASS

Mobile — SKIP

Check	Result
Lint	-
Test	-

Web — SKIP

Check	Result
Check	-
Build	-

---

Last updated: Fri, 12 Jun 2026 20:34:06 GMT