fix: prevent expired OAuth device codes in authentication flow#8
Merged
Conversation
Problem:
- /auth/check endpoint was creating new OAuth device auth instances on every request
- Each new instance generated a different device code
- Old device codes expired after ~15 minutes
- Frontend polling kept trying expired codes, causing authentication errors on refresh

Solution:
- Store and reuse OAuth auth instance across check requests
- Return authenticated status immediately if tokens are valid
- Clear auth instance after successful authentication
- Handle expired device codes gracefully without throwing errors
- User authentication now persists correctly on page refresh

Changes:
- auth-service.ts: Added pendingAuth storage and reuse logic
- github.ts: Updated VerificationResponse type to support authenticated status
- Improved error handling for expired codes
Problem
The authentication system was creating new OAuth device auth instances on every
`/auth/check` request, which caused several issues:
- Each `/auth/check` request created a different device code

Root Cause
The `checkDeviceFlowAuth()` function was calling `createOAuthDeviceAuth()` on every poll, instead of reusing the original auth instance from login. Since device codes expire after 15 minutes, and a new code was generated on each check, the original code the user authorized would expire before verification could complete.

Solution
This PR implements proper OAuth instance lifecycle management to persist device authentication:
- The OAuth instance is created in `initiateDeviceFlow()` and stored in `pendingAuth`
- `checkDeviceFlowAuth()` now reuses the stored instance instead of creating new ones
- `pendingAuth` and `pendingVerification` are cleared after successful authentication

Changes
`src/services/auth-service.ts`
- Added `pendingAuth` variable to store OAuth instance across requests
- Updated `initiateDeviceFlow()` to store and clear auth instance appropriately
- Updated `checkDeviceFlowAuth()` to reuse stored auth instance
- Updated `clearTokens()` to clear pending auth state
`src/types/github.ts`
- Updated `VerificationResponse` type to support `'authenticated'` status

Benefits
✅ Device authentication persists across polling requests
✅ Users stay authenticated on page refresh
✅ No more expired device code errors
✅ Single OAuth flow per login session
✅ Better error handling and logging
✅ Improved user experience with persistent authentication
Testing
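The lifecycle described in this PR, as an added example that is not the project's own code: a simulated device-flow service showing the buggy pattern (a fresh auth instance, and so a fresh device code, on every poll) beside the fixed one that stores the instance in `pendingAuth`, reuses it, short-circuits when a token exists, reports expiry without throwing, and clears state on success. `DeviceAuth`, `createDeviceAuth()`, the `VerificationResponse` shape, the token format and the 15-minute TTL are assumptions standing in for the real OAuth device auth object and library.

```typescript
// Added example (not the PR's code). DeviceAuth, createDeviceAuth() and the
// 15-minute TTL are simulated stand-ins for the real OAuth device auth object.
interface DeviceAuth { deviceCode: string; createdAt: number; authorized: boolean }
interface VerificationResponse { status: "pending" | "authenticated" | "expired"; deviceCode?: string; token?: string }

const DEVICE_CODE_TTL_MS = 15 * 60 * 1000; // device codes expire after ~15 minutes
let codeCounter = 0;

function createDeviceAuth(now: number): DeviceAuth {
  // Stand-in for the library call that mints a new device code on every invocation.
  codeCounter += 1;
  return { deviceCode: `device-code-${codeCounter}`, createdAt: now, authorized: false };
}

// Buggy pattern: each poll builds a new instance, so the code the user
// authorized in the browser is never the one being checked.
function checkWithFreshInstance(now: number): VerificationResponse {
  const auth = createDeviceAuth(now);
  return { status: "pending", deviceCode: auth.deviceCode };
}

class AuthService {
  private pendingAuth: DeviceAuth | null = null;
  private token: string | null = null;

  initiateDeviceFlow(now: number): string {
    this.pendingAuth = createDeviceAuth(now); // created once per login and stored
    return this.pendingAuth.deviceCode;
  }

  checkDeviceFlowAuth(now: number): VerificationResponse {
    if (this.token) return { status: "authenticated", token: this.token }; // valid token: answer immediately
    if (!this.pendingAuth || now - this.pendingAuth.createdAt > DEVICE_CODE_TTL_MS) {
      this.pendingAuth = null; // expired or absent: report it instead of throwing
      return { status: "expired" };
    }
    if (this.pendingAuth.authorized) {
      this.token = `token-for-${this.pendingAuth.deviceCode}`; // constructed stand-in for the access token
      this.pendingAuth = null; // clear pending state once authenticated
      return { status: "authenticated", token: this.token };
    }
    return { status: "pending", deviceCode: this.pendingAuth.deviceCode }; // same code on every poll
  }

  authorize(): void { if (this.pendingAuth) this.pendingAuth.authorized = true; } // simulates user approval
  clearTokens(): void { this.token = null; this.pendingAuth = null; }
}
```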