
[BUG] OAuth Connect Callback Blocked by Header-Only Authentication Check #380

@Pcmhacker-piro

Description


Summary

Refactor the third-party account linkage callback endpoint (/api/connect/github/callback) to verify user identity via a Redis state nonce instead of a direct HTTP header authentication check. This allows browser-level GET redirects from GitHub to authenticate without throwing a 401.

Context

In apps/backend/src/routes/connect.ts, the GET endpoint /github/callback is decorated with preHandler: [app.authenticate].

Because OAuth redirects are browser-initiated GET page loads, the user's browser redirects from github.com straight to /api/connect/github/callback?code=...&state=.... The client cannot programmatically inject an Authorization: Bearer <token> header into this browser-level redirect. Since fastify-jwt is registered in app.ts without any cookie extraction support, the request.jwtVerify() call in app.authenticate fails to find a token and immediately terminates the callback flow with a 401 Unauthorized error.

Tasks

  • Remove preHandler: [app.authenticate] from /github/callback in apps/backend/src/routes/connect.ts.
  • Extract the target user's identity by decoding the state query parameter returned on the redirect.
  • Verify the temporary nonce received in the callback against the Redis store to retrieve the matching userId.
  • Delete the token from Redis after validation to prevent replay attacks (one-time use).
  • Use the validated userId to create or update the corresponding oAuthToken in PostgreSQL.
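The nonce handling the tasks above describe, as an added example rather than code from this repository: Redis is replaced by an in-memory stand-in with the same two operations (SET with a TTL and the atomic GETDEL), the key namespace and the `<userId>.<nonce>` state layout are assumptions, and the Fastify route wiring is left out.

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";

// Minimal subset of a Redis client (assumption: the app's client exposes SET
// with EX and GETDEL). GETDEL makes the nonce single-use without a
// read-then-delete race between two concurrent callbacks.
export interface NonceStore {
  set(key: string, value: string, ttlSeconds: number): Promise<void>;
  getdel(key: string): Promise<string | null>;
}

// In-memory stand-in so the example runs offline; the clock is injectable
// so expiry can be exercised deterministically.
export class MemoryNonceStore implements NonceStore {
  private items = new Map<string, { value: string; expiresAt: number }>();
  private now: () => number;
  constructor(now: () => number = Date.now) { this.now = now; }
  async set(key: string, value: string, ttlSeconds: number): Promise<void> {
    this.items.set(key, { value, expiresAt: this.now() + ttlSeconds * 1000 });
  }
  async getdel(key: string): Promise<string | null> {
    const hit = this.items.get(key);
    this.items.delete(key); // removed whether or not it is still valid
    return hit && hit.expiresAt > this.now() ? hit.value : null;
  }
}

const KEY_PREFIX = "oauth:github:state:"; // assumed key namespace
const NONCE_RE = /^[A-Za-z0-9_-]{43}$/;    // 32 random bytes as base64url

// Step 1: the JWT-protected "start linking" endpoint mints the state while
// the user's identity is still known from the Authorization header.
export async function issueState(store: NonceStore, userId: string, ttl = 600): Promise<string> {
  const nonce = randomBytes(32).toString("base64url");
  await store.set(KEY_PREFIX + nonce, userId, ttl);
  return `${userId}.${nonce}`;
}

// Step 2: the callback has no Authorization header, so identity comes only
// from the nonce: decode the state, consume the nonce exactly once, and
// require the stored userId to match the one the state claims.
export async function consumeState(store: NonceStore, state: unknown): Promise<string | null> {
  if (typeof state !== "string") return null;
  const dot = state.lastIndexOf(".");
  if (dot <= 0) return null;
  const claimedUser = state.slice(0, dot);
  const nonce = state.slice(dot + 1);
  if (!NONCE_RE.test(nonce)) return null;
  const storedUser = await store.getdel(KEY_PREFIX + nonce); // one-time use
  if (storedUser === null) return null; // unknown, expired or already replayed
  const a = Buffer.from(storedUser), b = Buffer.from(claimedUser);
  if (a.length !== b.length || !timingSafeEqual(a, b)) return null;
  return storedUser; // safe to create or update oAuthToken for this user
}
```

A second callback carrying the same state returns null because GETDEL already removed the nonce, which is the replay protection the tasks call for.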

Acceptance Criteria

  • Third-party account linking via GitHub completes successfully without 401 Unauthorized errors.
  • Callback security remains intact via Redis-backed state-nonce validation.
  • The oAuthToken is created or updated under the user identified by the validated nonce.

Area

backend

Difficulty

Hard
