Description
POST /session accepts an explicit id in the typed API surface, but the server-side session create path ignores it. That makes duplicate-ID hardening unreachable: creating the same explicit session id twice returns 200 twice instead of 200 then 409.
The server already exposes DuplicateIDError / 409 handling, but Session.create does not pass id through to the underlying session creation flow.
Plugins
No response
OpenCode version
0.0.0--202604082020 (reproduced on built local binary)
Steps to reproduce
- Start the built server with basic auth enabled.
POST /session with body { "id": "ses_duplicate_smoke", "title": "one" }.- Repeat the same request with the same
id.
- Observe that the second request succeeds instead of returning
409 DuplicateIDError.
Screenshot and/or share link
No response
Operating System
Ubuntu 24.04
Terminal
Ghostty
Description
POST /sessionaccepts an explicitidin the typed API surface, but the server-side session create path ignores it. That makes duplicate-ID hardening unreachable: creating the same explicit session id twice returns 200 twice instead of 200 then 409.The server already exposes
DuplicateIDError/ 409 handling, butSession.createdoes not passidthrough to the underlying session creation flow.Plugins
No response
OpenCode version
0.0.0--202604082020 (reproduced on built local binary)
Steps to reproduce
POST /sessionwith body{ "id": "ses_duplicate_smoke", "title": "one" }.id.409 DuplicateIDError.Screenshot and/or share link
No response
Operating System
Ubuntu 24.04
Terminal
Ghostty