fix(auth): bind OAuth callback to loopback + harden keychain storage

[atom2ueki]

Summary

Fixes three security findings against the OAuth login path and the keychain-backed token store. All three came out of the security review on the SDK as it ships to third-party iOS/macOS app developers — anything weak here propagates into every consumer app.

1. OAuth callback server bound to all interfaces (High)

The local callback server inherited an INADDR_ANY / in6addr_any bind from SwiftWebServer 0.1.0, so during a login flow the server was reachable from any host on the same network. On a hostile LAN that's a reliable login-denial primitive (forge a callback faster than the browser, the single-shot server tears down before the legit callback lands) and a stretched code-injection race.

Fix: Bumped the dependency to SwiftWebServer 0.2.0 (released today: https://github.com/atom2ueki/SwiftWebServer/releases/tag/0.2.0), which adds a host: parameter to listen(). Now passing host: "localhost" in LocalCallbackServer.startListening() so the bind is constrained to dual-stack loopback (127.0.0.1 + ::1) per RFC 8252 §7.3. The browser can still reach the callback whether it resolves localhost to v4 or v6 first.

Defense in depth: the route handler now compares the incoming state query parameter against the value generated for the in-flight handshake. Mismatched callbacks return HTTP 400 without burning the single-shot resume — a forged or stale callback can no longer kill the legitimate one. The legit browser callback (which carries the genuine state) still wins.

2. KeychainTokenStorage silent fallback (Low)

KeychainTokenStorage.init silently fell back to a hardcoded global service name "com.codingplan.auth" when both servicePrefix and Bundle.main.bundleIdentifier were nil. In CLI tools, test harnesses, and app-extension hosts where Bundle.main is the host shell, two unrelated tools could end up sharing each other's credentials.

Fix: KeychainTokenStorage.init now throws AuthError.storageError when neither a prefix nor a bundle id is available. The failure surface moves from "first save/load returns the wrong creds" to "construction fails fast." AuthService.init lost its default storage so the failure is visible at the call site rather than buried in a default expression.

3. Adjacent improvements

• isResolvedPortBindFailure now matches both IPv4 and IPv6 bind-failure messages so the existing port-race retry loop still triggers when the dual-stack listen loses the race on either family after the INADDR_ANY reservation closed.
• LocalCallbackServerTests.reserveLocalPort now binds the conflicting reservation to INADDR_LOOPBACK instead of INADDR_ANY. With SO_REUSEADDR, an INADDR_ANY reservation does not prevent a more-specific loopback bind at the same port, so the test would otherwise stop observing the conflict it asserts on.

Breaking changes

This is a 0.x SDK; both breaks are intentional security posture improvements.

• KeychainTokenStorage.init(servicePrefix:accessGroup:) is now throws. Existing callers add try. Apps with a Bundle.main.bundleIdentifier (the normal case) keep working unchanged once they add the keyword.
• AuthService.init(storage:) no longer has a default value. Callers must pass storage explicitly. The DocC example was already showing explicit construction, so this matches the documented usage.

Test plan

• swift build clean.
• swift test — 49 tests, 0 failures, against the published SwiftWebServer 0.2.0.
• Bind-failure regression test continues to fail-the-bind as intended.
• Manual smoke: actual OAuth login on a real iOS/macOS app (recommended before tagging a release of this SDK).

Notes

This is one clean commit on top of the latest main (1c6a72f). No Package.resolved change is committed (gitignored in this repo). Ready to merge.

[atom2ueki]

@claude review this PR

[claude]

Claude finished @atom2ueki's task in 1m 59s —— View job

---

PR Review: fix(auth): bind OAuth callback to loopback + harden keychain storage

• Gather context and understand request
• Read changed files
• Analyze security claims and correctness
• Post review feedback

---

Summary: The three security fixes are sound and the implementation is correct. A few items worth addressing before merging — one medium gap (no tests for the new state validation), one stale comment, and a minor docs nit. Nothing that blocks merge if the manual smoke test is green, but the test gap in particular is worth closing for a security-critical path.

---

Findings

Medium — State validation logic has no test coverage

LocalCallbackServer.swift:185-188 — the new expectedState defense-in-depth is the most important addition in this PR, but LocalCallbackServerTests.swift has no tests for it. Three cases should be covered:

• Request with missing state → HTTP 400, continuation NOT consumed
• Request with wrong state → HTTP 400, continuation NOT consumed
• Request with correct state → continues normally

Without these, a future refactor of the makeServer() handler could silently break the "doesn't consume the continuation on mismatch" guarantee, defeating the whole point of the fix. Fix this →

Minor — Stale version in WebServerBox comment

LocalCallbackServer.swift:19:

// Reason: SwiftWebServer 0.1.0 does not yet declare itself Sendable.

This should read 0.2.0 (or be removed if 0.2.0 adds Sendable conformance — worth checking before tagging the release).

Minor (Docs nit) — try! in the overview example

CodingPlanAuth.md:29:

private let service = AuthService(storage: try! KeychainTokenStorage())

Using try! in a stored property initializer in an @Observable class will crash at startup if Bundle.main.bundleIdentifier is nil. Since the property is the very first thing shown to every new adopter, consider using a lazy var + try or adding a prose note explaining why try! is acceptable here (iOS/macOS apps always have a bundle id). Fix this →

Informational — resolveListenPort reserve socket still uses INADDR_ANY

LocalCallbackServer.swift:244-245 — the port-discovery socket briefly binds to INADDR_ANY:0. Since listen() is never called on it, nothing can actually connect, so the attack surface is essentially zero. Just noting it for completeness; the PR description doesn't call this out and it's a standard port-reservation idiom.

---

What's correct

• Loopback bind (host: "localhost") is correctly placed and the dual-stack rationale (v4 + v6 in one call) is accurate. RFC 8252 §7.3 ✓
• State check semantics — returning 400 without calling resume or Task { await target?.resume(with:) } correctly preserves the single-shot continuation so the real browser callback still wins. ✓
• IPv6 bind-failure prefix addition in isResolvedPortBindFailure is correct; dual-stack listen can lose the race on either family after the reservation closes. ✓
• reserveLocalPort test fix to INADDR_LOOPBACK is technically sound. The comment explains the SO_REUSEADDR / more-specific-bind interaction correctly. ✓
• KeychainTokenStorage.init now throws — fail-fast at construction is the right design. The previous silent fallback to a hardcoded global name was the root cause of the credential-sharing risk. ✓
• AuthService.init no longer has a default — forces callers to construct storage explicitly; matches what the DocC example was already showing. ✓
• Breaking changes are explicitly documented in the PR body with migration guidance. ✓

---

Checklist

Loopback bind (RFC 8252 §7.3)	✅ Correct
State CSRF guard	✅ Logic correct, ⚠️ no tests
Retry loop dual-stack fix	✅ Correct
Test port reservation fix	✅ Correct
KeychainTokenStorage fail-fast	✅ Correct
AuthService storage default removed	✅ Correct
Manual smoke test	⬜ Not yet (noted in PR)

[Copilot]

Pull request overview

This PR hardens the OAuth local callback server and keychain-backed token storage to address security findings in the SDK’s login and credential persistence paths.

Changes:

• Bind the local OAuth callback server to loopback only (host: "localhost") and add state validation to reject forged/stale callbacks without consuming the single-shot resume.
• Make KeychainTokenStorage fail fast by throwing when neither an explicit servicePrefix nor a bundle identifier is available; require explicit storage construction in AuthService.
• Update bind-failure detection for both IPv4/IPv6 and adjust the port-conflict test to reserve loopback rather than INADDR_ANY.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
Tests/CodingPlanAuthTests/Infrastructure/LocalCallbackServerTests.swift	Ensures the bind-conflict test reserves loopback to match the server’s new loopback-only bind behavior.
Sources/CodingPlanAuth/Infrastructure/Storage/KeychainTokenStorage.swift	Makes the keychain storage initializer throwing to prevent silent global-service fallback in bundle-id-less hosts.
Sources/CodingPlanAuth/Infrastructure/Server/LocalCallbackServer.swift	Binds callback server to loopback and adds expected-state checking; expands bind-failure detection to IPv6.
Sources/CodingPlanAuth/Infrastructure/OAuth/OAuth2PKCEFlow.swift	Plumbs OAuth state into the callback server for defense-in-depth validation.
Sources/CodingPlanAuth/Documentation.docc/CodingPlanAuth.md	Updates DocC sample to compile with the new throwing KeychainTokenStorage initializer.
Sources/CodingPlanAuth/Application/AuthService.swift	Removes default storage parameter and updates docs to reflect explicit, throwing storage construction.
Package.swift	Bumps SwiftWebServer dependency to a version that supports host-bound listening.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[atom2ueki]

Re: @claude review — fix-up pushed in 02327cc.

Finding	Status	Where
Medium — no tests for expectedState	Fixed	4 new unit tests in LocalCallbackServerTests.swift driving the actual local server with URLSession. The forge-then-genuine test directly proves the genuine callback wins after a 400-rejected forgery.
Minor — stale WebServerBox 0.1.0 comment	Partly fixed	Updated to read 0.2.0. The wrapper itself will be removed in a follow-up commit on this branch once SwiftWebServer 0.3.0 lands (PR atom2ueki/SwiftWebServer#5 — @MainActor for honest Sendable conformance).
Minor — try! in DocC overview	Fixed	Replaced with a throwing init on the SwiftUI sample so misconfigured hosts surface a clear failure instead of a startup crash.
Informational — resolveListenPort reserves on INADDR_ANY	Acknowledged	No action — the reservation socket is closed before listen() runs, so the brief INADDR_ANY bind has no exposure.

Test count: 49 → 53. Will follow up with the WebServerBox removal commit once SwiftWebServer 0.3.0 ships.

[claude]

Claude finished @atom2ueki's task in 1m 52s —— View job

---

Re-review: fix-up commit 02327cc

• Gather context and understand request
• Read fix-up changes (02327cc)
• Verify: 4 new expectedState unit tests
• Verify: stale WebServerBox comment updated to 0.2.0
• Verify: try! replaced in DocC overview
• Verify: doc snippet do/catch wrapping in AuthService + KeychainTokenStorage
• Post findings

---

All four findings from the previous review are correctly addressed. Details below.

Medium — expectedState test coverage ✅ Fully resolved

Four tests added in LocalCallbackServerTests.swift:40-135, all driving the actual server via URLSession:

Test	What it proves
callbackWithMatchingStateCompletesFlow	Happy path: correct state + code → 200, start() returns the right params
callbackWithMismatchedStateRejectsAndKeepsResumeAlive	The critical security test. Forged callback → 400, genuine callback immediately after → 200, params.code == "genuine" (not "stolen") — directly proves the single-shot resume is preserved
callbackWithMissingStateRejectsWhenExpectedStateSet	No state query param → 400; server correctly stopped to avoid a hang
callbackWithoutExpectedStateAcceptsAnyState	Back-compat: unconfigured expectedState → any state accepted

Logic and cleanup in each test is correct. The callbackGET helper targets 127.0.0.1 directly, which is correct since the server is bound to localhost (IPv4 loopback).

One cosmetic note: the callbackGET comment says "Don't follow redirects" but no redirect-prevention delegate is configured on URLSession.shared. This is harmless because the tested responses are 200/400 (not 3xx), but the comment could mislead a future reader. Worth a one-line fix at some point, not a blocker.

Minor — Stale WebServerBox comment ✅ Resolved

LocalCallbackServer.swift:19 now reads SwiftWebServer 0.2.0 still does not declare itself Sendable. The @unchecked Sendable justification is accurate for 0.2.0 and the follow-up plan (remove wrapper once 0.3.0 ships @MainActor) is documented in the commit message.

Minor — try! in DocC overview ✅ Resolved

CodingPlanAuth.md:28-40: the stored-property try! pattern is replaced with an init() throws that propagates the error. The inline comment explaining why the throw is safe for normal app targets (but still surfaces for CLI/test hosts) is a nice touch for copy-paste readers.

Minor (Copilot) — do/catch in doc-comment snippets ✅ Resolved

Both AuthService.swift and KeychainTokenStorage.swift doc snippets now wrap the throwing call in do { ... } catch { ... }. Syntactically valid Swift and models the correct error-handling pattern.

---

Verdict

All review items resolved. The PR is clean from a security-correctness and test-coverage perspective. The only remaining item before tagging a release is the manual smoke test called out in the PR checklist.
| Branch: security/fix-loopback-bind

[atom2ueki]

Follow-up: SwiftWebServer 0.3.0 just shipped (https://github.com/atom2ueki/SwiftWebServer/releases/tag/0.3.0) with @MainActor isolation for honest Sendable conformance, so the WebServerBox @unchecked Sendable wrapper this SDK was carrying since 0.1.0 is no longer needed.

Pushed 9bc5530:

• Bumped Package.swift dep to from: "0.3.0".
• Deleted WebServerBox; private var server: SwiftWebServer? directly.
• makeServer() is now @MainActor (since SwiftWebServer.init/get are @MainActor); the immutable config fields it reads (responseHTML, redirectBaseURL, expectedState) are now nonisolated private let.
• Marked the registered route handler closure @Sendable — without this, Swift 6 strict concurrency was inferring it as @MainActor (since server.get is @MainActor), and SwiftWebServer's Connection traps with "BUG IN CLIENT OF libdispatch" when it invokes the handler from its background queue. @Sendable forces non-isolation, matching how Connection actually calls it. Caught this via a SIGTRAP in callbackWithoutExpectedStateAcceptsAnyState; full backtrace pointed to _swift_task_checkIsolatedSwift → dispatch_assert_queue from inside the closure.

53/53 tests pass.

[atom2ueki]

@claude review this PR

[atom2ueki]

@codex review

[claude]

Claude finished @atom2ueki's task in 2m 6s —— View job

---

PR Review: fix(auth): bind OAuth callback to loopback + harden keychain storage

• Gather context and understand request
• Read all changed files
• Analyze security + correctness of changes
• Verify 9bc5530 (@mainactor / @sendable / WebServerBox removal)
• Post review feedback

---

All prior findings have been resolved. This review covers the final commit 9bc5530 (SwiftWebServer 0.3.0 + WebServerBox removal) which hadn't been reviewed yet.

9bc5530: @mainactor / @sendable / WebServerBox removal ✅

private var server: SwiftWebServer? — The WebServerBox @unchecked Sendable shim is gone. SwiftWebServer 0.3.0's @MainActor isolation gives it honest Sendable conformance, so the wrapper's entire purpose is moot. ✅

nonisolated private let responseHTML/redirectBaseURL/expectedState — Promoting the immutable config fields to nonisolated is the correct solution for reading actor-owned data inside @MainActor makeServer(). The compiler enforces the immutability guarantee; no locks needed. ✅

@MainActor private func makeServer() -> SwiftWebServer — Required because SwiftWebServer.init and server.get are @MainActor in 0.3.0. The callsite (let server = await makeServer()) hops correctly from the actor to the main actor and back. ✅

server.get(callbackPath) { @Sendable [weak self] ... } — This is the critical correctness fix in the commit. Without @Sendable, Swift 6 infers @MainActor isolation on the closure (it inherits from server.get's @MainActor context). SwiftWebServer invokes route handlers from a per-connection background dispatch queue, so the mismatch triggers dispatch_assert_queue → SIGTRAP at runtime. @Sendable forces non-isolation, matching how Connection actually calls it. The comment documenting this reasoning is valuable. ✅

stop() → await MainActor.run { currentServer.close() } — SwiftWebServer.close() is @MainActor, so the explicit hop is required. server = nil is cleared before the await, so no other actor-isolated code can observe the stale reference during the hop. ✅

callbackPath in makeServer() — callbackPath is nonisolated let (line 22), so reading it from the @MainActor method is safe. ✅

---

Remaining cosmetic item (not a blocker)

LocalCallbackServerTests.swift:141 — the callbackGET comment still says "Don't follow redirects" but URLSession.shared has no redirect-prevention delegate configured. The tested responses are 200/400 (not 3xx), so this is harmless, but the comment could mislead a future reader who wonders what mechanism prevents redirect-following. Either remove the comment or configure a URLSession with redirectMaximum: 0 (or similar). This was flagged in the previous review pass and remains unchanged — fine to address in a follow-up. Fix this →

---

Full checklist

Loopback bind (RFC 8252 §7.3)	✅ Correct
State CSRF guard	✅ Logic correct, 4 tests covering all cases
Retry loop dual-stack fix	✅ Correct
Test port reservation fix (INADDR_LOOPBACK)	✅ Correct
KeychainTokenStorage fail-fast	✅ Correct
AuthService storage default removed	✅ Correct
@unchecked Sendable wrapper removed	✅ Correct (0.3.0 has honest @MainActor isolation)
@MainActor makeServer()	✅ Correct
@Sendable route handler closure	✅ Critical fix; correctly prevents libdispatch assert
nonisolated config fields	✅ Correct
DocC examples updated	✅ No try!, proper do/catch shown
Manual smoke test	⬜ Not yet (noted in PR checklist)

Verdict: All review items resolved across the three-commit series. The PR is clean — security-correct, test-covered, and Swift 6 strict-concurrency-clean. Ready to merge once the manual smoke test is green.
| Branch: security/fix-loopback-bind

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Keep it up!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[atom2ueki]

Cosmetic fix pushed in 5e73c10 — dropped the misleading 'Don't follow redirects' comment in the test helper.

PR is ready from my side. Awaiting your manual smoke test of a real OAuth login on iOS/macOS before merging — that's the one thing I can't validate from here. Once you've confirmed the live flow still works, give the green light and I'll merge + tag the SDK release.