fix: MFA single-use token bypass via concurrent authData login requests (GHSA-w73w-g5xw-rwhf)

[mtrezza]

Issue

MFA single-use token bypass via concurrent authData login requests (GHSA-w73w-g5xw-rwhf)

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

Added a test suite validating MFA recovery code reuse prevention under concurrent authData-only logins, and modified RestWrite's authData handling to snapshot pre-mutation values and enforce optimistic-locking constraints during database updates, translating certain update failures to a standardized error response.

Changes

Cohort / File(s)	Summary
MFA Recovery Code Reuse Test spec/vulnerabilities.spec.js	New test suite for vulnerability GHSA-w73w-g5xw-rwhf verifying that 10 concurrent authData-only logins using the same MFA recovery code result in exactly one success and nine failures, with the recovery code consumed after the winning request.
AuthData Optimistic Locking src/RestWrite.js	Modified handleAuthData to snapshot pre-mutation authData and apply optimistic-locking query predicates on array-valued authData subfields during _User updates. Translates OBJECT_NOT_FOUND errors to SCRIPT_FAILED with "Invalid auth data" message.

Sequence Diagram

sequenceDiagram
    participant Client as Client (10 Concurrent)
    participant RestWrite
    participant _User as _User DB
    
    Note over Client,_User: Concurrent Login Attempts with Same Recovery Token
    
    par Winning Request
        Client->>RestWrite: POST /login (authData.mfa.recovery)
        activate RestWrite
        RestWrite->>RestWrite: snapshot authData
        RestWrite->>RestWrite: apply mutatedAuthData (consume recovery code)
        RestWrite->>_User: UPDATE query with optimistic-lock<br/>(authData.mfa.recovery == [original_token])
        activate _User
        _User-->>RestWrite: ✓ Success (1 match, 1 updated)
        deactivate _User
        RestWrite-->>Client: 200 OK
        deactivate RestWrite
    and Losing Requests (9x)
        Client->>RestWrite: POST /login (authData.mfa.recovery)
        activate RestWrite
        RestWrite->>RestWrite: snapshot authData
        RestWrite->>RestWrite: apply mutatedAuthData
        RestWrite->>_User: UPDATE query with optimistic-lock<br/>(authData.mfa.recovery == [original_token])
        activate _User
        _User-->>RestWrite: ✗ OBJECT_NOT_FOUND<br/>(lock predicate failed)
        deactivate _User
        RestWrite->>RestWrite: translate to SCRIPT_FAILED
        RestWrite-->>Client: 400 Invalid auth data
        deactivate RestWrite
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• fix: Password reset token single-use bypass via concurrent requests (GHSA-r3xq-68wh-gwvh) #10216: Implements optimistic-locking pattern on _User updates to prevent concurrent reuse of perishable tokens (password-reset), mirroring the MFA recovery code protection approach.
• fix: Unlinking auth provider triggers auth data validation #10045: Directly modifies RestWrite.prototype.handleAuthData logic for how authData is read and applied during user operations.
• fix: MFA recovery codes not consumed after use (GHSA-4hf6-3x24-c9m8) #10170: MFA adapter removes/consumes recovery codes on login; this PR adds concurrent-reuse prevention in RestWrite to ensure single consumption.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is entirely empty, missing all required template sections including Issue, Approach, and Tasks.	Add a comprehensive description following the template with sections for Issue (link to GHSA-w73w-g5xw-rwhf), Approach (explain the optimistic-locking fix), and completed Tasks (tests added, security check status).

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title clearly and specifically describes the main security fix: addressing an MFA single-use token bypass vulnerability via concurrent authData login requests, and references the CVE identifier.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.52%. Comparing base (2be73d9) to head (da2e484).
⚠️ Report is 2 commits behind head on alpha.

Additional details and impacted files

@@           Coverage Diff           @@
##            alpha   #10326   +/-   ##
=======================================
  Coverage   92.52%   92.52%           
=======================================
  Files         192      192           
  Lines       16505    16517   +12     
  Branches      227      227           
=======================================
+ Hits        15271    15283   +12     
  Misses       1214     1214           
  Partials       20       20           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

🧹 Nitpick comments (1)

spec/vulnerabilities.spec.js (1)

4387-4399: Assert the rejection contract too.

This still passes as long as nine requests reject, even if they reject for an unrelated reason. Asserting SCRIPT_FAILED / Invalid auth data on the losers and the original objectId on the winner would make the regression much tighter.

🧪 Suggested assertion tightening

     const succeeded = results.filter(r => r.status === 'fulfilled');
     const failed = results.filter(r => r.status === 'rejected');

     // Exactly one request should succeed; all others should fail
     expect(succeeded.length).toBe(1);
     expect(failed.length).toBe(9);
+    expect(succeeded[0].value.data.objectId).toBe(user.id);
+    failed.forEach(({ reason }) => {
+      expect(reason.data.code).toBe(Parse.Error.SCRIPT_FAILED);
+      expect(reason.data.error).toBe('Invalid auth data');
+    });

     // Verify the recovery code has been consumed

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/vulnerabilities.spec.js` around lines 4387 - 4399, Tighten the
assertions after the concurrent loginWithRecovery() calls by checking rejection
reasons and the successful winner: verify each failed result in results (where
r.status === 'rejected') has the expected error code/message (e.g.,
'SCRIPT_FAILED' or 'Invalid auth data') and that the single fulfilled result
contains the original user's objectId; keep the existing verification of
consumed recovery code via user.fetch() and recoveryCode but add checks on
results to assert the precise rejection contract and the winner's returned
objectId to prevent unrelated failures from passing.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@spec/vulnerabilities.spec.js`:
- Around line 4387-4399: Tighten the assertions after the concurrent
loginWithRecovery() calls by checking rejection reasons and the successful
winner: verify each failed result in results (where r.status === 'rejected') has
the expected error code/message (e.g., 'SCRIPT_FAILED' or 'Invalid auth data')
and that the single fulfilled result contains the original user's objectId; keep
the existing verification of consumed recovery code via user.fetch() and
recoveryCode but add checks on results to assert the precise rejection contract
and the winner's returned objectId to prevent unrelated failures from passing.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3201f086-ca8f-4f27-b36c-6cf821aac8c6

📥 Commits

Reviewing files that changed from the base of the PR and between 2be73d9 and da2e484.

📒 Files selected for processing (2)

• spec/vulnerabilities.spec.js
• src/RestWrite.js

[parseplatformorg]

🎉 This change has been released in version 9.7.0-alpha.8