Skip to content

fix: address review findings in auth flow#5

Merged
Dhravya merged 2 commits intofeat/browser-auth-flowfrom
vorflux/fix-auth-review-findings
Apr 28, 2026
Merged

fix: address review findings in auth flow#5
Dhravya merged 2 commits intofeat/browser-auth-flowfrom
vorflux/fix-auth-review-findings

Conversation

@vorflux
Copy link
Copy Markdown

@vorflux vorflux Bot commented Apr 28, 2026
edited
Loading

Fixes all four issues flagged in the PR #4 review.

Changes

1. Add state token to prevent local callback forgery -- High (src/services/auth.ts)

  • Generate a random 16-byte hex nonce per auth attempt via crypto.randomBytes
  • Include the state param in the browser URL sent to app.supermemory.ai
  • Reject callbacks where state does not match with a 403 response
  • Prevents other local processes from injecting a malicious API key

2. Clear timeout on successful auth -- Medium (src/services/auth.ts)

  • Store the setTimeout handle and call clearTimeout(timer) on both the resolve and server-error paths
  • Eliminates the ~25s process hang after a successful browser login

3. Restrict credentials file permissions -- Medium (src/services/auth.ts)

  • Create ~/.codex/supermemory/ with mode 0o700 (owner-only access)
  • Write credentials.json with mode 0o600 (owner read/write only)
  • Prevents other local users from reading the raw API key

4. Fix status() to use credential store -- Low (src/cli.ts)

  • status() now calls loadCredentials() as a fallback when no env var is set
  • Displays the correct source of the API key (env var vs credentials file)
  • No longer reports "not set" after a successful browser login

Testing

  • npm test passes: 29/29 tests, 0 failures
  • Build succeeds with no errors

Session Details

  • Session: View Session
  • Requested by: Unknown
  • Address comments on this PR. Add (aside) to your comment to have me ignore it.

Vorflux AI added 2 commits April 28, 2026 19:59
fix: update tests and status command for browser auth flow
9dabed3 
- test/unit.mjs: update skill tests to assert exit(1) + stderr matching
  /Supermemory is not authenticated/ — the PR intentionally changed skills
  from exit(0)+stdout to exit(1)+stderr when unconfigured

- src/hooks/recall.ts: add mkdirSync before writeFileSync(.auth-attempted)
  so the 'only attempt auth once' guard actually works when ~/.codex/supermemory/
  doesn't exist yet. Without this fix the sentinel file was silently dropped
  and every recall invocation retried the 25s browser timeout.

- test/unit.mjs: isolate recall hook tests with HOME: tmpDir so the
  .auth-attempted file is writable; pre-create it in tests 4+5 to avoid
  the 25s auth timeout (reducing suite time from ~75s to ~25s)

- src/cli.ts: status() now reads credentials.json via loadCredentials()
  so users who authenticated via the browser flow see '✓ set' instead of
  the misleading '✗ not set'

- test/unit.mjs: add supermemory-login to install/uninstall skill coverage
fix: address review findings in auth flow
b24420e 
- Add random state token to prevent local callback forgery (CSRF)
- Clear setTimeout on successful auth to avoid 25s process hang
- Set restrictive file permissions (0o700 dir, 0o600 file) on credentials
@vorflux vorflux Bot mentioned this pull request Apr 28, 2026
Merged
7 tasks
@Dhravya Dhravya merged commit f567021 into feat/browser-auth-flow Apr 28, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Dhravya