Hi Rowboat team — this looks like a residual follow-up to the earlier Google OAuth callback fixes in #432 / #431 rather than a duplicate of them.
The iss / callback-param issue appears fixed, but the local callback server still returns an “Authorization Successful” page before the async callback validation/token-exchange path has actually completed.
Related earlier work
Current code path
apps/x/apps/main/src/auth-server.ts
- the callback handler calls
onCallback(url) without await
- success HTML is returned immediately afterward
apps/x/apps/main/src/oauth-handler.ts
- validation / state checks / token exchange still happen asynchronously and can throw after the success page has already been shown
Local validation
I validated this against the current source and got:
{
"status": 200,
"bodyIncludesSuccess": true,
"events": [
"unhandledRejection:Invalid state parameter - possible CSRF attack"
]
}Why I think this matters
This seems to produce a false-success UX and can also leak failures into an unhandled-rejection path in the Electron main process.
I’m not framing this as an auth bypass — it looks more like a correctness / reliability issue that remained after the earlier OAuth fixes.
Suggested direction
await onCallback(url) in the request handler- wrap the callback path in
try/catch
- only return success HTML when callback processing actually succeeds
- return an error page if validation / token exchange fails
- add a focused regression test for async callback failure
I also have a minimal follow-up fix branch ready if that would be useful.
Hi Rowboat team — this looks like a residual follow-up to the earlier Google OAuth callback fixes in #432 / #431 rather than a duplicate of them.
The
iss/ callback-param issue appears fixed, but the local callback server still returns an “Authorization Successful” page before the async callback validation/token-exchange path has actually completed.Related earlier work
Current code path
apps/x/apps/main/src/auth-server.tsonCallback(url)withoutawaitapps/x/apps/main/src/oauth-handler.tsLocal validation
I validated this against the current source and got:
{ "status": 200, "bodyIncludesSuccess": true, "events": [ "unhandledRejection:Invalid state parameter - possible CSRF attack" ] }Why I think this matters
This seems to produce a false-success UX and can also leak failures into an unhandled-rejection path in the Electron main process.
I’m not framing this as an auth bypass — it looks more like a correctness / reliability issue that remained after the earlier OAuth fixes.
Suggested direction
await onCallback(url)in the request handlertry/catchI also have a minimal follow-up fix branch ready if that would be useful.