CodeCow/stack
1
0
Fork 0
mirror of https://github.com/stack-auth/stack.git synced 2026-06-13 21:01:21 +08:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Authorization codes of deleted users are now invalid

Browse Source
This commit is contained in:
Konstantin Wohlwend 2025-10-10 20:02:44 -07:00
parent b7a2a04a16
commit 01aa677de7
1 changed files with 17 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
apps/backend/src/oauth/model.tsx
View File

@ -1,4 +1,5 @@
import { createMfaRequiredError } from "@/app/api/latest/auth/mfa/sign-in/verification-code-handler";
import { usersCrudHandlers } from "@/app/api/latest/users/crud";
import { checkApiKeySet } from "@/lib/internal-api-keys";
import { validateRedirectUrl } from "@/lib/redirect-urls";
import { getSoleTenancyFromProjectBranch, getTenancy } from "@/lib/tenancies";
@ -326,8 +327,24 @@ export class OAuthModel implements AuthorizationCodeModel {
const tenancy = await getTenancy(code.tenancyId);
if (!tenancy) {
// this may trigger when the tenancy was deleted after the code was created
return false;
}
try {
await usersCrudHandlers.adminRead({
tenancy,
user_id: code.projectUserId,
allowedErrorTypes: [KnownErrors.UserNotFound],
});
} catch (error) {
if (error instanceof KnownErrors.UserNotFound) {
// this may trigger when the user was deleted after the code was created
return false;
}
throw error;
}
return {
authorizationCode: code.authorizationCode,
expiresAt: code.expiresAt,