From 01aa677de7f4ec12c0800947c6f7e1a05979ccae Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend <n2d4xc@gmail.com>
Date: Fri, 10 Oct 2025 20:02:44 -0700
Subject: [PATCH] Authorization codes of deleted users are now invalid

---
 apps/backend/src/oauth/model.tsx | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/apps/backend/src/oauth/model.tsx b/apps/backend/src/oauth/model.tsx
index 2bbea863c..370267a35 100644
--- a/apps/backend/src/oauth/model.tsx
+++ b/apps/backend/src/oauth/model.tsx
@@ -1,4 +1,5 @@
 import { createMfaRequiredError } from "@/app/api/latest/auth/mfa/sign-in/verification-code-handler";
+import { usersCrudHandlers } from "@/app/api/latest/users/crud";
 import { checkApiKeySet } from "@/lib/internal-api-keys";
 import { validateRedirectUrl } from "@/lib/redirect-urls";
 import { getSoleTenancyFromProjectBranch, getTenancy } from "@/lib/tenancies";
@@ -326,8 +327,24 @@ export class OAuthModel implements AuthorizationCodeModel {
     const tenancy = await getTenancy(code.tenancyId);
 
     if (!tenancy) {
+      // this may trigger when the tenancy was deleted after the code was created
       return false;
     }
+
+    try {
+      await usersCrudHandlers.adminRead({
+        tenancy,
+        user_id: code.projectUserId,
+        allowedErrorTypes: [KnownErrors.UserNotFound],
+      });
+    } catch (error) {
+      if (error instanceof KnownErrors.UserNotFound) {
+        // this may trigger when the user was deleted after the code was created
+        return false;
+      }
+      throw error;
+    }
+
     return {
       authorizationCode: code.authorizationCode,
       expiresAt: code.expiresAt,