Skip to content

OAUTH-001C1D: bound Strava authorization codes#248

Merged
daliu merged 1 commit into
mainfrom
codex/issue-247-strava-code-bound
Jul 14, 2026
Merged

OAUTH-001C1D: bound Strava authorization codes#248
daliu merged 1 commit into
mainfrom
codex/issue-247-strava-code-bound

Conversation

@daliu

@daliu daliu commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Outcome

Bounds the untrusted Strava authorization code before credentials, provider access, or Firestore. Only a primitive string of 1–1,024 JavaScript/UTF-16 code units is admitted; invalid input returns the existing fixed authorization error with no provider or Firestore side effect.

Closes #247. Parent #88 remains open.

Security invariant

  • App Check runs first and Auth second.
  • Validation runs before credential lookup, provider access, document references, Firestore operations, or timestamps.
  • Admitted strings stay opaque and code-unit-for-code-unit unchanged: no trim, normalization, coercion, parsing, grammar, or case changes.
  • Invalid values and provider details never enter public errors or logs.
  • Existing provider-failure redaction and successful server-only exchange/write/minimal result remain intact.

Proof

  • Intended old-source red: the prior code admitted a synthetic 1,025-code-unit value, completed the mocked exchange, and wrote records; the new rejection assertion failed.
  • npm --prefix functions run lint under Node 20 — PASS.
  • Focused strava.test.js — 41/41 PASS, including App Check/Auth precedence; malformed, empty, boxed, and oversized input; 1/1,024 boundaries; credential/provider/read/write/delete/log containment; opaque-string preservation; provider failures; successful writes/minimal result.
  • Full Functions suite — 25 suites passed, 2 skipped; 1,552 passed, 64 skipped.
  • git diff --check — PASS.
  • Two independent final-diff reviews — security PASS and adversarial-test PASS.
  • Final pre-commit diff SHA-256: 79d03400fb67299279b97454dc98d33a5b4b1d02266d112d4cc521a8acee1e0f.

All fetch and Firebase behavior in tests is mocked. No network/provider/production access occurred.

Migration and residual risk

Migration impact: none. No stored data or schema change.

Excluded and still tracked by #88: callback state/replay/TTL, callback history cleanup beyond #242, successful provider-response validation, App Check handoff, token/scopes/account ownership, refresh concurrency, revoke/audit, IAM/encryption, provider configuration, deployment, and live verification.

Officer handoff

Officer impact: None — this is server input containment. The existing callback UI already presents the fixed member-facing message from #242.

Officer documentation: None — no public wording, navigation, permissions, data movement, deployment, or officer task changed.

Deployment evidence: Source changed and local tests passed. Website publication: not performed. runmprc.com: not verified because no website deployment occurred. Firebase deployment: not performed. Strava/provider configuration: not changed or verified. Production data/migration: none. Live behavior: not claimed.

@netlify

netlify Bot commented Jul 14, 2026

Copy link
Copy Markdown

Deploy Preview for luminous-fox-7c393f ready!

Name Link
🔨 Latest commit 501637b
🔍 Latest deploy log https://app.netlify.com/projects/luminous-fox-7c393f/deploys/6a55e3e6102fa00008a7c75a
😎 Deploy Preview https://deploy-preview-248--luminous-fox-7c393f.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@daliu daliu merged commit 0c973e9 into main Jul 14, 2026
9 checks passed
@daliu daliu deleted the codex/issue-247-strava-code-bound branch July 14, 2026 07:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

OAUTH-001C1D — Bound Strava authorization codes before provider access

1 participant