OAUTH-001C1D: bound Strava authorization codes#248
Merged
Conversation
✅ Deploy Preview for luminous-fox-7c393f ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Outcome
Bounds the untrusted Strava authorization code before credentials, provider access, or Firestore. Only a primitive string of 1–1,024 JavaScript/UTF-16 code units is admitted; invalid input returns the existing fixed authorization error with no provider or Firestore side effect.
Closes #247. Parent #88 remains open.
Security invariant
Proof
npm --prefix functions run lintunder Node 20 — PASS.strava.test.js— 41/41 PASS, including App Check/Auth precedence; malformed, empty, boxed, and oversized input; 1/1,024 boundaries; credential/provider/read/write/delete/log containment; opaque-string preservation; provider failures; successful writes/minimal result.git diff --check— PASS.79d03400fb67299279b97454dc98d33a5b4b1d02266d112d4cc521a8acee1e0f.All fetch and Firebase behavior in tests is mocked. No network/provider/production access occurred.
Migration and residual risk
Migration impact: none. No stored data or schema change.
Excluded and still tracked by #88: callback state/replay/TTL, callback history cleanup beyond #242, successful provider-response validation, App Check handoff, token/scopes/account ownership, refresh concurrency, revoke/audit, IAM/encryption, provider configuration, deployment, and live verification.
Officer handoff
Officer impact: None — this is server input containment. The existing callback UI already presents the fixed member-facing message from #242.
Officer documentation: None — no public wording, navigation, permissions, data movement, deployment, or officer task changed.
Deployment evidence: Source changed and local tests passed. Website publication: not performed.
runmprc.com: not verified because no website deployment occurred. Firebase deployment: not performed. Strava/provider configuration: not changed or verified. Production data/migration: none. Live behavior: not claimed.