Update default expiration time for CLI auth from 2 minutes to 10 minutes and improve null checks in route handlers

Author: mantrakp04

apps/backend/src/app/api/latest/auth/cli/poll/route.tsx

@@ -69,24 +69,32 @@ export const POST = createSmartRouteHandler({
       return createResponse('expired');
     }
 
-    if (cliAuth.usedAt) {
+    if (cliAuth.usedAt !== null) {
       return createResponse('used');
     }
 
-    if (!cliAuth.refreshToken) {
+    if (cliAuth.refreshToken === null) {
       return createResponse('waiting');
     }
 
-    // Mark as used
-    await prisma.$executeRaw(Prisma.sql`
+    // Atomically mark as used, claiming the row only if no one else has.
+    // This prevents a TOCTOU race where two concurrent polls could both
+    // read usedAt = null and both receive the same refresh token.
+    const claimed = await prisma.$queryRaw<{ refreshToken: string }[]>(Prisma.sql`
       UPDATE ${sqlQuoteIdent(schema)}."CliAuthAttempt"
       SET
         "usedAt" = NOW(),
         "updatedAt" = NOW()
       WHERE "tenancyId" = ${tenancy.id}::UUID
         AND "id" = ${cliAuth.id}::UUID
+        AND "usedAt" IS NULL
+      RETURNING "refreshToken"
     `);
 
-    return createResponse('success', cliAuth.refreshToken);
+    if (claimed.length === 0) {
+      return createResponse('used');
+    }
+
+    return createResponse('success', claimed[0].refreshToken);
   },
 });

apps/backend/src/app/api/latest/auth/cli/route.tsx

@@ -25,7 +25,7 @@ export const POST = createSmartRouteHandler({
       tenancy: adaptSchema.defined(),
     }).defined(),
     body: yupObject({
-      expires_in_millis: yupNumber().max(1000 * 60 * 60 * 24).default(1000 * 60 * 2), // Default: 2 minutes, max: 24 hours
+      expires_in_millis: yupNumber().max(1000 * 60 * 60 * 24).default(1000 * 60 * 10), // Default: 10 minutes, max: 24 hours
       anon_refresh_token: yupString().optional(),
     }).default({}),
   }),
@@ -41,7 +41,7 @@ export const POST = createSmartRouteHandler({
   async handler({ auth: { tenancy }, body: { expires_in_millis, anon_refresh_token } }) {
     let anonRefreshToken: string | null = null;
 
-    if (anon_refresh_token) {
+    if (anon_refresh_token != null) {
       const refreshTokenRows = await globalPrismaClient.$queryRaw<RefreshTokenRow[]>(Prisma.sql`
         SELECT "tenancyId", "projectUserId", "expiresAt"
         FROM "ProjectUserRefreshToken"
@@ -57,7 +57,7 @@ export const POST = createSmartRouteHandler({
         throw new StatusError(400, "Anon refresh token does not belong to this project");
       }
 
-      if (refreshTokenObj.expiresAt && refreshTokenObj.expiresAt < new Date()) {
+      if (refreshTokenObj.expiresAt != null && refreshTokenObj.expiresAt < new Date()) {
         throw new StatusError(400, "The provided anon refresh token has expired");
       }
 

docker/server/.env.example

@@ -2,9 +2,6 @@
 
 NEXT_PUBLIC_STACK_API_URL=http://localhost:8102
 NEXT_PUBLIC_STACK_DASHBOARD_URL=http://localhost:8101
-STACK_API_URL=http://localhost:8102
-STACK_DASHBOARD_URL=http://localhost:8101
-STACK_CLI_PUBLISHABLE_CLIENT_KEY=
 
 STACK_DATABASE_CONNECTION_STRING=postgres://postgres:password@host.docker.internal:8128/stackframe
 

packages/stack-cli/src/lib/auth.ts

@@ -1,8 +1,8 @@
 import { readConfigValue } from "./config.js";
 import { AuthError } from "./errors.js";
 
-export const DEFAULT_API_URL = process.env.STACK_API_URL ?? "https://api.stack-auth.com";
-export const DEFAULT_DASHBOARD_URL = process.env.STACK_DASHBOARD_URL ?? "https://app.stack-auth.com";
+export const DEFAULT_API_URL = "https://api.stack-auth.com";
+export const DEFAULT_DASHBOARD_URL = "https://app.stack-auth.com";
 export const DEFAULT_PUBLISHABLE_CLIENT_KEY = process.env.STACK_CLI_PUBLISHABLE_CLIENT_KEY ?? "pck_9bbqvqsbh0gdb6smk11d71qg4ktc4rz8ya7cc69yndm7g";
 
 type Flags = {