feedback

Author: brendan-kellam

packages/web/src/ee/features/oauth/server.test.ts

@@ -212,10 +212,21 @@ describe('verifyAndRotateRefreshToken', () => {
         });
     });
 
-    test('returns invalid_grant and revokes all tokens when refresh token is not found (theft detection)', async () => {
+    test('returns invalid_grant immediately if token does not have the correct prefix', async () => {
+        const result = await verifyAndRotateRefreshToken({
+            rawRefreshToken: 'invalid_prefix_token',
+            clientId: 'test-client-id',
+            resource: null,
+        });
+
+        expect(result).toMatchObject({ error: 'invalid_grant' });
+        expect(prisma.oAuthRefreshToken.findUnique).not.toHaveBeenCalled();
+        expect(prisma.oAuthToken.deleteMany).not.toHaveBeenCalled();
+        expect(prisma.oAuthRefreshToken.deleteMany).not.toHaveBeenCalled();
+    });
+
+    test('returns invalid_grant when refresh token is not found without revoking other tokens', async () => {
         prisma.oAuthRefreshToken.findUnique.mockResolvedValue(null);
-        prisma.oAuthToken.deleteMany.mockResolvedValue({ count: 1 });
-        prisma.oAuthRefreshToken.deleteMany.mockResolvedValue({ count: 1 });
 
         const result = await verifyAndRotateRefreshToken({
             rawRefreshToken: 'sbor_used',
@@ -224,8 +235,8 @@ describe('verifyAndRotateRefreshToken', () => {
         });
 
         expect(result).toMatchObject({ error: 'invalid_grant' });
-        expect(prisma.oAuthToken.deleteMany).toHaveBeenCalledWith({ where: { clientId: 'test-client-id' } });
-        expect(prisma.oAuthRefreshToken.deleteMany).toHaveBeenCalledWith({ where: { clientId: 'test-client-id' } });
+        expect(prisma.oAuthToken.deleteMany).not.toHaveBeenCalled();
+        expect(prisma.oAuthRefreshToken.deleteMany).not.toHaveBeenCalled();
     });
 
     test('returns invalid_grant if client_id does not match', async () => {

packages/web/src/ee/features/oauth/server.ts

@@ -153,17 +153,15 @@ export async function verifyAndRotateRefreshToken({
     clientId: string;
     resource: string | null;
 }): Promise<{ token: string; refreshToken: string; expiresIn: number } | { error: string; errorDescription: string }> {
+    if (!rawRefreshToken.startsWith(OAUTH_REFRESH_TOKEN_PREFIX)) {
+        return { error: 'invalid_grant', errorDescription: 'Refresh token is invalid.' };
+    }
+
     const hash = hashSecret(rawRefreshToken.slice(OAUTH_REFRESH_TOKEN_PREFIX.length));
 
     const existing = await prisma.oAuthRefreshToken.findUnique({ where: { hash } });
 
     if (!existing) {
-        // Token not found — either never existed or already rotated.
-        // Treat as potential theft: revoke all tokens for this client to be safe.
-        await prisma.$transaction([
-            prisma.oAuthToken.deleteMany({ where: { clientId } }),
-            prisma.oAuthRefreshToken.deleteMany({ where: { clientId } }),
-        ]);
         return { error: 'invalid_grant', errorDescription: 'Refresh token is invalid or has already been used.' };
     }
 

packages/web/src/withAuthV2.test.ts

@@ -196,23 +196,28 @@ describe('getAuthenticatedUser', () => {
     });
 
     test('should return undefined if an OAuth Bearer token is present but the token does not exist', async () => {
+        mocks.hasEntitlement.mockReturnValue(true);
         prisma.oAuthToken.findUnique.mockResolvedValue(null);
         setMockHeaders(new Headers({ 'Authorization': 'Bearer sboa_oauthtoken' }));
         const user = await getAuthenticatedUser();
         expect(user).toBeUndefined();
+        expect(prisma.oAuthToken.findUnique).toHaveBeenCalled();
     });
 
     test('should return undefined if an OAuth Bearer token is present but the token is expired', async () => {
+        mocks.hasEntitlement.mockReturnValue(true);
         prisma.oAuthToken.findUnique.mockResolvedValue({
             ...MOCK_OAUTH_TOKEN,
             expiresAt: new Date(Date.now() - 1000), // expired 1 second ago
         });
         setMockHeaders(new Headers({ 'Authorization': 'Bearer sboa_oauthtoken' }));
         const user = await getAuthenticatedUser();
         expect(user).toBeUndefined();
+        expect(prisma.oAuthToken.findUnique).toHaveBeenCalled();
     });
 
     test('should not check API key when a sboa_ Bearer token is present', async () => {
+        mocks.hasEntitlement.mockReturnValue(true);
         prisma.oAuthToken.findUnique.mockResolvedValue(MOCK_OAUTH_TOKEN);
         setMockHeaders(new Headers({ 'Authorization': 'Bearer sboa_oauthtoken' }));
         await getAuthenticatedUser();