From 2fb7ff72f3d09aa92db3e540b1bd0e0cd840bdb5 Mon Sep 17 00:00:00 2001
From: Ronni Skansing <rskansing@gmail.com>
Date: Sat, 28 Feb 2026 01:34:12 +0100
Subject: [PATCH] fix potential reuse of oauth on failure to mark as used

Signed-off-by: Ronni Skansing <rskansing@gmail.com>
---
 backend/service/oauthProvider.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/backend/service/oauthProvider.go b/backend/service/oauthProvider.go
index cc24657..cf2626e 100644
--- a/backend/service/oauthProvider.go
+++ b/backend/service/oauthProvider.go
@@ -479,11 +479,13 @@ func (o *OAuthProvider) ExchangeCodeForTokens(
 		return errs.Wrap(err)
 	}
 
-	// mark state token as used
+	// mark state token as used before exchanging the code — if this fails the token
+	// remains unused and could be replayed within the 10-minute expiry window, so
+	// we must abort rather than continue
 	stateID := oauthState.ID.MustGet()
 	if err := o.OAuthStateRepository.MarkAsUsed(ctx, stateID); err != nil {
-		o.Logger.Errorw("failed to mark state token as used", "error", err)
-		// continue anyway - token exchange is more important
+		o.Logger.Errorw("failed to mark state token as used, aborting token exchange to prevent replay", "error", err)
+		return errs.Wrap(err)
 	}
 
 	// get client secret