@crackedhandle
fixes #26933

What this does

  • Adds previousSecret field to PlatformOAuthClient
  • When rotating secret, old secret is stored and replaced
  • Old secret is explicitly rejected by API auth strategy

Why

Allows safe OAuth client secret rotation while ensuring old secrets are immediately invalidated.

Images

[Image: ChatGPT Image Jan 17, 2026, 03_26_51 PM]

@crackedhandle crackedhandle requested a review from a team as a code owner January 17, 2026 10:00
@CLAassistant
CLAassistant commented Jan 17, 2026

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions bot added the Medium priority Created by Linear-GitHub Sync label Jan 17, 2026
@graphite-app graphite-app bot added the community Created by Linear-GitHub Sync label Jan 17, 2026
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 3 files


Since this is your first cubic review, here's how it works:

  • cubic automatically reviews your code and comments on bugs and improvements
  • Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
  • Ask questions if you need clarification on any suggestion

Contributor

@keithwillcode keithwillcode left a comment

Why are we storing the previous secret? Rotating it automatically invalidates any clients sending it still.
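
A sketch of the rotation described in the PR summary and questioned in the review above, added here as an example and not code from the PR or the project. Only the `previousSecret` name comes from the page; the record shape, the function names, the result labels and the choice to store SHA-256 digests instead of raw secrets are assumptions.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical in-memory record; only the previousSecret name comes from the PR.
// Keeping SHA-256 digests rather than raw secrets is an assumption of this sketch.
interface ClientRecord {
  id: string;
  secretHash: Buffer;
  previousSecretHash: Buffer | null;
}

type AuthResult = "ok" | "rotated_out" | "unknown";

const digest = (secret: string): Buffer => createHash("sha256").update(secret).digest();

function createClient(id: string): { client: ClientRecord; secret: string } {
  const secret = randomBytes(32).toString("hex");
  return { client: { id, secretHash: digest(secret), previousSecretHash: null }, secret };
}

// Rotation: the current digest moves to previousSecretHash and a new secret is issued.
function rotateSecret(client: ClientRecord): string {
  const next = randomBytes(32).toString("hex");
  client.previousSecretHash = client.secretHash;
  client.secretHash = digest(next);
  return next;
}

// Only the current secret authenticates. The previous digest is consulted solely
// to label the failure, so stale callers can be told apart from unknown ones in logs.
function authenticate(client: ClientRecord, presented: string): AuthResult {
  const h = digest(presented); // always 32 bytes, so timingSafeEqual lengths match
  if (timingSafeEqual(h, client.secretHash)) return "ok";
  if (client.previousSecretHash && timingSafeEqual(h, client.previousSecretHash)) {
    return "rotated_out";
  }
  return "unknown";
}

// Constructed demo values: authenticate before rotation, then with old, new and bogus secrets.
function demo(): AuthResult[] {
  const { client, secret: oldSecret } = createClient("client_demo");
  const before = authenticate(client, oldSecret);
  const newSecret = rotateSecret(client);
  return [before, authenticate(client, oldSecret), authenticate(client, newSecret),
          authenticate(client, "not-a-secret")];
}
```

In this sketch the old secret fails authentication whether or not the previous digest is kept; the stored value only changes how the failure is labelled.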

Labels

community Created by Linear-GitHub Sync Medium priority Created by Linear-GitHub Sync size/M

Development

Successfully merging this pull request may close these issues.

Allow rotating client secret

3 participants