Summary
The demo server stores OAuth sessions (including access tokens, refresh tokens, and DPoP key material) in a plain in-memory Map (demo/server/oauth/client.ts:20). There is no expiry sweep, no size cap, and no persistence.
Details
- In a long-running process this is an unbounded memory leak.
- On process restart, all sessions silently vanish and users must re-authenticate with no clear error.
- The file's own comment acknowledges this is demo-only, but the demo may be used as a production template.
Suggested Fix
- Add a TTL-based expiry sweep to sessions (and states).
- Document clearly that these must be replaced with a persistent store (Redis, DB) before any production use.
- Consider adding a startup warning if a non-ephemeral session store is not configured.