Commit 8973d1b
fix: use gateway owner_id for relay OAuth nonce storage (#2473)
* fix: use gateway owner_id for relay OAuth nonce storage
The relay OAuth nonce was stored under the authenticated user's ID
(a DB user UUID) but the callback handler looked it up under
state.owner_id (the gateway owner, typically "default"). This
mismatch caused the nonce lookup to silently fail, returning
"Invalid or expired authorization" on every Slack OAuth callback.
Use self.user_id (which holds config.owner_id) in auth_channel_relay
for nonce storage so both sides use the same scope.
Also adds tracing to the callback handler's get_decrypted error path
to make future auth failures diagnosable.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* test: add test for nonce user scope mismatch
Verifies that a nonce stored under a DB user UUID (different from the
gateway owner_id) is not found by the callback handler, reproducing
the bug that caused "Invalid or expired authorization" on hosted
instances.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address PR review comments
- Also delete legacy caller-scoped nonce on upgrade (Copilot)
- Include redacted state param in tracing log (Gemini)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 2dc78b2, commit 8973d1b
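The scope mismatch the commit message describes, as an added Python sketch that is not the project's code: a pending-nonce store keyed by scope, a relay-start step that persists the nonce, and a callback that can only scope its lookup by `state.owner_id`. Storing under the caller's DB user UUID while looking up under the gateway owner id fails every time; storing under the owner id (and dropping any stale caller-scoped entry on the upgrade path) makes the round trip work. `NonceStore`, `start_relay_auth`, `handle_callback`, `redact_state` and the sample ids are all hypothetical/constructed.

```python
# Added illustration (not the project's code) of the relay OAuth nonce scope
# mismatch. Store layout, function names and sample ids are constructed.
import hmac
import secrets
from typing import Dict, Optional, Tuple

OWNER_ID = "default"                    # gateway owner (what config.owner_id holds)
DB_USER_UUID = "0f6c1d2e-constructed"   # authenticated caller's DB user id (constructed)


class NonceStore:
    """One pending OAuth nonce per scope; stands in for a persisted, encrypted setting."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}

    def put(self, scope: str, nonce: str) -> None:
        self._pending[scope] = nonce

    def consume(self, scope: str, nonce: str) -> bool:
        # One-shot: the nonce must match under exactly the scope it was stored in,
        # and it is removed on first use so a replayed callback is rejected.
        stored = self._pending.get(scope)
        if stored is None or not hmac.compare_digest(stored, nonce):
            return False
        del self._pending[scope]
        return True

    def delete(self, scope: str) -> bool:
        return self._pending.pop(scope, None) is not None

    def has(self, scope: str) -> bool:
        return scope in self._pending


def start_relay_auth(store: NonceStore, storage_scope: str,
                     legacy_scope: Optional[str] = None) -> Dict[str, str]:
    """Begin the relay flow: mint a nonce, persist it under storage_scope and
    return the state param the provider will echo back to the callback."""
    nonce = secrets.token_urlsafe(16)
    store.put(storage_scope, nonce)
    if legacy_scope is not None and legacy_scope != storage_scope:
        # Upgrade path: a nonce left under the old caller scope can never be
        # looked up by the callback, so it must not linger.
        store.delete(legacy_scope)
    return {"owner_id": OWNER_ID, "nonce": nonce}


def redact_state(state: Dict[str, str]) -> str:
    """Log-safe rendering of the state param: scope in clear, nonce mostly hidden."""
    nonce = state.get("nonce", "")
    return f"owner_id={state.get('owner_id')} nonce={nonce[:4]}...({len(nonce)} chars)"


def handle_callback(store: NonceStore, state: Dict[str, str]) -> str:
    """The callback has only the state param, so it scopes the lookup by owner_id."""
    if not store.consume(state["owner_id"], state["nonce"]):
        # Tracing point: the redacted state is enough to spot a scope mismatch.
        print("nonce lookup failed:", redact_state(state))
        return "Invalid or expired authorization"
    return "ok"


def buggy_flow() -> str:
    """Before the fix: stored under the caller's DB UUID, looked up under owner_id."""
    store = NonceStore()
    state = start_relay_auth(store, storage_scope=DB_USER_UUID)
    return handle_callback(store, state)


def fixed_flow() -> Tuple[str, bool, str]:
    """After the fix: both sides use owner_id; a stale caller-scoped nonce is
    cleaned up, and a second (replayed) callback with the same state is rejected."""
    store = NonceStore()
    store.put(DB_USER_UUID, "stale-nonce-from-old-version")  # constructed leftover
    state = start_relay_auth(store, storage_scope=OWNER_ID, legacy_scope=DB_USER_UUID)
    first = handle_callback(store, state)
    return first, store.has(DB_USER_UUID), handle_callback(store, state)


if __name__ == "__main__":
    print("buggy:", buggy_flow())
    print("fixed:", fixed_flow())
```

The mismatch is not visible from either handler alone; it only shows up when the two ends of the flow are written against the same store, which is why a test that stores under one scope and looks up under the other (as the commit's test does) is the right regression guard.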
2 files changed
Lines changed: 73 additions & 3 deletions
File 1 (file name not present on the page; diff line content not present on the page):
- hunk at old line 2122: 1 line removed, 8 lines added (new lines 2122-2129)
- hunk after old line 6646: 53 lines added (new lines 6654-6706)
File 2 (file name not present on the page; diff line content not present on the page):
- hunk at old line 6075: 1 line removed, 7 lines added (new lines 6075-6081)
- 1 line added after old line 6076 (new line 6083)
- hunk at old line 6078: 1 line removed, 4 lines added (new lines 6085-6088)