Race condition (TOCTOU) issue fix #2522

Merged
yeshamavani merged 6 commits into master from GH-2504 on May 19, 2026

Conversation

@vinaygupta-sourcefuse (Contributor) commented May 5, 2026

Description

Previously, authorization codes could be redeemed multiple times in concurrent requests, allowing attackers to hijack legitimate sessions. The fix ensures auth codes can only be redeemed once, with proper atomic guarantees even under high concurrency.

Fixed race condition vulnerability in authorization code redemption to prevent session hijacking attacks.

Fixes # GH-2504

On the second hit of the auth/token endpoint it will throw the 'Code Expired Error' [as expected]

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Intermediate change (work in progress)

Checklist:

  • Performed a self-review of my own code
  • npm test passes on your machine
  • New tests added or existing tests modified to cover all changes
  • Code conforms with the style guide
  • API Documentation in code was updated
  • Any dependent changes have been merged and published in downstream modules

@vinaygupta-sourcefuse vinaygupta-sourcefuse added the bug Something isn't working label May 5, 2026
@sonarqube-agent (AI, Contributor) commented May 5, 2026

SonarQube Remediation Agent

SonarQube found 1 issue in this PR that the agent can fix for you. Est. time saved: ~5 min

1 issue found
  • 🔴 Remove this use of the "void" operator. (revoked-token.repository.ts:41)

@sonarqubecloud

SonarQube reviewer guide

Summary: Upgrade TypeDoc and related documentation tools while adding authorization code replay protection.

Review Focus: The core change is adding atomic setIfNotExists method to RevokedTokenRepository for preventing authorization code replay attacks. This is critical security functionality - ensure the atomic Redis operations (SET NX EX) are correctly implemented and properly handle fallback scenarios when Redis doesn't support atomic operations. Also review the race condition acceptance test to verify it adequately validates the protection mechanism.

Start review at: packages/core/src/repositories/revoked-token.repository.ts. This is the foundational security change where the atomic operation for preventing replay attacks is implemented. The method's correctness directly impacts whether concurrent requests attempting to use the same auth code are properly rejected.

Quality Gate passed

Issues
  • 0 New issues
  • 0 Accepted issues

Measures
  • 0 Security Hotspots
  • 0.0% Coverage on New Code
  • 20.5% Duplication on New Code

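To make the race the reviewer guide describes concrete, here is an added TypeScript example (not code from this PR or the project): a check-then-set redemption next to an atomic claim modelled on Redis SET NX EX, both run under a simulated interleaving of concurrent requests for the same authorization code. The in-memory store, the attempt objects, the scheduler and the sample code value are assumptions constructed for the example; only the method name setIfNotExists and the NX/EX semantics come from the PR.

```typescript
// Added example, not the project's code: the in-memory store, attempts and
// scheduler are assumptions; only setIfNotExists and SET NX EX come from the PR.
type Store = Map<string, { expiresAt: number }>;
function hasLive(store: Store, key: string, now: number): boolean {
  const e = store.get(key);
  return e !== undefined && e.expiresAt > now;
}

// One atomic step, like Redis SET key value NX EX ttl: true only for the
// caller that created the key; an expired key can be claimed again.
function setIfNotExists(store: Store, key: string, ttlSec: number, now = Date.now()): boolean {
  if (hasLive(store, key, now)) return false;
  store.set(key, { expiresAt: now + ttlSec * 1000 });
  return true;
}

// A redemption attempt advanced one round trip at a time; null = still in flight.
interface Attempt { step(): boolean | null; }

// Vulnerable (TOCTOU): EXISTS, then SET, as two separate round trips.
function checkThenSetAttempt(store: Store, code: string): Attempt {
  let seen: boolean | null = null;
  return { step() {
    if (seen === null) { seen = hasLive(store, code, Date.now()); return null; } // time of check
    if (seen) return false;                                                       // reject replay
    store.set(code, { expiresAt: Date.now() + 60000 });                           // time of use
    return true;
  } };
}

// Fixed: the check and the write are one atomic command.
function atomicAttempt(store: Store, code: string): Attempt {
  let sent = false;
  return { step() {
    if (!sent) { sent = true; return null; } // command in flight
    return setIfNotExists(store, code, 60);
  } };
}

// Interleave n attempts round-robin (one step each per round, like concurrent
// requests taking turns on the event loop) and count how many redeemed the code.
function countRedemptions(make: (s: Store, c: string) => Attempt, n: number): number {
  const store: Store = new Map();
  const attempts = Array.from({ length: n }, () => make(store, "auth-code-123")); // constructed code
  const results: (boolean | null)[] = attempts.map(() => null);
  while (results.some((r) => r === null)) {
    attempts.forEach((a, i) => { if (results[i] === null) results[i] = a.step(); });
  }
  return results.filter((r) => r === true).length;
}
```

With ten interleaved attempts, the check-then-set path lets all ten redeem the same code, while the atomic claim admits exactly one and returns the "already used" result to the rest.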

@yeshamavani yeshamavani merged commit cedd708 into master May 19, 2026
11 checks passed
@yeshamavani yeshamavani deleted the GH-2504 branch May 19, 2026 08:18