fix(oauth): await callback completion before returning success #510

Open
shaun0927 wants to merge 5 commits into rowboatlabs:dev from shaun0927:fix/oauth-await-callback-success
@shaun0927

Summary

This is a narrow follow-up to #509 (and adjacent to the earlier OAuth callback work in #431 / #432).

The callback server still returned an Authorization Successful page before the asynchronous callback validation / token-exchange path had actually completed. That could leave users looking at a success page while the flow failed in an unhandled rejection afterward.

This patch makes the callback response follow the actual callback outcome: it now awaits onCallback(url) and returns an error page if callback processing throws.

Related issues

Changes

  • apps/x/apps/main/src/auth-server.ts
    • make the HTTP callback handler await onCallback(url)
    • return the existing success page only after callback processing succeeds
    • return an error page when callback processing throws
    • keep the existing full-callback-URL behavior intact

Why this scope

I kept the change in auth-server.ts only so it corrects the false-success / unhandled-rejection path without changing the broader OAuth flow or provider-specific logic.

Testing

  1. cd apps/x && pnpm install && pnpm run deps
  2. cd apps/main && npm run build
  3. Re-ran the source-backed failure harness against the patched branch:
{
  "status": 200,
  "bodyIncludesSuccess": false,
  "bodyIncludesFailure": true,
  "events": []
}

arkml and others added 5 commits April 10, 2026 00:00
feat(oauth): switch Google OAuth from PKCE to authorization code flow…
The callback server was acknowledging success before the asynchronous validation/token-exchange path had actually finished, which could leave users looking at a success page while the flow failed in an unhandled rejection. The handler now awaits callback completion and returns an error page when callback processing fails.

Constraint: Needs to remain compatible with the existing full-callback-URL OAuth flow added in prior fixes
Rejected: Catch-and-log callback errors without changing the response body | preserves the misleading success UX and hides failure state from users
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: Keep the auth callback response coupled to actual callback completion; do not move async failures back onto an unobserved path
Tested: pnpm install; pnpm run deps; apps/main npm run build; source-backed auth callback failure validation JSON
Not-tested: Live provider OAuth round-trip against real credentials
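
Added example, not code from this pull request or from auth-server.ts: a constructed JavaScript model of the two handler shapes the description contrasts, driven by an in-memory response object instead of a real socket. The handler names, page strings, callback path and probe() are assumptions; the result fields mirror the harness JSON above, with events taken here to mean recorded unhandled rejections.

```javascript
// Added example: constructed handlers, not the code in auth-server.ts.
const SUCCESS = "<h1>Authorization Successful</h1>"; // assumed page text
const FAILURE = "<h1>Authorization Failed</h1>";     // assumed page text
// "Before" shape: the success page is sent while onCallback is still pending.
function fireAndForgetHandler(onCallback) {
  return (req, res) => {
    onCallback(new URL(req.url, "http://localhost")); // not awaited: rejection is unobserved
    res.writeHead(200, { "Content-Type": "text/html" });
    res.end(SUCCESS);
  };
}

// "After" shape: the page is chosen only once onCallback has settled.
function awaitingHandler(onCallback) {
  return async (req, res) => {
    let body = SUCCESS;
    try {
      await onCallback(new URL(req.url, "http://localhost"));
    } catch (err) {
      body = FAILURE; // generic page; error detail stays out of the HTML
    }
    res.writeHead(200, { "Content-Type": "text/html" });
    res.end(body);
  };
}

// Drives a handler with an in-memory response and records unhandled rejections.
async function probe(makeHandler, onCallback) {
  const events = [];
  const onUnhandled = (reason) => events.push(String(reason));
  process.on("unhandledRejection", onUnhandled);
  const out = { status: 0, body: "" };
  const res = {
    writeHead: (status) => { out.status = status; },
    end: (body) => { out.body = body; },
  };
  const req = { url: "/oauth/callback?code=constructed&state=constructed" }; // constructed
  await makeHandler(onCallback)(req, res);
  await new Promise((resolve) => setTimeout(resolve, 20)); // let late rejections surface
  process.off("unhandledRejection", onUnhandled);
  return {
    status: out.status,
    bodyIncludesSuccess: out.body.includes("Successful"),
    bodyIncludesFailure: out.body.includes("Failed"),
    events,
  };
}
// Constructed failure: a token exchange that rejects.
const failingExchange = async () => { throw new Error("token exchange failed"); };
```

With failingExchange, probe(fireAndForgetHandler, ...) reports the success page plus one recorded rejection, while probe(awaitingHandler, ...) reports the failure page and no recorded rejections.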
Development

Successfully merging this pull request may close these issues.

OAuth callback handler still returns success before async validation completes

3 participants