
fix: OAuth callback updates platform token state #242

Merged
saggacce merged 1 commit into main from fix/oauth-callback-platform-token on May 31, 2026

Conversation

@saggacce (Owner)

After reconnecting pred.gg, the banner kept showing "Token expired" because the OAuth callback only saved session cookies and did not update PlatformCredential or platformTokenState.

Now, after a successful OAuth flow, the callback:

  1. Saves the refresh token in PlatformCredential (so that automatic syncs work)
  2. Sets platformTokenState.status = 'ok' immediately
  3. The banner turns green as soon as the user returns to Data Quality

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d1ff016d70


Comment on lines +358 to +362
await db.platformCredential.upsert({
where: { key: 'predgg_refresh_token' },
update: { value: tokenData.refresh_token },
create: { key: 'predgg_refresh_token', value: tokenData.refresh_token },
});


P1: Restrict platform credential updates to admins

This callback is the same public pred.gg login flow used outside the admin reconnect banner (for example the Player Scouting login link calls /auth/predgg), and /auth is mounted without requireAuth/requirePlatformAdmin. With this upsert, any user who completes a normal pred.gg OAuth login can overwrite the global predgg_refresh_token used by background/admin syncs and mark platformTokenState as ok, so the platform credential can silently become tied to an arbitrary non-admin user's account or be broken when that user revokes/expires it. Gate this persistence/state update behind the internal admin session or use a separate admin-only callback/flow.

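Added example, not code from the repository or from either comment above: it models the callback behaviour the PR description lays out (save the refresh token in PlatformCredential, set platformTokenState.status = 'ok') beside a variant gated the way the Codex review asks, so the public pred.gg login used by Player Scouting can no longer overwrite the platform credential. The Express-style req shape, the in-memory stand-in for db.platformCredential, the session fields isPlatformAdmin and adminReconnectState, and the tokenData shape ({ access_token, refresh_token }) are all assumptions made for the illustration.

```javascript
// Added illustration, not the project's code. Everything about request,
// session and storage shape here is assumed.
const PLATFORM_CREDENTIAL_KEY = 'predgg_refresh_token';

// Synchronous stand-in for the Prisma-style platformCredential model
// (the real upsert is awaited; async is dropped so the example runs as a script).
function createPlatformCredentialStore() {
  const rows = new Map();
  return {
    upsert({ where, update, create }) {
      const existing = rows.get(where.key);
      rows.set(where.key, existing ? { ...existing, ...update } : { ...create });
      return rows.get(where.key);
    },
    get(key) {
      return rows.get(key);
    },
  };
}

// State the Data Quality banner reads; starts in the "Token expired" condition.
function createPlatformTokenState() {
  return { status: 'expired' };
}

// The persistence the PR adds: store the refresh token, flip the banner to ok.
function persistPlatformCredential(tokenData, { db, platformTokenState }) {
  db.platformCredential.upsert({
    where: { key: PLATFORM_CREDENTIAL_KEY },
    update: { value: tokenData.refresh_token },
    create: { key: PLATFORM_CREDENTIAL_KEY, value: tokenData.refresh_token },
  });
  platformTokenState.status = 'ok';
}

// Unconditional variant: any completed pred.gg login, admin or not, becomes
// the platform's refresh token and turns the banner green.
function unsafeCallback(req, tokenData, deps) {
  req.session.predggAccessToken = tokenData.access_token;
  persistPlatformCredential(tokenData, deps);
  return { persistedPlatformCredential: true };
}

// Hardened variant: the per-user session value is still set for everyone, but
// the global credential only changes when (a) the session belongs to a platform
// admin and (b) this callback continues a reconnect the admin banner started,
// proven by the OAuth `state` value the banner stored in the session before
// redirecting to /auth/predgg (assumed mechanism, one-shot).
function hardenedCallback(req, tokenData, deps) {
  req.session.predggAccessToken = tokenData.access_token;

  const isAdmin = req.session.isPlatformAdmin === true;
  const expected = req.session.adminReconnectState;
  const reconnectIntent =
    typeof expected === 'string' && expected.length > 0 && req.query.state === expected;

  if (!isAdmin || !reconnectIntent) {
    // Ordinary Player Scouting login: never touch platform-wide state.
    return { persistedPlatformCredential: false };
  }

  delete req.session.adminReconnectState; // consumed: a replayed callback cannot reuse it
  persistPlatformCredential(tokenData, deps);
  return { persistedPlatformCredential: true };
}

// Runs the scenario the review describes against both variants: an admin
// reconnects, then a non-admin completes a normal login. Reports which refresh
// token ends up stored as the platform credential. (Constructed sample data.)
function demo() {
  const adminToken = { access_token: 'at-admin', refresh_token: 'rt-admin' };
  const userToken = { access_token: 'at-user', refresh_token: 'rt-non-admin-user' };
  const results = {};
  for (const [name, callback] of [['unsafe', unsafeCallback], ['hardened', hardenedCallback]]) {
    const deps = {
      db: { platformCredential: createPlatformCredentialStore() },
      platformTokenState: createPlatformTokenState(),
    };
    const adminReq = { session: { isPlatformAdmin: true, adminReconnectState: 'n0nce' }, query: { state: 'n0nce' } };
    callback(adminReq, adminToken, deps);
    const userReq = { session: {}, query: { state: 'whatever' } };
    callback(userReq, userToken, deps);
    results[name] = {
      credential: deps.db.platformCredential.get(PLATFORM_CREDENTIAL_KEY).value,
      status: deps.platformTokenState.status,
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Running the script shows the unsafe variant ending with the non-admin user's refresh token as the platform credential, while the hardened variant keeps the admin's. Tying the gate to both the admin session and a session-bound state value means an admin who merely logs in through the public link (without starting from the reconnect banner) does not rotate the platform credential either, which is the distinction the review asks for.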

@saggacce saggacce merged commit 75e46a2 into main May 31, 2026
3 checks passed
@saggacce saggacce deleted the fix/oauth-callback-platform-token branch May 31, 2026 17:19