fix: OAuth callback updates platform token state #242
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d1ff016d70
```js
await db.platformCredential.upsert({
  where: { key: 'predgg_refresh_token' },
  update: { value: tokenData.refresh_token },
  create: { key: 'predgg_refresh_token', value: tokenData.refresh_token },
});
```
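Review bot: the upsert writes tokenData.refresh_token straight into predgg_refresh_token with no visible check that the value is present; some providers omit refresh_token on repeat authorizations, so an undefined or empty value here would replace a working stored credential with an unusable one (or make the write fail). Guard before the upsert, e.g. `if (!tokenData.refresh_token) { /* log and skip the credential update */ }`, and only mark platformTokenState ok after the credential has actually been stored.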
Restrict platform credential updates to admins
This callback is the same public pred.gg login flow used outside the admin reconnect banner (for example the Player Scouting login link calls /auth/predgg), and /auth is mounted without requireAuth/requirePlatformAdmin. With this upsert, any user who completes a normal pred.gg OAuth login can overwrite the global predgg_refresh_token used by background/admin syncs and mark platformTokenState as ok, so the platform credential can silently become tied to an arbitrary non-admin user's account or be broken when that user revokes/expires it. Gate this persistence/state update behind the internal admin session or use a separate admin-only callback/flow.
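The gating the review asks for, as an added example that is not the project's own code: the callback persists the global credential and flips the token state only when the request carries the internal admin session, and refuses to store an empty refresh token. The session shape (`session.user.role`), the role name `platform_admin` and the in-memory stand-in for the Prisma store are assumptions.

```javascript
// Added example (not the project's code). Assumed: session.user.role marks the
// internal admin; the store below only mimics db.platformCredential.upsert
// and the platformTokenState record for the purpose of this demonstration.

// Minimal in-memory stand-in for the database (constructed for the example).
function makeStore() {
  const credentials = new Map();
  let tokenState = { status: 'expired' };
  return {
    platformCredential: {
      // Same call shape as the Prisma upsert in the PR: create if absent, else update.
      async upsert({ where, update, create }) {
        credentials.set(where.key, credentials.has(where.key) ? update.value : create.value);
      },
      get(key) { return credentials.get(key); },
    },
    setTokenState(state) { tokenState = state; },
    getTokenState() { return tokenState; },
  };
}

// Runs after a successful pred.gg OAuth exchange. Ordinary logins get their
// session cookies from the caller and nothing else; only the internal admin
// session may overwrite the global credential used by background syncs.
async function handlePredggCallback(session, tokenData, db) {
  const isPlatformAdmin = Boolean(session && session.user && session.user.role === 'platform_admin');
  if (!isPlatformAdmin) {
    return { persisted: false, reason: 'not-platform-admin' };
  }
  // Never replace a working credential with an empty or missing value.
  if (!tokenData || typeof tokenData.refresh_token !== 'string' || tokenData.refresh_token === '') {
    return { persisted: false, reason: 'missing-refresh-token' };
  }
  await db.platformCredential.upsert({
    where: { key: 'predgg_refresh_token' },
    update: { value: tokenData.refresh_token },
    create: { key: 'predgg_refresh_token', value: tokenData.refresh_token },
  });
  // Only after the credential is stored does the banner state become ok.
  db.setTokenState({ status: 'ok', updatedAt: new Date().toISOString() });
  return { persisted: true };
}
```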
After reconnecting pred.gg, the banner kept showing "Token expired" because the OAuth callback only saved session cookies but did not update PlatformCredential or platformTokenState. Now, after a successful OAuth, the callback:
- updates PlatformCredential (so that automatic syncs work)
- sets platformTokenState.status = 'ok' immediately