fix(device-agent): atomic getdel for auth code + encode URL params

tofikwest · claude · tofikwest · commit 5eab49693f4c · 2026-03-05T14:31:32.000-05:00
- Use Redis GETDEL for atomic get+delete to prevent TOCTOU race on
  auth code exchange
- URL-encode callback_port and state params to prevent parameter
  injection

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/apps/portal/src/app/(public)/auth/page.tsx b/apps/portal/src/app/(public)/auth/page.tsx
@@ -31,7 +31,7 @@ export default async function Page({
 
   const deviceAuthRedirect =
     isDeviceAuth && callbackPort && state
-      ? `/auth/device-callback?callback_port=${callbackPort}&state=${state}`
+      ? `/auth/device-callback?callback_port=${encodeURIComponent(callbackPort)}&state=${encodeURIComponent(state)}`
       : undefined;
 
   const defaultSignInOptions = (
diff --git a/apps/portal/src/app/api/device-agent/exchange-code/route.ts b/apps/portal/src/app/api/device-agent/exchange-code/route.ts
@@ -36,8 +36,8 @@ export async function POST(req: Request) {
     const { code } = parsed.data;
     const kvKey = `device-auth:${code}`;
 
-    // Fetch and immediately delete (single-use)
-    const stored = await kv.get<StoredAuthCode>(kvKey);
+    // Atomic get+delete to prevent race condition (TOCTOU)
+    const stored = await kv.getdel<StoredAuthCode>(kvKey);
 
     if (!stored) {
       return NextResponse.json(
@@ -46,9 +46,6 @@ export async function POST(req: Request) {
       );
     }
 
-    // Delete immediately to prevent replay
-    await kv.del(kvKey);
-
     return NextResponse.json({
       session_token: stored.sessionToken,
       user_id: stored.userId,
