fix: Handle trailing space on code challenge method (outline#12068)

* fix: Handle trailing space on code challenge method

* Add tests for codeChallengeMethod whitespace trimming

Addresses review feedback: adds test coverage for the trim behavior
in saveAuthorizationCode, verifying trailing whitespace is stripped
and whitespace-only input is treated as absent.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: tommoor

app/scenes/Login/OAuthAuthorize.tsx

@@ -87,10 +87,11 @@ function Authorize() {
     redirect_uri: redirectUri,
     response_type: responseType,
     code_challenge: codeChallenge,
-    code_challenge_method: codeChallengeMethod,
+    code_challenge_method: rawCodeChallengeMethod,
     state,
     scope,
   } = Object.fromEntries(params);
+  const codeChallengeMethod = rawCodeChallengeMethod?.trim();
   const [scopes] = useState(() => inputScopes(scope));
   const { error: clientError, data: response } = useRequest<{
     data: OAuthClient;

server/utils/oauth/OAuthInterface.test.ts

@@ -221,6 +221,72 @@ describe("OAuthInterface", () => {
     });
   });
 
+  describe("#saveAuthorizationCode", () => {
+    it("should trim trailing whitespace from codeChallengeMethod", async () => {
+      const user = await buildUser();
+      const oAuthClient = await buildOAuthClient({ teamId: user.teamId });
+
+      const code = {
+        authorizationCode: randomUUID(),
+        expiresAt: new Date(Date.now() + 60_000),
+        redirectUri: oAuthClient.redirectUris[0],
+        scope: [Scope.Read],
+        codeChallenge: "abc123",
+        codeChallengeMethod: "S256  ",
+      };
+
+      await OAuthInterface.saveAuthorizationCode(
+        code,
+        {
+          id: oAuthClient.clientId,
+          databaseId: oAuthClient.id,
+          grants: OAuthInterface.grants,
+        },
+        user
+      );
+
+      const result = await OAuthInterface.getAuthorizationCode(
+        code.authorizationCode
+      );
+      expect(result).not.toBe(false);
+      if (result) {
+        expect(result.codeChallengeMethod).toBe("S256");
+      }
+    });
+
+    it("should treat whitespace-only codeChallengeMethod as absent", async () => {
+      const user = await buildUser();
+      const oAuthClient = await buildOAuthClient({ teamId: user.teamId });
+
+      const code = {
+        authorizationCode: randomUUID(),
+        expiresAt: new Date(Date.now() + 60_000),
+        redirectUri: oAuthClient.redirectUris[0],
+        scope: [Scope.Read],
+        codeChallenge: undefined,
+        codeChallengeMethod: "   ",
+      };
+
+      await OAuthInterface.saveAuthorizationCode(
+        code,
+        {
+          id: oAuthClient.clientId,
+          databaseId: oAuthClient.id,
+          grants: OAuthInterface.grants,
+        },
+        user
+      );
+
+      const result = await OAuthInterface.getAuthorizationCode(
+        code.authorizationCode
+      );
+      expect(result).not.toBe(false);
+      if (result) {
+        expect(result.codeChallengeMethod).toBeNull();
+      }
+    });
+  });
+
   describe("#validateScope", () => {
     it("should return empty array for empty scope", async () => {
       const result = await OAuthInterface.validateScope(user, client, []);

server/utils/oauth/OAuthInterface.ts

@@ -288,7 +288,7 @@ export const OAuthInterface: RefreshTokenModel &
       scope,
       redirectUri,
       codeChallenge,
-      codeChallengeMethod,
+      codeChallengeMethod: codeChallengeMethod?.trim() || undefined,
       oauthClientId: client.databaseId,
       userId: user.id,
       grantId: (user as GrantUser).grantId || crypto.randomUUID(),