Fix (oauth2): enforce owner-scoped PAT deletion #32

Closed
KevinRoebert wants to merge 1 commit into ayaka-notes:server-pro from KevinRoebert:server-pro

Conversation

@KevinRoebert

Summary

This PR fixes an authorization gap in PAT deletion by enforcing token ownership at deletion time.

Changes

  • Updated removeToken to require both tokenId and userId.
  • Scoped delete query to:
    • _id = tokenId
    • user_id = userId
    • type = personal_access_token
  • Added invalid tokenId handling with ObjectId.isValid(...) to avoid deletion attempts on malformed IDs.
  • Updated delete controller flow to:
    • pass user._id into removeToken(...)
    • return 404 Token not found when no owned token is deleted (deletedCount !== 1)

Security Impact

  • Prevents users from deleting PATs they do not own via token ID alone.
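
The ownership check described in this pull request, sketched as an added JavaScript example; it is not the PR's or the project's code. `FakeCollection`, `isValidId`, `removeTokenUnscoped`, `deleteTokenHandler`, the 204 success status and the sample ids are assumptions made for illustration; the filter fields, `deletedCount` and the 404 response follow the description above.

```javascript
// Added illustration, not code from this pull request.
// Constructed in-memory stand-in for the MongoDB token collection.
class FakeCollection {
  constructor(docs) { this.docs = docs; }
  // Delete the first document whose fields all equal the filter's fields.
  async deleteOne(filter) {
    const i = this.docs.findIndex(d =>
      Object.entries(filter).every(([k, v]) => d[k] === v));
    if (i === -1) return { deletedCount: 0 };
    this.docs.splice(i, 1);
    return { deletedCount: 1 };
  }
}

// Assumption: simplified stand-in for ObjectId.isValid (24 hex characters only).
const isValidId = id => typeof id === 'string' && /^[0-9a-f]{24}$/i.test(id);

// Shape before the fix, as implied by the description: the id alone selects the token.
async function removeTokenUnscoped(tokens, tokenId) {
  return tokens.deleteOne({ _id: tokenId });
}

// Shape after the fix: id, owner and type must all match.
async function removeToken(tokens, tokenId, userId) {
  if (!isValidId(tokenId)) return { deletedCount: 0 };
  return tokens.deleteOne({ _id: tokenId, user_id: userId, type: 'personal_access_token' });
}

// Hypothetical controller: the owner id comes from the session, not the request.
// The 204 success status is an assumption; the 404 is the one the description names.
async function deleteTokenHandler(tokens, sessionUser, tokenId) {
  const { deletedCount } = await removeToken(tokens, tokenId, sessionUser._id);
  return deletedCount === 1 ? { status: 204 } : { status: 404, message: 'Token not found' };
}

// Constructed sample data: two users with one PAT each.
const ALICE = 'a'.repeat(24), BOB = 'b'.repeat(24);
const ALICE_PAT = '1'.repeat(24), BOB_PAT = '2'.repeat(24);
const seed = () => new FakeCollection([
  { _id: ALICE_PAT, user_id: ALICE, type: 'personal_access_token' },
  { _id: BOB_PAT, user_id: BOB, type: 'personal_access_token' },
]);
```

Returning the same 404 for "not yours" and "does not exist" also keeps the endpoint from confirming which token ids belong to other users.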

@Musicminion
Member

Thanks for your contribution!

@Musicminion changed the title from "fix(oauth2): enforce owner-scoped PAT deletion" to "Fix (oauth2): enforce owner-scoped PAT deletion" on Mar 12, 2026
@Musicminion
Member

Musicminion commented Mar 12, 2026

We will merge this in #33
