[PR #6] [MERGED] fix: prevent session expiry drift and strengthen cid verification #6

Closed · opened 2026-02-27 15:56:47 +03:00 by kerem (Owner) · 0 comments

📋 Pull Request Information

Original PR: https://github.com/rersozlu/food402/pull/6
Author: @rersozlu
Created: 2/2/2026
Status: Merged
Merged: 2/2/2026
Merged by: @rersozlu

Base: master ← Head: fix/refresh-token-security


📝 Commits (5)

  • 2155e3c fix: strengthen refresh token security with client binding and rollback (https://github.com/rersozlu/food402/commit/2155e3c9317dbc758c0ac553db0c427a552ef714)
  • 946367c fix: prevent session expiry drift and strengthen cid verification (https://github.com/rersozlu/food402/commit/946367c96c8c249a058656e994f065cf06bdde78)
  • 412cf67 test: add coverage for sca anti-drift and cid mismatch (https://github.com/rersozlu/food402/commit/412cf673193b41cdadf6823047db383e4c5a0a1c)
  • 2aa037b feat: add agent instructions for MCP food ordering (https://github.com/rersozlu/food402/commit/2aa037bd98963be72211f2f3b4c1ec9aeffb6903)
  • 584edfa Merge pull request #7 from rersozlu/feat/agent-instructions (https://github.com/rersozlu/food402/commit/584edfa3bdea3123644cc26c42601af838cea602)

📊 Changes

6 files changed (+666 additions, -58 deletions)

View changed files

📝 remote/src/auth/oauth-provider.ts (+196 -40)
📝 remote/src/server.ts (+31 -3)
📝 remote/src/session/store.ts (+73 -12)
📝 remote/src/session/types.ts (+6 -0)
➕ remote/test/oauth-provider.test.ts (+329 -0)
📝 src/index.ts (+31 -3)

📄 Description

Summary

  • Add sca (session_created_at) JWT claim to preserve original session creation time, preventing the 30-day expiry window from drifting forward on each token refresh
  • Strengthen KV path to require cid in JWT AND verify it matches session.clientId, rejecting legacy JWTs even when session exists in KV
  • Add comprehensive test coverage for the new security checks

Test plan

  • TypeScript compiles without errors
  • All 8 unit tests pass (node --test --import tsx remote/test/oauth-provider.test.ts)
  • Manual testing with Claude.ai remote MCP connection

🤖 Generated with Claude Code


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
