Tighten opaque CLI auth tokens by jahooma · Pull Request #628 · CodebuffAI/codebuff

jahooma · 2026-05-09T00:08:30Z

Summary

Resolve opaque 43-character CLI browser tokens only when they match the expected base64url token shape.
Consume opaque CLI auth tokens atomically with DELETE ... RETURNING so a browser login token is one-time-use while expired stored payloads still render the expired-code path.
Add focused Codebuff and Freebuff helper coverage for opaque-token resolution, signed payload validation, skipped lookup for structured codes, and expired stored payloads.
Update authentication docs to describe the opaque browser token flow.

bun test web/src/app/onboard/__tests__/helpers.test.ts freebuff/web/src/app/onboard/__tests__/helpers.test.ts web/src/app/api/auth/cli/code/__tests__/origin.test.ts freebuff/web/src/app/api/auth/cli/code/__tests__/origin.test.ts
bun run typecheck in web/
bun run typecheck in freebuff/web/
bunx prettier --check docs/authentication.md web/src/app/api/auth/cli/code/route.ts web/src/app/onboard/__tests__/helpers.test.ts web/src/app/onboard/_db.ts web/src/app/onboard/_helpers.ts web/src/app/onboard/page.tsx freebuff/web/src/app/api/auth/cli/code/route.ts freebuff/web/src/app/onboard/__tests__/helpers.test.ts freebuff/web/src/app/onboard/_db.ts freebuff/web/src/app/onboard/_helpers.ts freebuff/web/src/app/onboard/page.tsx
git diff --check

jahooma requested review from brandonkachen and charleslien as code owners May 9, 2026 00:08

Tighten opaque CLI auth tokens

a39327d

jahooma force-pushed the jahooma/cleanup-cli-auth-token-flow branch from a9802be to a39327d Compare May 9, 2026 00:32

jahooma merged commit 43d0008 into main May 9, 2026
35 checks passed

jahooma deleted the jahooma/cleanup-cli-auth-token-flow branch May 9, 2026 01:23