Bug description
The hybrid follow engine integrates OAuth-based background actions, WebView flows and shared session handling across multiple platforms. Cross-session token confusion can occur during concurrent authentication or quick account switching, which can lead to follow/connect actions being performed in the wrong linked-account context.
Increased risk during:
- multiple-account use
- expired-token refresh flows
- parallel OAuth callbacks
- failed WebView authentication
cc: @Dev-Card
Areas affected:
- apps/backend/
- apps/mobile/
- packages/shared/
How to reproduce:
- Rapidly authenticate multiple platform accounts
- Run silent follow/connect operations in parallel
- Intercept or retry the OAuth callback flow
- Execute a follow and watch the token/session binding behavior
Expected behavior:
- OAuth tokens should be scoped tightly to the active session
- Subsequent operations should verify account ownership before execution
- Broken OAuth flows should clear stale session state
- Concurrent callbacks must not overwrite active token bindings
Actual behavior:
The current hybrid follow architecture can leave stale or overwritten OAuth session context behind during concurrent flows, so follow/connect actions may be performed with an unintended account binding.
Possible effects:
- Follows executed against the wrong account
- Cross-account session pollution
- Unauthorized social actions
- Inconsistent account-linking state
Proposed fix:
- Strict OAuth state validation bound to the session
- Callback nonce check
- Per-provider token isolation
- Transactional OAuth session management
- Replay protection in callback handlers
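The following is an added example written for this report, not code from this repository: an in-memory store that implements the expected behavior and the proposed fix above (session-bound state, single-use state/nonce, per-(session, provider) token binding, an ownership check before a follow executes, and clearing of stale state when a flow fails). Provider names, session ids, account ids, tokens and the `api` callback are all hypothetical placeholders; a real backend would keep the store in a shared cache and call the provider's API in place of `api`.

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical provider names; the project's real providers are not named in the report.
export type Provider = "providerA" | "providerB";

interface PendingAuth { sessionId: string; provider: Provider; nonce: string; createdAt: number; }
export interface TokenBinding { sessionId: string; provider: Provider; providerAccountId: string; accessToken: string; }
export interface CallbackParams { state: string; nonce: string; providerAccountId: string; accessToken: string; }
export type CallbackResult =
  "ok" | "unknown-state" | "replayed-state" | "session-mismatch" | "provider-mismatch" | "nonce-mismatch" | "expired";

// Constant-time comparison so the nonce check does not leak how many bytes matched.
function equalSecrets(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

export class OAuthSessionStore {
  private pending = new Map<string, PendingAuth>();   // keyed by state: one entry per in-flight flow
  private consumed = new Set<string>();               // states used once; never accepted again (replay protection)
  private bindings = new Map<string, TokenBinding>(); // keyed by `${sessionId}:${provider}` (per-provider isolation)
  private readonly now: () => number;
  private readonly ttlMs: number;

  constructor(now: () => number = () => Date.now(), ttlMs = 5 * 60_000) {
    this.now = now;
    this.ttlMs = ttlMs;
  }

  // Start a flow: random state and nonce, bound to exactly this session and provider.
  begin(sessionId: string, provider: Provider): { state: string; nonce: string } {
    const state = randomBytes(16).toString("hex");
    const nonce = randomBytes(16).toString("hex");
    this.pending.set(state, { sessionId, provider, nonce, createdAt: this.now() });
    return { state, nonce };
  }

  // Handle the callback. The state is consumed before any check, so a second delivery of the same
  // callback (retry, interception, parallel tab) can never bind a token, whatever session it hits.
  complete(sessionId: string, provider: Provider, cb: CallbackParams): CallbackResult {
    if (this.consumed.has(cb.state)) return "replayed-state";
    const p = this.pending.get(cb.state);
    if (p === undefined) return "unknown-state";
    this.pending.delete(cb.state);
    this.consumed.add(cb.state);
    if (p.sessionId !== sessionId) return "session-mismatch";
    if (p.provider !== provider) return "provider-mismatch";
    if (!equalSecrets(p.nonce, cb.nonce)) return "nonce-mismatch";
    if (this.now() - p.createdAt > this.ttlMs) return "expired";
    this.bindings.set(`${sessionId}:${provider}`,
      { sessionId, provider, providerAccountId: cb.providerAccountId, accessToken: cb.accessToken });
    return "ok";
  }

  binding(sessionId: string, provider: Provider): TokenBinding | undefined {
    return this.bindings.get(`${sessionId}:${provider}`);
  }

  // A failed or abandoned flow (e.g. WebView auth failure) removes everything tied to the session.
  invalidateSession(sessionId: string): void {
    this.pending.forEach((p, state) => { if (p.sessionId === sessionId) this.pending.delete(state); });
    this.bindings.forEach((_b, key) => { if (key.startsWith(`${sessionId}:`)) this.bindings.delete(key); });
  }
}

export interface FollowOutcome { result: "followed" | "not-authenticated" | "wrong-account"; tokenUsed?: string; }

// Ownership check: the follow runs only with the token bound to this session for this provider,
// and only if that binding belongs to the account the caller claims to act as.
export function followAs(store: OAuthSessionStore, sessionId: string, provider: Provider,
                         actingAccountId: string, targetAccountId: string,
                         api: (token: string, target: string) => void): FollowOutcome {
  const b = store.binding(sessionId, provider);
  if (b === undefined) return { result: "not-authenticated" };
  if (b.providerAccountId !== actingAccountId) return { result: "wrong-account" };
  api(b.accessToken, targetAccountId);
  return { result: "followed", tokenUsed: b.accessToken };
}

// Walk through the reproduction steps from the report with two sessions authenticating in parallel.
export function demo(): Record<string, string> {
  const store = new OAuthSessionStore();
  const calls: string[] = [];
  const api = (token: string, target: string): void => { calls.push(`${token}->${target}`); };
  const a = store.begin("sess-A", "providerA");
  const b = store.begin("sess-B", "providerA");
  const out: Record<string, string> = {};
  // B's callback delivered to session A (intercepted/retried): rejected, nothing bound for A.
  out.crossSession = store.complete("sess-A", "providerA",
    { state: b.state, nonce: b.nonce, providerAccountId: "acct-B", accessToken: "tok-B" });
  // The same callback replayed, even by the right session, is now dead.
  out.replay = store.complete("sess-B", "providerA",
    { state: b.state, nonce: b.nonce, providerAccountId: "acct-B", accessToken: "tok-B" });
  out.legit = store.complete("sess-A", "providerA",
    { state: a.state, nonce: a.nonce, providerAccountId: "acct-A", accessToken: "tok-A" });
  out.wrongAccount = followAs(store, "sess-A", "providerA", "acct-B", "target-1", api).result;
  out.rightAccount = followAs(store, "sess-A", "providerA", "acct-A", "target-1", api).result;
  out.apiCalls = calls.join(",");
  store.invalidateSession("sess-B"); // B's flow failed: clear it rather than leave stale state
  out.afterInvalidate = followAs(store, "sess-B", "providerA", "acct-B", "target-1", api).result;
  return out;
}
```

Note that a callback landing on the wrong session consumes the state and fails closed: the legitimate session must restart its flow rather than being allowed to finish with a state that has already been seen elsewhere. That is the trade-off behind the "concurrent callbacks must not overwrite active token bindings" requirement.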
Proposed tags:
- security
- oauth
- sophisticated
- gssoc
- backend