fix(ui): block browser forwarding of CLI OAuth callback states by mosure · Pull Request #6 · aberration-technology/agent_feed

mosure · 2026-05-04T03:00:54Z

Prevent the browser-side OAuth callback handoff from forwarding attacker-controlled CLI OAuth state to the edge, which could enable session token exfiltration via malicious redirect URIs.
Ensure browser forwarding only occurs for trusted feed:-encoded OAuth state that does not indicate a CLI client.

Tightened forwardRawGithubOauthCallback in crates/agent_feed_ui/src/reel.ts to decode the state value and refuse forwarding when it is not a decodable feed: payload or when the decoded client ends with -cli.
Added decodeFeedOauthStateClient helper to safely parse the feed: hex-encoded JSON state and extract the client field, failing closed on malformed values.
Updated UI snapshot/assertion expectations in crates/agent_feed_ui/src/lib.rs to reflect the new guard logic and helper function.

Ran the UI unit test suite with cargo test -p agent_feed_ui --ignore-rust-version, iterating until expectations matched the updated output.
Final automated test run succeeded: all UI tests passed (29 passed; 0 failed).

fix(ui): block forwarding cli oauth state from browser callback

808ae9a

mosure added codex aardvark labels May 4, 2026 — with ChatGPT Codex Connector

mosure added codex aardvark labels May 4, 2026

Provide feedback