AntFleet

Disagreement · b7190c33-anthropic-1

OAuth refresh persists merged credentials with potentially stale fields when refresh result spreads after original cred

solo Opus
repo 5149da9d·PR #2·reviewed 2 days ago

Opus finding

OAuth refresh persists merged credentials with potentially stale fields when refresh result spreads after original cred

medium · bug · medium
  • src/agents/auth-profiles/oauth.ts:78-86
The spread order is `...cred, ...result.newCredentials, type: "oauth"`. This is generally correct (new credentials override stored ones), but `result.newCredentials` for Chutes/Qwen branches comes directly from refresh functions that may not include `provider`, `email`, `projectId`, or other fields that the stored credential carries. The spread preserves those, which is intentional. However, if `refreshChutesTokens` or `refreshQwenPortalCredentials` returns credentials missing `expires` or with malformed `access`, the merged record will silently retain old `expires` (good) or replace with bad value (bad). This is a real concern only if those functions return partial objects; without seeing them this is speculative.

Recommendation

Validate that `result.newCredentials.expires` is a finite future timestamp before persisting, and explicitly construct the persisted record with required fields rather than spreading.
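The recommendation above, worked through as an added TypeScript example (not code from the PR, the repository, or AntFleet): the merge step checks that the refreshed `access` and `expires` values are usable and then builds the persisted record field by field instead of spreading. The credential shape, the optional `refresh` field, the `now` parameter and the helper names are assumptions.

```typescript
// Added example: explicit construction of the persisted OAuth credential.
// Field names access/expires/provider/email/projectId come from the finding;
// the interface shape and helper names are assumptions for illustration.

interface StoredOAuthCredential {
  type: "oauth";
  provider: string;
  access: string;
  refresh: string;
  expires: number; // epoch milliseconds (assumed unit)
  email?: string;
  projectId?: string;
}

// What a refresh function may hand back: possibly partial, possibly malformed.
type RefreshedCredentials = Partial<Record<keyof StoredOAuthCredential, unknown>>;

function isNonEmptyString(v: unknown): v is string {
  return typeof v === "string" && v.length > 0;
}

function isFiniteFutureTimestamp(v: unknown, now: number): v is number {
  return typeof v === "number" && Number.isFinite(v) && v > now;
}

// Returns a fully specified record or throws; nothing malformed is persisted.
function buildPersistedCredential(
  cred: StoredOAuthCredential,
  fresh: RefreshedCredentials,
  now: number = Date.now(),
): StoredOAuthCredential {
  const access = fresh.access;
  if (!isNonEmptyString(access)) {
    throw new Error("refresh result has no usable access token");
  }
  const expires = fresh.expires;
  if (!isFiniteFutureTimestamp(expires, now)) {
    throw new Error(`refresh result has invalid expires: ${String(expires)}`);
  }
  // Every persisted field is listed explicitly; unknown keys from `fresh`
  // never reach storage, and stored-only fields are carried over on purpose.
  return {
    type: "oauth",
    provider: cred.provider,
    access,
    refresh: isNonEmptyString(fresh.refresh) ? fresh.refresh : cred.refresh,
    expires,
    email: isNonEmptyString(fresh.email) ? fresh.email : cred.email,
    projectId: isNonEmptyString(fresh.projectId) ? fresh.projectId : cred.projectId,
  };
}
```

A refresh result with a missing or non-finite `expires`, or an empty `access`, is rejected before anything is written, while a stored `email` or `projectId` the refresh did not return is retained as the original spread intended.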

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
