Security: bind link codes to initiating user (CSRF fix)

Chris0Jeky · Chris0Jeky · commit 8fb927a8e4de · 2026-04-09T23:02:34.000+01:00
CreateForLinking now requires initiatingUserId parameter, stored in UserId field. This prevents CSRF attacks where an attacker generates a link code and tricks a victim into exchanging it, linking the attacker's GitHub to the victim's account. Addresses adversarial review finding #1 (CRITICAL).
diff --git a/backend/src/Taskdeck.Domain/Entities/OAuthAuthCode.cs b/backend/src/Taskdeck.Domain/Entities/OAuthAuthCode.cs
@@ -33,7 +33,8 @@ private set
     public Guid UserId { get; private set; }
 
     /// <summary>
-    /// The pre-serialized JWT token to return on successful exchange (login flow only).
+    /// Legacy field kept for schema compatibility. No longer populated with real JWTs --
+    /// tokens are re-issued at exchange time from the stored UserId.
     /// </summary>
     public string Token { get; private set; } = string.Empty;
 
@@ -67,6 +68,8 @@ private OAuthAuthCode() : base() { }
 
     /// <summary>
     /// Creates an auth code for the login flow (token exchange).
+    /// Token parameter is accepted for backward compatibility but is no longer stored;
+    /// JWTs are re-issued at exchange time from the UserId.
     /// </summary>
     public OAuthAuthCode(string code, Guid userId, string token, DateTimeOffset expiresAt)
         : base()
@@ -82,16 +85,21 @@ public OAuthAuthCode(string code, Guid userId, string token, DateTimeOffset expi
 
         Code = code;
         UserId = userId;
-        Token = token;
+        Token = string.Empty; // Never store actual JWT in DB — re-issue at exchange time
         Purpose = "login";
         ExpiresAt = expiresAt;
     }
 
     /// <summary>
     /// Creates an auth code for the account linking flow (provider identity exchange).
+    /// The initiatingUserId binds this code to the user who started the link flow,
+    /// preventing CSRF attacks where an attacker's GitHub is linked to a victim's account.
     /// </summary>
-    public static OAuthAuthCode CreateForLinking(string code, string providerData, DateTimeOffset expiresAt)
+    public static OAuthAuthCode CreateForLinking(string code, Guid initiatingUserId, string providerData, DateTimeOffset expiresAt)
     {
+        if (initiatingUserId == Guid.Empty)
+            throw new DomainException(ErrorCodes.ValidationError, "Initiating user ID is required for linking");
+
         if (string.IsNullOrWhiteSpace(providerData))
             throw new DomainException(ErrorCodes.ValidationError, "Provider data cannot be empty for linking");
 
@@ -101,7 +109,7 @@ public static OAuthAuthCode CreateForLinking(string code, string providerData, D
         var entity = new OAuthAuthCode
         {
             Code = code,
-            UserId = Guid.Empty,
+            UserId = initiatingUserId,
             Token = string.Empty,
             Purpose = "link",
             ProviderData = providerData,
