- Raw JWT never sent to browser: page.tsx uses peekLinkingToken (read-only), client sends opaque linkingId, API calls retrieveLinkingToken server-side
- link-account rate limiter now uses isRateLimited/registerFailedAttempt/resetAttempts correctly (count only failures, reset on success)
- linking_tokens gains expiresAt column (indexed) + opportunistic expiry purge on insert to prevent unbounded table growth
- secureTokenCompare fixed: pad+slice to expected length so timing is constant regardless of submitted token length (no length leak)
- autoLinkOAuth uses config.oauth.allowAutoLinking (boolean) instead of process.env truthy check that mishandles OAUTH_ALLOW_AUTO_LINKING=false
- Add Permissions-Policy header; restore X-Frame-Options for legacy UAs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
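The pad-and-slice constant-time comparison the commit message describes, reconstructed here as an added example; this is not the project's own secureTokenCompare, and fitToLength and naiveCompare are constructed names used only to contrast the fixed shape with the usual early-return shape.

```typescript
import { timingSafeEqual } from "node:crypto";

const enc = new TextEncoder();

// Pad (zero-fill) or truncate `bytes` to exactly `len` bytes. Constructed helper.
function fitToLength(bytes: Uint8Array, len: number): Uint8Array {
  const out = new Uint8Array(len); // zero-filled by default
  out.set(bytes.subarray(0, Math.min(len, bytes.length)));
  return out;
}

// Reconstruction of the pattern in the commit message: the submitted token is
// fitted to the *expected* length before the constant-time compare, so the
// amount of work done never depends on how long the caller's token was.
function secureTokenCompare(submitted: string, expected: string): boolean {
  const expectedBytes = enc.encode(expected);
  const submittedBytes = enc.encode(submitted);
  const fitted = fitToLength(submittedBytes, expectedBytes.length);
  const contentMatches = timingSafeEqual(fitted, expectedBytes);
  // A token that only matches after padding/truncation must still fail; the
  // length check comes *after* the constant-time compare, never before it.
  return contentMatches && submittedBytes.length === expectedBytes.length;
}

// Typical pre-fix shape (constructed for contrast): returning early on a length
// mismatch means response time reveals whether the submitted length was right.
function naiveCompare(submitted: string, expected: string): boolean {
  if (submitted.length !== expected.length) return false;
  return timingSafeEqual(enc.encode(submitted), enc.encode(expected));
}
```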
8 lines
234 B
SQL
CREATE TABLE `linking_tokens` (
    `id` text PRIMARY KEY NOT NULL,
    `token` text NOT NULL,
    `created_at` text NOT NULL,
    `expires_at` text NOT NULL
);
CREATE INDEX `linking_tokens_expires_at_idx` ON `linking_tokens` (`expires_at`);
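Review bot: `expires_at` is declared `text NOT NULL` (like `created_at`), so the opportunistic purge described in the commit message will have to compare timestamps as strings, which is only correct if every writer stores the same lexically sortable format (for example ISO 8601 in UTC with fixed precision). Please document that format in the migration, or store an integer epoch value, so that `linking_tokens_expires_at_idx` and any `expires_at < now` predicate behave as intended. Separately, the commit message says `linking_tokens` gains the column, but this file is a fresh `CREATE TABLE` with no `ALTER TABLE ... ADD COLUMN`; if any deployment already has this table, an add-column-with-backfill path is needed, otherwise note that this is the initial migration.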