Description
There are two bugs in apps/backend/src/routes/connect.ts that are currently
present in the codebase:
Bug 1 — randomBytes is used but never imported (runtime crash)
At the bottom of the file, generateState() calls randomBytes:
function generateState(): string {
  return randomBytes(32).toString('hex');
}
However, the top of the file only imports from fastify:
import type { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
There is no import { randomBytes } from 'crypto'. This means any request
to GET /connect/github will throw a ReferenceError: randomBytes is not defined
at runtime and crash the connect flow entirely.
Bug 2 — parseGoogleState is used in the GitHub connect callback
The helper function used to decode the OAuth state in the GitHub callback is
named parseGoogleState, but it is exclusively used in the GitHub OAuth flow —
Google connect does not exist in this file at all:
const decodedState = parseGoogleState(state); // called inside /github/callback
This is misleading to any developer reading or maintaining this code and could
cause confusion about which flow the function belongs to.
Expected Behaviour
- GET /connect/github should generate a valid state without crashing.
- The state-parsing helper should be named accurately to reflect its use in the
  GitHub connect flow (e.g. parseOAuthState or parseConnectState).
Proposed Fix
Bug 1 — Add the missing import at the top of the file:
import { randomBytes } from 'crypto';
Bug 2 — Rename parseGoogleState to parseOAuthState (or parseConnectState)
and update the single call site in /github/callback to match.
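As an added illustration of the fixed shape (not the project's own connect.ts code): the helper with its crypto import in place, renamed to parseOAuthState, plus a constant-time comparison of the callback's state against the stored one. parseOAuthState accepting only the 64-hex-character shape that generateState() produces, and the caller supplying the stored state, are assumptions about this project.

```typescript
// Added example, not the project's code. Assumes state is the raw hex string
// from generateState(); the real connect.ts may encode its state differently.
import { randomBytes, timingSafeEqual } from 'crypto';

// 32 random bytes, hex-encoded: 64 lowercase hex characters.
function generateState(): string {
  return randomBytes(32).toString('hex');
}

const STATE_RE = /^[0-9a-f]{64}$/;

// Renamed from parseGoogleState: it serves the GitHub connect flow only.
// Returns the state if it has exactly the shape generateState() produces,
// otherwise null so the callback can reject the request.
function parseOAuthState(raw: string | undefined): string | null {
  if (typeof raw !== 'string' || !STATE_RE.test(raw)) {
    return null;
  }
  return raw;
}

// For /github/callback: compare the state GitHub sent back with the one
// stored when /connect/github issued it (lookup is assumed to be done by
// the caller). Both sides are validated first so the buffers have equal
// length, which timingSafeEqual requires.
function stateMatches(received: string | undefined, expected: string | undefined): boolean {
  const got = parseOAuthState(received);
  const want = parseOAuthState(expected);
  if (got === null || want === null) {
    return false;
  }
  return timingSafeEqual(Buffer.from(got), Buffer.from(want));
}
```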
Files to Touch
apps/backend/src/routes/connect.ts