Root cause: The generateState() function at line 173 of apps/backend/src/routes/connect.ts calls randomBytes(32).toString('hex'), but there is no import { randomBytes } from 'crypto' anywhere in that file. In contrast, auth.ts correctly imports it at the top. This will throw a ReferenceError: randomBytes is not defined at runtime the first time any user attempts to connect their GitHub account via /api/connect/github.
Why it matters: The GitHub connect flow is a core feature. Every user who clicks "Connect GitHub" in settings will hit this error. It is a production crash, not a warning. It will also fail silently from the user's perspective since the error is swallowed by the outer try/catch, which redirects to /settings?error=server_error — misleading both the user and the on-call engineer.
Affected files/functions: apps/backend/src/routes/connect.ts, generateState() function at line 173.
Current behaviour: Calling GET /api/connect/github (while authenticated) starts the OAuth flow. When control reaches generateState(), Node throws ReferenceError: randomBytes is not defined. The catch block redirects to ?error=server_error.
Expected behaviour: randomBytes resolves correctly and the GitHub OAuth redirect proceeds normally.
Minimal fix plan:
Add import { randomBytes } from 'crypto'; as the second line of connect.ts, directly after the Fastify type import. No other changes needed.
Suggested tests: Add an integration test to src/__tests__/connect.test.ts that builds a Fastify instance decorated with a mock JWT, hits GET /api/connect/github, and asserts a 302 redirect to github.com/login/oauth/authorize. The existing stub tests in that file currently contain only expect(true).toBe(true) placeholders — this is a chance to replace those with real assertions.
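The failure mode and the suggested assertion, modelled without Fastify as an added example (not code from the project): `connectGithub`, `redirectsToGithub`, the `errors` sink, the `client_id` placeholder and the `app.invalid` base URL are assumptions, and `require` is used as the CommonJS form of the import in the fix plan.

```javascript
// Added example: framework-free model of the /api/connect/github handler.
const nodeCrypto = require('node:crypto'); // CommonJS form of the page's import

// As reported: randomBytes is referenced but never imported in this scope.
function generateStateBroken() {
  return randomBytes(32).toString('hex'); // throws ReferenceError
}

// After the fix: the call resolves, giving 64 hex chars of OAuth state.
function generateStateFixed() {
  return nodeCrypto.randomBytes(32).toString('hex');
}

// Hypothetical handler shape: outer try/catch that redirects on any error.
// `errors` is an assumed sink standing in for a server-side logger.
function connectGithub(generateState, errors = []) {
  try {
    const url = new URL('https://github.com/login/oauth/authorize');
    url.searchParams.set('client_id', 'CLIENT_ID_PLACEHOLDER'); // constructed
    url.searchParams.set('state', generateState());
    return { status: 302, location: url.toString() };
  } catch (err) {
    errors.push(`${err.name}: ${err.message}`); // keep the real cause visible
    return { status: 302, location: '/settings?error=server_error' };
  }
}

// The regression check: status alone cannot tell the two outcomes apart.
function redirectsToGithub(res) {
  if (res.status !== 302) return false;
  const target = new URL(res.location, 'https://app.invalid'); // base for relative paths
  return target.origin === 'https://github.com' &&
    target.pathname === '/login/oauth/authorize' &&
    /^[0-9a-f]{64}$/.test(target.searchParams.get('state') || '');
}
```

Both outcomes return 302, so a test that checks only the status code passes against the broken handler; the assertion has to be on the redirect target.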