fix: resolve security and correctness findings #2
Cursor Bugbot has reviewed your changes using high effort and found 3 potential issues.
Reviewed by Cursor Bugbot for commit dec34e7. Configure here.
| secret: betterAuthSecret, | ||
| // Resolved lazily (not at module load) so Convex's push/analyze phase | ||
| // never evaluates it without the deployment env present. | ||
| secret: resolveBetterAuthSecret(), |
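Review bot: `secret: resolveBetterAuthSecret()` re-runs the resolver on every `createAuth()` call, so when `BETTER_AUTH_SECRET` is unset and the fallback is an ephemeral random value, each caller ends up with a different secret and tokens minted under one caller's secret fail validation in another. Resolve once and cache the result in a module-scoped variable filled on first call (this keeps the laziness the comment asks for, since nothing runs at module load), and emit a warning when the fallback path is taken so the missing deployment env is visible in the deploy logs.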
Ephemeral auth secret not stable
High Severity
When BETTER_AUTH_SECRET is unset outside development, resolveBetterAuthSecret() generates a new ephemeral secret on each createAuth() invocation. This causes a mismatch between the secret used by the Better Auth component (initialized once) and secrets used by HTTP routes, leading to unpredictable session and device token validation failures.
…ss-findings
# Conflicts:
#   apps/relay/src/index.ts
#   packages/backend/convex/auth.ts


Summary
Note
High Risk
Touches authentication secret handling, unauthenticated device-auth endpoints, and relay WebSocket authorization—security-sensitive paths where misconfiguration or regressions could block logins or weaken abuse protections.
Overview
Addresses several security and correctness findings across the relay, CLI shell host, backend auth, and release pipeline.
Relay now initializes WebSocket connections with explicit pre-auth state, buffers inbound frames until ticket authorization completes (instead of treating the socket as unbound), flushes them in order after bind, skips work if the socket closed during the Convex round-trip, and caps pre-auth buffering at 32 frames. A protocol parity test compares the deploy-time `protocol.ts` copy against `@repo/protocol` so CI catches wire-format drift.

CLI / PTY: `PtySession` defers `error`/`exit` emits on spawn failure so callers can attach listeners; `shell-host` exits early when spawn already failed and resolves exit if the session closed during setup, avoiding hangs. A regression test covers the late-listener case.

Backend: `BETTER_AUTH_SECRET` resolution moves to lazy evaluation in `createAuth`; outside development, missing config uses an ephemeral random secret (fail-closed) instead of a known default or a module-load throw that breaks Convex deploy. Fixed-window rate limits on unauthenticated device-code request/poll mutations are backed by a new `rateLimit` table and `enforceRateLimit` helper.

Release / install: CLI releases attach `checksums.txt`; `install.sh` verifies SHA-256 against that file before extracting. Minor `.oxfmtignore` tweak for `**/_generated/**`.

Reviewed by Cursor Bugbot for commit 3521fa7.
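The relay's pre-auth handling described in the summary (explicit pre-auth state, bounded buffering, in-order flush after bind, and skipping work if the socket closed during the authorization round-trip), as an added TypeScript illustration that is not the relay's own code. The names `PreAuthConn`, `MAX_PREAUTH_FRAMES` and `closeReason`, and the choice to close the socket rather than drop frames when the cap is hit, are assumptions.

```typescript
// Added illustration, not the relay's own code. Names and the
// close-on-overflow policy are assumptions; the 32-frame cap is from the PR summary.

export const MAX_PREAUTH_FRAMES = 32;

type ConnState =
  | { kind: "pending"; buffered: string[] } // ticket not yet authorized
  | { kind: "bound"; session: string }      // authorized: frames go straight through
  | { kind: "closed" };

export class PreAuthConn {
  state: ConnState = { kind: "pending", buffered: [] };
  delivered: string[] = []; // frames handed to the authorized handler, in order
  closeReason: string | null = null;

  // Inbound frame from the socket: buffered (bounded) before bind, delivered after.
  onFrame(frame: string): void {
    const s = this.state;
    if (s.kind === "closed") return; // nothing to do for a dead socket
    if (s.kind === "bound") { this.delivered.push(frame); return; }
    if (s.buffered.length >= MAX_PREAUTH_FRAMES) {
      // An unauthenticated peer must not be able to make the relay hold unbounded state.
      this.close("preauth-buffer-overflow"); // assumed policy: close rather than drop
      return;
    }
    s.buffered.push(frame);
  }

  close(reason: string): void {
    if (this.state.kind === "closed") return;
    this.state = { kind: "closed" };
    this.closeReason = reason;
  }

  // Authorize the ticket via an async round-trip (the relay asks Convex), then
  // flush buffered frames in arrival order. Returns false if the socket closed
  // while waiting or the ticket was rejected.
  async bind(ticket: string, authorize: (t: string) => Promise<string | null>): Promise<boolean> {
    const session = await authorize(ticket);
    const s = this.state;
    if (s.kind !== "pending") return false; // closed (or already bound) during the round-trip
    if (session === null) { this.close("ticket-rejected"); return false; }
    this.state = { kind: "bound", session };
    for (const frame of s.buffered) this.delivered.push(frame); // in-order flush
    return true;
  }
}
```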