File: internal/controller/oidc_controller.go (line 291)
Project: tinyauth
Severity: BUG • Confidence: high • Slug: other-misleading-log
Finding
Line 291 calls controller.oidc.DeleteTokenByCodeHash(...), which deletes the oidc_token row keyed by code_hash (i.e. revokes the tokens issued for that code), but the failure log message says "Failed to delete code". The call sits on the OAuth 2.1 authorization-code replay path: when the presented code is not found (already consumed or never issued), the request is denied and any tokens previously issued for that code are revoked, as RFC 6749 section 4.1.2 recommends. A log line that claims a code deletion failed will mislead anyone troubleshooting a token-revocation failure, since no code is being deleted at that point.
Recommendation
Change the log message to "Failed to revoke tokens for replayed code" or similar.
Revalidation
Verdict: true-positive
Verified lines 290-292: if err := controller.oidc.DeleteTokenByCodeHash(c, controller.oidc.Hash(req.Code)); err != nil { controller.log.App.Error().Err(err).Msg("Failed to delete code") }. DeleteTokenByCodeHash (oidc_service.go:642-644) calls queries.DeleteOidcTokenByCodeHash, which removes the oidc_token row whose code_hash matches; this is the OAuth 2.1 code-replay-detection token-revocation path (commit 6f99e7a). The log message refers to the code, but the operation is token revocation. Operators tracing token-revocation failures will be misled. Cosmetic correctness bug with no direct security impact, although a misleading message on the replay-detection path can slow triage when a revocation failure is being investigated. Correctly classified BUG.
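To make the distinction concrete, the following is an added illustration of the replay path described above, not tinyauth's code: a single-use authorization code is consumed on first exchange, and a second presentation (or an unknown code) is denied while every token minted from that code is revoked. The Store type, its maps, the "tok-" token format and the log wording are assumptions for the example; only the behaviour (consume once, revoke on replay, log the revocation as a revocation) is the point.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	"sync"
)

// ErrCodeInvalid is what the client sees for an unknown or already-used code.
// The client response is identical in both cases; only the server-side
// side effect (token revocation) differs.
var ErrCodeInvalid = errors.New("invalid_grant: authorization code invalid or already used")

// Store is a hypothetical in-memory stand-in for the database tables:
// unconsumed codes keyed by their hash, and issued tokens mapped to the
// code hash they were minted from (the analogue of oidc_token.code_hash).
type Store struct {
	mu     sync.Mutex
	codes  map[string]struct{}
	tokens map[string]string // token value -> code hash
}

func NewStore() *Store {
	return &Store{codes: map[string]struct{}{}, tokens: map[string]string{}}
}

// Hash stores only a digest of the code, never the code itself.
func Hash(code string) string {
	sum := sha256.Sum256([]byte(code))
	return hex.EncodeToString(sum[:])
}

// IssueCode records a freshly minted authorization code as unconsumed.
func (s *Store) IssueCode(code string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[Hash(code)] = struct{}{}
}

// DeleteTokensByCodeHash revokes every token issued for the given code hash
// and reports how many were removed. It touches tokens, not the code row,
// which is exactly the distinction the log message in the finding blurs.
func (s *Store) DeleteTokensByCodeHash(codeHash string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.deleteTokensLocked(codeHash)
}

func (s *Store) deleteTokensLocked(codeHash string) int {
	n := 0
	for tok, h := range s.tokens { // deleting during range is safe in Go
		if h == codeHash {
			delete(s.tokens, tok)
			n++
		}
	}
	return n
}

// Exchange applies the single-use rule of RFC 6749 section 4.1.2 / OAuth 2.1:
// the code is consumed on first use; any later presentation is treated as a
// replay, the request is denied, and tokens issued for that code are revoked.
func (s *Store) Exchange(code string) (string, error) {
	codeHash := Hash(code)
	s.mu.Lock()
	defer s.mu.Unlock()

	if _, ok := s.codes[codeHash]; !ok {
		// Replay (or bogus code) path. Revocation is best-effort and the
		// request is denied regardless; the log says what actually happened.
		if n := s.deleteTokensLocked(codeHash); n > 0 {
			log.Printf("revoked %d token(s) issued for replayed authorization code", n)
		}
		return "", ErrCodeInvalid
	}

	delete(s.codes, codeHash)       // consume the code: it can never be used again
	token := "tok-" + codeHash[:16] // hypothetical opaque token format
	s.tokens[token] = codeHash
	return token, nil
}

// TokenValid reports whether a token is still live (not revoked).
func (s *Store) TokenValid(token string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.tokens[token]
	return ok
}

func main() {
	s := NewStore()
	s.IssueCode("code-1") // constructed sample code
	tok, _ := s.Exchange("code-1")
	fmt.Println("first exchange issued:", tok)
	_, err := s.Exchange("code-1") // replay
	fmt.Println("second exchange:", err, "| token still valid:", s.TokenValid(tok))
}
```

In a real deployment the revocation failure branch (an error from the database delete) is the one worth logging loudly, because a replayed code whose tokens could not be revoked leaves a live credential in an attacker's hands; that is why the message should name the revocation, not the code.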