sprmn24 7957da7a1d fix(web_server): hold _oauth_sessions_lock during PKCE session state writes ...

_submit_anthropic_pkce() retrieved sess under _oauth_sessions_lock but
wrote back to sess["status"] and sess["error_message"] outside the lock.
A concurrent session GC or cancel could race with these writes, producing
inconsistent session state.

Wrap all 4 sess write sites in _oauth_sessions_lock:
- network exception path (Token exchange failed)
- missing access_token path
- credential save failure path
- success path (approved)

2026-04-24 15:22:04 -07:00

118 KiB

Raw Blame History

View Raw