fix(chutes): validate oauth token lifetimes

steipete · steipete · commit 8c0aaee88237 · 2026-05-29T12:19:29.000-04:00
diff --git a/extensions/chutes/oauth.test.ts b/extensions/chutes/oauth.test.ts
@@ -0,0 +1,35 @@
+import { describe, expect, it, vi } from "vitest";
+import { loginChutes } from "./oauth.js";
+
+describe("chutes plugin OAuth", () => {
+  it("rejects unsafe token lifetimes before storing credentials", async () => {
+    const fetchFn = vi.fn(async (input: RequestInfo | URL) => {
+      const url =
+        typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
+      if (url === "https://api.chutes.ai/idp/token") {
+        return new Response(
+          '{"access_token":"at_unsafe","refresh_token":"rt_unsafe","expires_in":1e309}',
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        );
+      }
+      return new Response("not found", { status: 404 });
+    });
+
+    await expect(
+      loginChutes({
+        app: {
+          clientId: "cid_test",
+          redirectUri: "http://127.0.0.1:1456/oauth-callback",
+          scopes: ["openid"],
+        },
+        manual: true,
+        createState: () => "state_test",
+        onAuth: vi.fn(async () => {}),
+        onPrompt: vi.fn(
+          async () => "http://127.0.0.1:1456/oauth-callback?code=code_test&state=state_test",
+        ),
+        fetchFn,
+      }),
+    ).rejects.toThrow("Chutes token exchange returned invalid expires_in");
+  });
+});
diff --git a/extensions/chutes/oauth.ts b/extensions/chutes/oauth.ts
@@ -1,4 +1,5 @@
 import { randomBytes } from "node:crypto";
+import { parseStrictPositiveInteger } from "openclaw/plugin-sdk/number-runtime";
 import { generatePkceVerifierChallenge, toFormUrlEncoded } from "openclaw/plugin-sdk/provider-auth";
 import {
   parseOAuthCallbackInput,
@@ -97,9 +98,17 @@ function buildAuthorizeUrl(params: {
   return `${CHUTES_AUTHORIZE_ENDPOINT}?${qs.toString()}`;
 }
 
-function coerceExpiresAt(expiresInSeconds: number, now: number): number {
-  const value = now + Math.max(0, Math.floor(expiresInSeconds)) * 1000 - 5 * 60 * 1000;
-  return Math.max(value, now + 30_000);
+function resolveChutesExpiresAt(value: unknown, now: number): number | undefined {
+  const expiresInSeconds = parseStrictPositiveInteger(value);
+  if (expiresInSeconds === undefined) {
+    return undefined;
+  }
+  const lifetimeMs = expiresInSeconds * 1000;
+  const expiresAt = now + lifetimeMs - 5 * 60 * 1000;
+  if (!Number.isSafeInteger(lifetimeMs) || !Number.isSafeInteger(expiresAt)) {
+    return undefined;
+  }
+  return Math.max(expiresAt, now + 30_000);
 }
 
 async function fetchChutesUserInfo(params: {
@@ -155,18 +164,22 @@ async function exchangeChutesCodeForTokens(params: {
   };
   const access = normalizeOptionalString(data.access_token);
   const refresh = normalizeOptionalString(data.refresh_token);
+  const expires = resolveChutesExpiresAt(data.expires_in, now);
   if (!access) {
     throw new Error("Chutes token exchange returned no access_token");
   }
   if (!refresh) {
     throw new Error("Chutes token exchange returned no refresh_token");
   }
+  if (expires === undefined) {
+    throw new Error("Chutes token exchange returned invalid expires_in");
+  }
 
   const info = await fetchChutesUserInfo({ accessToken: access, fetchFn });
   return {
     access,
     refresh,
-    expires: coerceExpiresAt(data.expires_in ?? 0, now),
+    expires,
     email: info?.username,
     accountId: info?.sub,
     clientId: params.app.clientId,
diff --git a/src/agents/chutes-oauth.flow.test.ts b/src/agents/chutes-oauth.flow.test.ts
@@ -86,6 +86,33 @@ describe("chutes-oauth", () => {
     expect(creds.expires).toBe(now + 3600 * 1000 - 5 * 60 * 1000);
   });
 
+  it("rejects unsafe exchange token lifetimes", async () => {
+    const fetchFn = withFetchPreconnect(async (input: RequestInfo | URL) => {
+      const url = urlToString(input);
+      if (url !== CHUTES_TOKEN_ENDPOINT) {
+        return new Response("not found", { status: 404 });
+      }
+      return new Response(
+        '{"access_token":"at_unsafe","refresh_token":"rt_unsafe","expires_in":1e309}',
+        { status: 200, headers: { "Content-Type": "application/json" } },
+      );
+    });
+
+    await expect(
+      exchangeChutesCodeForTokens({
+        app: {
+          clientId: "cid_test",
+          redirectUri: "http://127.0.0.1:1456/oauth-callback",
+          scopes: ["openid"],
+        },
+        code: "code_unsafe",
+        codeVerifier: "verifier_unsafe",
+        fetchFn,
+        now: 1_000_000,
+      }),
+    ).rejects.toThrow("Chutes token exchange returned invalid expires_in");
+  });
+
   it("refreshes tokens using stored client id and falls back to old refresh token", async () => {
     const fetchFn = withFetchPreconnect(async (input: RequestInfo | URL, init?: RequestInit) => {
       const url = urlToString(input);
@@ -142,4 +169,25 @@ describe("chutes-oauth", () => {
 
     expectRefreshedCredential(refreshed, now);
   });
+
+  it("rejects unsafe refresh token lifetimes", async () => {
+    const fetchFn = withFetchPreconnect(async (input: RequestInfo | URL) => {
+      const url = urlToString(input);
+      if (url !== CHUTES_TOKEN_ENDPOINT) {
+        return new Response("not found", { status: 404 });
+      }
+      return new Response('{"access_token":"at_new","expires_in":1e309}', {
+        status: 200,
+        headers: { "Content-Type": "application/json" },
+      });
+    });
+
+    await expect(
+      refreshChutesTokens({
+        credential: createStoredCredential(4_000_000),
+        fetchFn,
+        now: 4_000_000,
+      }),
+    ).rejects.toThrow("Chutes token refresh returned invalid expires_in");
+  });
 });
diff --git a/src/agents/chutes-oauth.ts b/src/agents/chutes-oauth.ts
@@ -1,4 +1,5 @@
 import { createHash, randomBytes } from "node:crypto";
+import { parseStrictPositiveInteger } from "../infra/parse-finite-number.js";
 import type { OAuthCredentials } from "../llm/oauth.js";
 import { normalizeOptionalString } from "../shared/string-coerce.js";
 
@@ -81,9 +82,17 @@ export function parseOAuthCallbackInput(
   return { code, state };
 }
 
-function coerceExpiresAt(expiresInSeconds: number, now: number): number {
-  const value = now + Math.max(0, Math.floor(expiresInSeconds)) * 1000 - DEFAULT_EXPIRES_BUFFER_MS;
-  return Math.max(value, now + 30_000);
+function resolveChutesExpiresAt(value: unknown, now: number): number | undefined {
+  const expiresInSeconds = parseStrictPositiveInteger(value);
+  if (expiresInSeconds === undefined) {
+    return undefined;
+  }
+  const lifetimeMs = expiresInSeconds * 1000;
+  const expiresAt = now + lifetimeMs - DEFAULT_EXPIRES_BUFFER_MS;
+  if (!Number.isSafeInteger(lifetimeMs) || !Number.isSafeInteger(expiresAt)) {
+    return undefined;
+  }
+  return Math.max(expiresAt, now + 30_000);
 }
 
 async function fetchChutesUserInfo(params: {
@@ -144,21 +153,24 @@ export async function exchangeChutesCodeForTokens(params: {
 
   const access = data.access_token?.trim();
   const refresh = data.refresh_token?.trim();
-  const expiresIn = data.expires_in ?? 0;
+  const expires = resolveChutesExpiresAt(data.expires_in, now);
 
   if (!access) {
     throw new Error("Chutes token exchange returned no access_token");
   }
   if (!refresh) {
     throw new Error("Chutes token exchange returned no refresh_token");
   }
+  if (expires === undefined) {
+    throw new Error("Chutes token exchange returned invalid expires_in");
+  }
 
   const info = await fetchChutesUserInfo({ accessToken: access, fetchFn });
 
   return {
     access,
     refresh,
-    expires: coerceExpiresAt(expiresIn, now),
+    expires,
     email: info?.username,
     accountId: info?.sub,
     clientId: params.app.clientId,
@@ -210,18 +222,21 @@ export async function refreshChutesTokens(params: {
   };
   const access = data.access_token?.trim();
   const newRefresh = data.refresh_token?.trim();
-  const expiresIn = data.expires_in ?? 0;
+  const expires = resolveChutesExpiresAt(data.expires_in, now);
 
   if (!access) {
     throw new Error("Chutes token refresh returned no access_token");
   }
+  if (expires === undefined) {
+    throw new Error("Chutes token refresh returned invalid expires_in");
+  }
 
   return {
     ...params.credential,
     access,
     // RFC 6749 section 6: new refresh token is optional; if present, replace old.
     refresh: newRefresh || refreshToken,
-    expires: coerceExpiresAt(expiresIn, now),
+    expires,
     clientId,
   } as unknown as ChutesStoredOAuth;
 }
