fix: atomic authorization code consumption to prevent race condition (#27441)

[ousamabenyounes]

What does this PR do?

• Fixes fix: atomic authorization code consumption to prevent race condition #27441

OAuthService.exchangeCodeForTokens had a race condition — two concurrent requests with the same authorization code could both find it valid before either deleted it, violating RFC 6749 Section 4.1.2 (single-use codes).

Changes

• Added consumeCode method to AccessCodeRepository that wraps findFirst + deleteMany in a Prisma interactive transaction ($transaction)
• Updated OAuthService.exchangeCodeForTokens to call consumeCode instead of the separate findValidCode + deleteExpiredAndUsedCodes calls
• Added unit tests verifying atomic code consumption and concurrent-request rejection

Why a transaction

Without the transaction, the following race can occur:

1. Request A calls findValidCode → finds code → valid
2. Request B calls findValidCode → finds code → valid (not yet deleted)
3. Request A calls deleteExpiredAndUsedCodes → deletes code
4. Request B proceeds with the already-found code → issues tokens

With the transaction, step 2 would either not find the code (serializable) or block until step 3 completes.

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. N/A.
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

TZ=UTC yarn vitest run packages/features/oauth/services/OAuthService.test.ts

• 2 tests pass: verifies consumeCode is called atomically and that a null result (consumed by concurrent request) throws invalid_grant

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• My changes generate no new warnings
• My PR is small and focused

Generated by Claude Code
Vibe coded by ousamabenyounes

[CLAassistant]

All committers have signed the CLA.

[github-actions]

This PR has been marked as stale due to inactivity. If you're still working on it or need any help, please let us know or update the PR to keep it active.