twitter-api-typescript-sdk icon indicating copy to clipboard operation
twitter-api-typescript-sdk copied to clipboard
verified publisher icon xdevplatform

Update OAuth2 URL to X

Open osiastedian opened this issue 5 months ago • 2 comments

This should solve security issue when logging in with their X account.

Issue: Even when user is logged out from Twitter when Oauth 2 Authorization URL is used the session still retains and work. In effect, it bypasses the security of being logged out.

Problem

  1. Say user logged into X and then "Sign in with X" on a Third Party App.
  2. And then they Log out their X account on x.com
  3. On the Third Party App, they try to Sign in with X using the OAuth2 Authorization Code Flow.

Result:

  1. Everything still works as if their session wasn't logged on step number 2.
  2. Third Party app will still be able to get access token

Solution

Change the authorization url to x.com so that when user logged out. The session in their browser is also revoked/invalidated.

Result

Whenever user logged out and then they try to Sign in with X on a Third Party app. They will have to sign in to X again.

osiastedian avatar Jul 23 '25 02:07 osiastedian

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Jul 23 '25 02:07 CLAassistant

@refarer Good morning!

I was wondering if I could get a review on PR.

osiastedian avatar Jul 29 '25 13:07 osiastedian