From e314bbe1e3d47648da4f652741cae30530ce24ca Mon Sep 17 00:00:00 2001
From: le king fu
Date: Fri, 10 Apr 2026 15:35:10 -0400
Subject: [PATCH] fix: remove handle_auth_callback from invoke_handler
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The auth callback is handled exclusively via the deep-link handler in lib.rs — exposing it as a JS-invocable command is unnecessary attack surface. The frontend listens for auth-callback-success/error events instead. Plaintext token storage documented as known limitation (see #66).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src-tauri/src/lib.rs | 1 -
 src/services/authService.ts | 4 ----
 2 files changed, 5 deletions(-)

diff --git a/src-tauri/src/lib.rs b/src-tauri/src/lib.rs
index e433c47..c696613 100644
--- a/src-tauri/src/lib.rs
+++ b/src-tauri/src/lib.rs
@@ -157,7 +157,6 @@ pub fn run() {
 commands::list_activated_machines,
 commands::get_activation_status,
 commands::start_oauth,
- commands::handle_auth_callback,
 commands::refresh_auth_token,
 commands::get_account_info,
 commands::check_subscription_status,
diff --git a/src/services/authService.ts b/src/services/authService.ts
index c24540a..845e961 100644
--- a/src/services/authService.ts
+++ b/src/services/authService.ts
@@ -11,10 +11,6 @@ export async function startOAuth(): Promise {
 return invoke("start_oauth");
 }
 
-export async function handleAuthCallback(code: string): Promise {
- return invoke("handle_auth_callback", { code });
-}
-
 export async function refreshAuthToken(): Promise {
 return invoke("refresh_auth_token");
 }