Bug: DELETE /api/connect/:platform cannot remove github_follow token, leaving follow-capable OAuth credentials permanently in the database #458

@anshul23102

Description

Problem Statement

apps/backend/src/routes/connect.ts defines a GITHUB_FOLLOW_PLATFORM constant with value 'github_follow' for the OAuth token that carries the user:follow scope. However, the DELETE /api/connect/:platform endpoint only accepts platforms in a hardcoded allowlist that does not include 'github_follow':

const SUPPORTED_PLATFORMS = ['github', 'google', 'twitter', 'linkedin'];
if (!SUPPORTED_PLATFORMS.includes(platform)) {
    return reply.status(400).send({ error: `Unsupported platform: ${platform}` });
}

GITHUB_FOLLOW_PLATFORM = 'github_follow' is never in this list, so there is no way to delete the follow-capable token through the API. When a user disconnects GitHub from the settings page, only their 'github' read-only token is removed. The 'github_follow' token with user:follow scope remains permanently in the OAuthToken table.

Steps to Reproduce

  1. Connect a GitHub account through Settings (triggers GET /api/connect/github).
  2. After callback, the OAuthToken table contains a row with platform = 'github_follow'.
  3. Call DELETE /api/connect/github_follow with a valid JWT.
  4. Receive 400 Bad Request: "Unsupported platform: github_follow".
  5. Inspect the database - the github_follow token still exists.
  6. Disconnecting via DELETE /api/connect/github removes only the 'github' login token and leaves 'github_follow' untouched.

Expected Behavior

A user who disconnects their GitHub account should have all associated OAuth tokens removed, including the 'github_follow' credential. At minimum, 'github_follow' should be deletable as a supported platform.

Actual Behavior

The 'github_follow' token cannot be deleted via the disconnect endpoint. It persists in the database indefinitely, granting unused user:follow access to the stored GitHub account even after the user believes they have fully disconnected.

Root Cause Analysis

The SUPPORTED_PLATFORMS list was created before GITHUB_FOLLOW_PLATFORM was introduced as a separate token to avoid overwrite collisions between the login flow and the follow-connect flow. The list was never updated to include 'github_follow'.

Suggested Fix

Two options:

Option A - Add 'github_follow' to SUPPORTED_PLATFORMS:

const SUPPORTED_PLATFORMS = ['github', 'google', 'twitter', 'linkedin', 'github_follow'];

Option B - When deleting 'github', also delete 'github_follow' in the same transaction:

if (platform === 'github') {
    // The UI shows one GitHub connection, so remove both rows it is backed by.
    // deleteMany is a single statement and does not throw when a row is absent.
    await app.prisma.oAuthToken.deleteMany({
        where: { userId, platform: { in: ['github', GITHUB_FOLLOW_PLATFORM] } },
    });
} else {
    // Other platforms map to exactly one row, keyed by the (userId, platform) unique.
    await app.prisma.oAuthToken.delete({ where: { userId_platform: { userId, platform } } });
}

Option B is more user-friendly since users see a single "GitHub" connection in the UI and expect one disconnect to remove all GitHub tokens.

Environment

  • File: apps/backend/src/routes/connect.ts
  • Constant: GITHUB_FOLLOW_PLATFORM = 'github_follow' (line 16)
  • Endpoint: DELETE /api/connect/:platform
  • Affected field: SUPPORTED_PLATFORMS array

Checklist

  • Searched existing issues, not a duplicate
  • Read CONTRIBUTING.md guidelines
  • Provided clear reproduction steps
  • Described expected vs. actual clearly
  • No em dashes or double hyphens
  • Repository verified as GSSoC
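The following is an added example, not code from the issue author or from the project's apps/backend/src/routes/connect.ts. It shows the Option B idea in a self-contained form: the user-facing platform name is mapped to every OAuthToken row it is backed by, so a disconnect of "github" removes the 'github_follow' row as well, and adding a future internal token means editing one table rather than remembering to extend an allowlist. PLATFORM_TOKEN_ROWS, InMemoryTokenStore, disconnectPlatform, sampleStore and followTokenGoneAfterDisconnect are names assumed for this example; the in-memory store stands in for app.prisma.oAuthToken (whose calls would be awaited in the real route), and the token rows are constructed sample data.

```typescript
// Added example (not project code). Assumed names: PLATFORM_TOKEN_ROWS,
// InMemoryTokenStore, disconnectPlatform, sampleStore,
// followTokenGoneAfterDisconnect. Token rows below are constructed sample data.

// Mirrors the constant referenced in the issue.
const GITHUB_FOLLOW_PLATFORM = 'github_follow';

// One user-facing connection may be backed by several OAuthToken rows.
// A Map keeps lookups free of prototype keys such as "constructor".
const PLATFORM_TOKEN_ROWS = new Map<string, readonly string[]>([
  ['github', ['github', GITHUB_FOLLOW_PLATFORM]],
  ['google', ['google']],
  ['twitter', ['twitter']],
  ['linkedin', ['linkedin']],
]);

interface OAuthTokenRow {
  userId: string;
  platform: string;
  accessToken: string;
  scope: string;
}

// Minimal synchronous stand-in for app.prisma.oAuthToken.
class InMemoryTokenStore {
  constructor(private rows: OAuthTokenRow[]) {}

  findMany(userId: string): OAuthTokenRow[] {
    return this.rows.filter((r) => r.userId === userId);
  }

  // Like Prisma deleteMany: returns the count and never throws on no match.
  deleteMany(userId: string, platforms: readonly string[]): number {
    const before = this.rows.length;
    this.rows = this.rows.filter(
      (r) => !(r.userId === userId && platforms.includes(r.platform)),
    );
    return before - this.rows.length;
  }
}

type DisconnectResult =
  | { status: 200; deleted: number; platforms: readonly string[] }
  | { status: 400; error: string };

// Logic behind DELETE /api/connect/:platform. Only user-facing names are
// accepted; internal rows such as 'github_follow' are removed through
// their parent connection instead of being individually addressable.
function disconnectPlatform(
  store: InMemoryTokenStore,
  userId: string,
  platform: string,
): DisconnectResult {
  const platforms = PLATFORM_TOKEN_ROWS.get(platform);
  if (!platforms) {
    return { status: 400, error: `Unsupported platform: ${platform}` };
  }
  // A repeated disconnect is a harmless no-op (deleted === 0), whereas
  // delete() on a missing unique row would throw.
  const deleted = store.deleteMany(userId, platforms);
  return { status: 200, deleted, platforms };
}

// Constructed sample data: u1 has both GitHub rows plus Google; u2 has GitHub.
function sampleStore(): InMemoryTokenStore {
  return new InMemoryTokenStore([
    { userId: 'u1', platform: 'github', accessToken: 'gho_read', scope: 'read:user' },
    { userId: 'u1', platform: GITHUB_FOLLOW_PLATFORM, accessToken: 'gho_follow', scope: 'user:follow' },
    { userId: 'u1', platform: 'google', accessToken: 'ya29_sample', scope: 'openid' },
    { userId: 'u2', platform: 'github', accessToken: 'gho_other', scope: 'read:user' },
  ]);
}

// The check the issue asks for: after disconnecting GitHub, no
// follow-capable token remains for that user and other data is untouched.
function followTokenGoneAfterDisconnect(): boolean {
  const store = sampleStore();
  const result = disconnectPlatform(store, 'u1', 'github');
  const remaining = store.findMany('u1').map((r) => r.platform);
  return (
    result.status === 200 &&
    result.deleted === 2 &&
    !remaining.includes(GITHUB_FOLLOW_PLATFORM) &&
    remaining.includes('google') &&
    store.findMany('u2').length === 1
  );
}
```

In a Fastify handler the `400` branch maps to `reply.status(400).send(...)` and the store call becomes `await app.prisma.oAuthToken.deleteMany(...)`; the point of the table is that the disconnect endpoint can no longer fall out of step with a newly introduced internal token name.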
