merge: incorporate apiBase validation security fix

Author: Braden-sui

lib/vibe-auth.js

@@ -16,6 +16,7 @@ import {
   verboseLog,
   fetchJson,
   isLikelyClerkTokenProblem,
+  validateApiBase,
 } from "./vibe-utils.js";
 
 // =============================================================================
@@ -31,6 +32,10 @@ const [vibeAuthErrors] = errorCauses({
     code: "AUTH_EXPIRED",
     message: "Token expired and refresh failed",
   },
+  SecurityBlockError: {
+    code: "SECURITY_BLOCK",
+    message: "Security validation failed",
+  },
   ConfigReadError: {
     code: "CONFIG_READ_ERROR",
     message: "Failed to read configuration file",
@@ -56,6 +61,7 @@ const {
   ConfigWriteError,
   TokenExchangeError,
   RefreshError,
+  SecurityBlockError,
 } = vibeAuthErrors;
 
 // =============================================================================
@@ -715,6 +721,17 @@ const discoverOidc = async (issuer) => {
  * @returns {Promise<object>} Vibecodr token response
  */
 const exchangeForVibecodrToken = async ({ apiBase, clerkAccessToken }) => {
+  // SECURITY: Validate apiBase before sending tokens to prevent credential exfiltration
+  // A malicious or tampered apiBase could steal the Clerk access token
+  const apiCheck = validateApiBase(apiBase);
+  if (!apiCheck.valid) {
+    throw createError({
+      ...SecurityBlockError,
+      message: `Refusing to send token to untrusted API: ${apiCheck.reason}`,
+      apiBase,
+    });
+  }
+
   const url = `${normalizeOrigin(apiBase)}/auth/cli/exchange`;
   return fetchJson(url, {
     method: "POST",
@@ -902,6 +919,12 @@ export const refreshVibecodrToken = async ({
       verbose,
     });
   } catch (exchangeErr) {
+    // SECURITY: Security errors must propagate directly - never mask them
+    // This ensures token theft attempts are clearly reported, not hidden as auth issues
+    if (exchangeErr?.cause?.code === "SECURITY_BLOCK") {
+      throw exchangeErr;
+    }
+
     const now = Math.floor(Date.now() / 1000);
 
     if (!clerkRefreshToken) {

lib/vibe-auth.test.js

@@ -378,6 +378,44 @@ describe("refreshVibecodrToken", () => {
       expected: "AUTH_EXPIRED",
     });
   });
+
+  test("rejects malicious apiBase to prevent token exfiltration", async () => {
+    // SECURITY: Ensure tokens are never sent to untrusted URLs
+    fs.mkdirSync(path.dirname(tempConfigPath), { recursive: true });
+    const testConfig = {
+      clerk: {
+        access_token: "clerk-token-to-protect",
+        refresh_token: "clerk-refresh-token",
+        expires_at: Math.floor(Date.now() / 1000) + 3600,
+      },
+    };
+    fs.writeFileSync(tempConfigPath, JSON.stringify(testConfig));
+
+    let error;
+    try {
+      await refreshVibecodrToken({
+        configPath: tempConfigPath,
+        apiBase: "https://evil-attacker.com", // Malicious apiBase
+      });
+    } catch (e) {
+      error = e;
+    }
+
+    // Should reject BEFORE making any network request
+    assert({
+      given: "malicious apiBase",
+      should: "throw SECURITY_BLOCK error to prevent token theft",
+      actual: error?.cause?.code,
+      expected: "SECURITY_BLOCK",
+    });
+
+    assert({
+      given: "malicious apiBase",
+      should: "include reason in error message",
+      actual: error?.message?.includes("untrusted"),
+      expected: true,
+    });
+  });
 });
 
 // =============================================================================