From ba4bb53f0d67d0b043d05aa12647672492bb8e7b Mon Sep 17 00:00:00 2001
From: svemagie <869694+svemagie@users.noreply.github.com>
Date: Sat, 25 Apr 2026 20:49:30 +0200
Subject: [PATCH] fix(oauth): unset expiresAt on access token during code exchange
Auth codes are created with expiresAt = now + 10min. The updateOne that sets the access token on code exchange was missing $unset: { expiresAt: "" }, so the 10-min TTL survived onto the access token. Token middleware rejects any token where expiresAt < now, causing Phanpy and all Mastodon clients to be forced to re-login every 10 minutes. The refresh_token rotation path already had this $unset correctly.
Co-Authored-By: Claude Sonnet 4.6
---
 lib/mastodon/routes/oauth.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/mastodon/routes/oauth.js b/lib/mastodon/routes/oauth.js
index 2a31c1c..58f6c81 100644
--- a/lib/mastodon/routes/oauth.js
+++ b/lib/mastodon/routes/oauth.js
@@ -610,6 +610,7 @@ router.post("/oauth/token", async (req, res, next) => {
 refreshToken,
 refreshExpiresAt: new Date(Date.now() + REFRESH_TOKEN_TTL),
 },
+ $unset: { expiresAt: "" },
 },
 );
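Review bot: With `$unset: { expiresAt: "" }` the exchanged document carries no access-token expiry at all, so by the commit message's account of the middleware (it rejects only `expiresAt < now`) the token appears to stay valid until it is revoked or rotated; nothing in this hunk bounds its lifetime. If that is intended, say so next to the operator, e.g. `// access tokens do not expire; this only clears the auth code's 10-minute expiresAt`, so a later reader does not take the missing field for an oversight. If a bounded lifetime is wanted, write a fresh access-token expiry into the `$set` instead of removing the field. The `updateOne` filter lies outside the hunk, so confirm it matches only an unused, unexpired code, because this single write now turns a short-lived code record into a non-expiring token record. The route handler starts and ends outside the hunk.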