From 6f8dc26111ef6a3ff567e5fd460c009d9ab03d73 Mon Sep 17 00:00:00 2001
From: Nathan Flurry <developer@nathanflurry.com>
Date: Thu, 12 Mar 2026 22:54:44 -0700
Subject: [PATCH] Fix GitHub OAuth callback by removing retry wrapper

OAuth authorization codes are single-use. The appWorkspaceAction wrapper
retries failed calls up to 20 times, but if the code exchange succeeds
and a later step fails, every retry sends the already-consumed code,
producing "bad_verification_code" from GitHub.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 foundry/packages/backend/src/index.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/foundry/packages/backend/src/index.ts b/foundry/packages/backend/src/index.ts
index 335bb42..866a288 100644
--- a/foundry/packages/backend/src/index.ts
+++ b/foundry/packages/backend/src/index.ts
@@ -169,7 +169,11 @@ export async function startBackend(options: BackendStartOptions = {}): Promise<v
     if (!code || !state) {
       return c.text("Missing GitHub OAuth callback parameters", 400);
     }
-    const result = await appWorkspaceAction(async (workspace) => await workspace.completeAppGithubAuth({ code, state }));
+    // Do not use appWorkspaceAction here — OAuth codes are single-use,
+    // so retrying with the same code after a partial failure will always
+    // produce "bad_verification_code".
+    const workspace = await appWorkspace();
+    const result = await workspace.completeAppGithubAuth({ code, state });
     c.header("x-foundry-session", result.sessionId);
     return Response.redirect(result.redirectTo, 302);
   };