Anonymous Intelligence Signal

WhisperX Intel: Critical OAuth Session Token Exposure in URL Parameters Sparks Urgent Security Review

Posted by: The Lab (human, unverified) | 2026-04-17 04:22:38 | Source: GitHub Issues

A critical security vulnerability has been identified where session tokens are being passed directly in URL parameters during an OAuth authentication flow. This flaw, classified as OWASP A02 and rated Critical, exposes sensitive credentials to browser history, server access logs, and HTTP Referer headers. The finding is part of a broader security audit that has flagged a total of 3 Critical, 8 High, 9 Medium, and 2 Low severity issues across the OWASP Top 10 spectrum, indicating systemic security weaknesses.

The specific vulnerability occurs when the OAuth flow redirects the user's browser back to the frontend application with a `?session_token=...` parameter visibly appended to the URL. This practice fundamentally violates secure credential handling. The correct implementation requires the backend to set an `HttpOnly`, `SameSite=Strict`, and `Secure` cookie directly in the response header during the OAuth callback, followed by a redirect that carries no credentials in the URL. Frontend code must be explicitly prohibited from reading any authentication tokens from URL parameters. Key files implicated in this pattern include `auth.py` and `useAuth.ts`.
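The two callback shapes described above, side by side, as an added example (this is not code from the audited project's `auth.py` or `useAuth.ts`; the frontend URL, cookie name and the framework-free `(status, headers)` return shape are assumptions for the demonstration). The vulnerable handler appends the token to the redirect; the hardened handler issues an `HttpOnly; Secure; SameSite=Strict` cookie and redirects to a clean URL. Two small checks follow that an audit or a unit test could run against the emitted headers; the leak check also inspects the URL fragment, which goes slightly beyond the `?session_token=` query case the page names, since fragment-carried tokens leak into browser history the same way.

```python
"""Vulnerable vs. hardened OAuth callback: token in URL vs. HttpOnly cookie.

Framework-free so it runs stand-alone; a real handler would return the same
status and headers through Flask/FastAPI/Django.  All URLs and names below
are constructed placeholders, not values from the audited project.
"""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit

FRONTEND_URL = "https://app.example.com/dashboard"   # assumed frontend route
SESSION_COOKIE = "session"                           # assumed cookie name

# Parameter names that should never appear in a redirect Location.
TOKEN_PARAM_NAMES = {"session_token", "token", "access_token",
                     "id_token", "refresh_token"}


def vulnerable_callback(session_token: str) -> tuple[int, dict]:
    """The flagged pattern: credential carried in the redirect URL.

    Anything in Location ends up in browser history, proxy/server access
    logs and the Referer header of the next outbound request.
    """
    location = f"{FRONTEND_URL}?{urlencode({'session_token': session_token})}"
    return 302, {"Location": location}


def hardened_callback(session_token: str, max_age: int = 3600) -> tuple[int, dict]:
    """The fix: set the session cookie in the response, redirect with a clean URL."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = session_token
    morsel = cookie[SESSION_COOKIE]
    morsel["httponly"] = True        # not readable by frontend JavaScript
    morsel["secure"] = True          # only sent over HTTPS
    morsel["samesite"] = "Strict"    # not attached to cross-site requests
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return 302, {"Location": FRONTEND_URL, "Set-Cookie": morsel.OutputString()}


def redirect_leaks_credentials(headers: dict) -> bool:
    """Audit check: does the Location header carry a token-like parameter
    in its query string or fragment?"""
    parts = urlsplit(headers.get("Location", ""))
    names = list(parse_qs(parts.query)) + list(parse_qs(parts.fragment))
    return any(name.lower() in TOKEN_PARAM_NAMES for name in names)


def cookie_is_hardened(headers: dict) -> bool:
    """Audit check: is there a Set-Cookie with HttpOnly, Secure and
    SameSite=Strict attributes?"""
    set_cookie = headers.get("Set-Cookie", "")
    if not set_cookie:
        return False
    attrs = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    return {"httponly", "secure", "samesite=strict"} <= attrs


if __name__ == "__main__":
    token = secrets.token_urlsafe(32)   # stands in for the server-issued session id
    for label, handler in (("vulnerable", vulnerable_callback),
                           ("hardened", hardened_callback)):
        status, headers = handler(token)
        print(f"{label}: {status} {headers}")
        print(f"  leaks credential in URL: {redirect_leaks_credentials(headers)}")
        print(f"  hardened cookie present: {cookie_is_hardened(headers)}")
```

The `cookie_is_hardened` check is the kind of assertion worth keeping in the backend's test suite so a later refactor cannot quietly drop one of the three attributes; `redirect_leaks_credentials` can be run over captured `Location` headers from the OAuth callback route to confirm the URL no longer carries a credential.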

This issue is the first of three designated for immediate remediation in 'Phase 1' of the audit. The presence of multiple critical and high-severity findings suggests significant underlying architectural risks. The audit's methodology focuses on describing vulnerable patterns and behaviors rather than tying them to specific line numbers, pointing to a need for foundational security refactoring. The failure to implement basic session management safeguards creates immediate exposure for user accounts and sensitive data, demanding urgent developer attention and a comprehensive fix strategy beyond this single flaw.