fix(auth): prevent client-supplied auth params from overriding reserved OIDC fields#158
fix(auth): prevent client-supplied auth params from overriding reserved OIDC fields#158itpropro wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d5d71fa149
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if (reservedAuthParameters.has(param)) { | ||
| return |
There was a problem hiding this comment.
Normalize reserved auth param names before filtering
The new denylist check only compares the raw allowedClientAuthParameters entry against camelCase names, so a reserved field can still be forwarded and override server values when configured in snake_case (for example response_type, client_id, redirect_uri, code_challenge). Because client params are later passed through convertObjectToSnakeCase(...) and merged after the server-built query, this bypass reintroduces the override path this commit is intended to close whenever a project allowlists snake_case keys.
Useful? React with 👍 / 👎.
Motivation
allowedClientAuthParametersand forwarded them after server-controlled fields, allowing forwarded names (e.g.redirectUri,responseType,clientId,codeChallenge,scope) to override critical OIDC authorization parameters.Description
reservedAuthParametersdenylist insrc/runtime/server/handler/login.get.tsand skip anyallowedClientAuthParametersthat match these reserved names to prevent override of protocol-sensitive fields.src/runtime/server/utils/provider.tsto state that reserved OAuth/OIDC parameters are always blocked.Testing
pnpm -s vitest run test/unit/utils/config.test.tsagainst the modified code and the run failed due to test environment configuration (the repositorytsconfig.jsonextends./.nuxt/tsconfig.jsonwhich is not generated in this environment), so automated unit tests could not be completed here.Codex Task