fix: potential panics in login and return proper http 405 (#8065)

# Which Problems Are Solved We identified some parts in the code, which could panic with a nil pointer when accessed without auth request. Additionally, if a GRPC method was called with an unmapped HTTP method, e.g. POST instead of GET a 501 instead of a 405 was returned. # How the Problems Are Solved - Additional checks for existing authRequest - custom http status code mapper for gateway # Additional Changes None. # Additional Context - noted internally in OPS
2025-12-10 03:42:20 +00:00 · 2024-06-07 09:30:04 +02:00
parent 9b16c61038
commit 26c7d95c88
5 changed files with 29 additions and 6 deletions
--- a/internal/api/ui/login/init_password_handler.go
+++ b/internal/api/ui/login/init_password_handler.go
@@ -91,16 +91,18 @@ func (l *Login) checkPWCode(w http.ResponseWriter, r *http.Request, authReq *dom
 func (l *Login) resendPasswordSet(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, data *initPasswordFormData) {
 	userOrg := data.OrgID
 	userID := data.UserID
+	var authReqID string
 	if authReq != nil {
 		userOrg = authReq.UserOrgID
 		userID = authReq.UserID
+		authReqID = authReq.ID
 	}
 	passwordCodeGenerator, err := l.query.InitEncryptionGenerator(r.Context(), domain.SecretGeneratorTypePasswordResetCode, l.userCodeAlg)
 	if err != nil {
 		l.renderInitPassword(w, r, authReq, userID, "", err)
 		return
 	}
-	_, err = l.command.RequestSetPassword(setContext(r.Context(), userOrg), userID, userOrg, domain.NotificationTypeEmail, passwordCodeGenerator, authReq.ID)
+	_, err = l.command.RequestSetPassword(setContext(r.Context(), userOrg), userID, userOrg, domain.NotificationTypeEmail, passwordCodeGenerator, authReqID)
 	l.renderInitPassword(w, r, authReq, userID, "", err)
 }