From 79a5585f91d104af3d25cfcb9a8d7d79067e15d7 Mon Sep 17 00:00:00 2001
From: Livio Spring
Date: Mon, 7 Apr 2025 17:40:42 +0200
Subject: [PATCH] fix(login): handle requests without auth request correctly (#9713)

# Which Problems Are Solved
We found some paths in the login UI, where requests without any `AuthRequest` were not handled correctly and could potentially panic. This also includes providing the `AuthRequest` as part of `ctx` object in actions V1.
# How the Problems Are Solved
- Check for the existance of an `AuthRequest` were needed and return an error otherwise.
- Provide correct state of the `AuthRequest` for actions V1
# Additional Changes
None
# Additional Context
- Noticed as part of a support request
- requires backport to at least 2.70.x
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
---
internal/actions/object/auth_request.go | 3 +++
internal/api/ui/login/external_provider_handler.go | 4 ++++
2 files changed, 7 insertions(+)
diff --git a/internal/actions/object/auth_request.go b/internal/actions/object/auth_request.go
index 7d4d869af1..93d842f98f 100644
--- a/internal/actions/object/auth_request.go
+++ b/internal/actions/object/auth_request.go
@@ -18,6 +18,9 @@ func AuthRequestField(authRequest *domain.AuthRequest) func(c *actions.FieldConf
 }
 
 func AuthRequestFromDomain(c *actions.FieldConfig, request *domain.AuthRequest) goja.Value {
+ if request == nil {
+ return c.Runtime.ToValue(nil)
+ }
 var maxAuthAge *time.Duration
 if request.MaxAuthAge != nil {
 maxAuthAgeCopy := *request.MaxAuthAge
diff --git a/internal/api/ui/login/external_provider_handler.go b/internal/api/ui/login/external_provider_handler.go
index 1c421a7743..d198978f1a 100644
--- a/internal/api/ui/login/external_provider_handler.go
+++ b/internal/api/ui/login/external_provider_handler.go
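Review bot: The new nil guard in AuthRequestFromDomain returns `c.Runtime.ToValue(nil)` without saying what that means for action scripts — goja maps a nil interface to JS `null` as far as I recall, so a script doing `ctx.v1.authRequest.userId` now throws a TypeError inside the sandbox instead of panicking the Go runtime, which is the right trade but one script authors need to know about. I would state it in the function's doc comment: `// AuthRequestFromDomain converts request into a JS object for actions V1. A nil request yields JS null, so scripts must check ctx.v1.authRequest before dereferencing it.` Writing the guard as `return goja.Null()` would also make the intent explicit rather than relying on ToValue's nil mapping. The body of AuthRequestFromDomain continues past the end of the hunk.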
@@ -633,6 +633,10 @@ func (l *Login) autoCreateExternalUser(w http.ResponseWriter, r *http.Request, a
 // renderExternalNotFoundOption renders a page, where the user is able to edit the IDP data,
 // create a new externalUser of link to existing on (based on the IDP template)
 func (l *Login) renderExternalNotFoundOption(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, orgIAMPolicy *query.DomainPolicy, human *domain.Human, idpLink *domain.UserIDPLink, err error) {
+ if authReq == nil {
+ l.renderError(w, r, nil, err)
+ return
+ }
 resourceOwner := determineResourceOwner(r.Context(), authReq)
 if orgIAMPolicy == nil {
 orgIAMPolicy, err = l.getOrgDomainPolicy(r, resourceOwner)
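Review bot: The early return in renderExternalNotFoundOption hands the incoming `err` straight to renderError, but on this path `err` may itself be nil (a caller reaching the not-found page without a prior failure passes nil), so the user gets an error page with no stated cause and the log carries nothing explaining why the external login was aborted. Before calling renderError I would substitute an explicit error when none was supplied, e.g. `if err == nil { err = errors.New("auth request missing") }`, or better the project's error constructor with a proper error ID and i18n key, whichever this file already uses. Returning early here is otherwise right: without an AuthRequest there is no login flow to bind the IdP-provided `human`/`idpLink` data to, and `determineResourceOwner(r.Context(), authReq)` on the next line is presumably where the nil dereference occurred. The function's body continues outside the hunk.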