refactor(auth): add TOTPPasscode to OIDC Callback payload

Prepares the OIDC callback struct to carry a TOTP passcode so the
handler can enforce 2FA for users with TOTP enabled. No behaviour
change yet.

Refs GHSA-8jvc-mcx6-r4cg
kolaente 2026-04-09 13:08:32 +02:00 committed by kolaente
parent c03d682f48
commit 2b980be20d
1 changed files with 4 additions and 0 deletions

@ -47,6 +47,10 @@ type Callback struct {
Code string `query:"code" json:"code"`
Scope string `query:"scope" json:"scope"`
RedirectURL string `json:"redirect_url"`
// TOTPPasscode is required when the resolved user has TOTP enabled.
// Clients must restart the OIDC flow and populate this field after
// receiving a 412 with error code 1017. See GHSA-8jvc-mcx6-r4cg.
TOTPPasscode string `json:"totp_passcode"`
}
// Provider is the structure of an OpenID Connect provider
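Review bot: The doc comment on `TOTPPasscode` says the passcode "is required" and describes a 412 response with error code 1017, but the commit message states there is no behaviour change yet, so at this revision nothing in the visible lines enforces the check or returns that error. Either land this together with the handler change or word the comment as upcoming behaviour, so nobody reading this commit alone assumes 2FA is already enforced on the OIDC callback. The field also has only a `json` tag, while `Code` and `Scope` carry a `query` tag as well. If the intent is that the passcode is only ever read from the request body and never from the URL, say so in the comment so a `query` tag is not added later for symmetry. Finally, consider referring to the error by its named constant rather than the bare number 1017, so the comment stays correct if codes are renumbered.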