Commit Graph

3 Commits

Author SHA1 Message Date
Tink 7208694960
fix(auth): build OIDC end-session URL with RP-Initiated Logout params (#2943) 2026-06-19 18:27:33 +02:00
kolaente 5b7924b1f6 fix(auth): return ErrAccountLocked for locked accounts on login
The login status check mapped a locked account to ErrAccountDisabled,
surfacing the disabled-account error code and message even though a
dedicated ErrAccountLocked exists (and the OIDC flow already uses it). Map
the locked status to ErrAccountLocked so credential login is consistent with
OIDC across both /api/v1 and /api/v2. Disabled accounts still return
ErrAccountDisabled.

This changes the v1 login error code for locked accounts on the wire (1020 ->
1026); the change is intentional and approved.
2026-06-17 19:43:41 +00:00
kolaente 9aa0687288 test(api/v2): cover v2 login, logout and OIDC gating
Login asserts the token, the HttpOnly refresh cookie, the no-store header
and the credential/TOTP gates. Logout asserts the session is deleted and the
cookie cleared. OIDC coverage is the registrar gate (404 when disabled,
public route when enabled) — the full provider flow needs a live OIDC server,
as the existing openid package tests show.
2026-06-17 19:43:41 +00:00