The OIDC callback handler previously issued a JWT without ever checking TOTP state. For installations with EmailFallback (or UsernameFallback) enabled, this allowed an attacker who could authenticate at the IdP with a matching email to log in as a local user with TOTP enrolled, bypassing the second factor entirely. HandleCallback now runs enforceTOTPIfRequired after resolving the user and before any team sync writes, returning 412/1017 when the passcode is missing or invalid. Clients resubmit the OIDC flow with the totp_passcode field populated. Fixes GHSA-8jvc-mcx6-r4cg
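An added Go example (not the project's own code) showing the ordering the commit message describes: the local user is resolved by IdP email (EmailFallback), enforceTOTPIfRequired runs before any team sync or JWT issuance, and a missing or wrong totp_passcode yields the 412/1017 error. The user directory map, the error value and the inline RFC 6238 verifier are constructed assumptions standing in for the project's real types.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// ErrTOTPRequired is what the HTTP layer maps to status 412, application error code 1017.
var ErrTOTPRequired = errors.New("412/1017: totp_passcode missing or invalid")

// totpCode computes an RFC 6238 code (HMAC-SHA1, 6 digits, 30-second step).
func totpCode(secret []byte, t time.Time) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(sum[off:off+4])&0x7fffffff)%1000000)
}

// enforceTOTPIfRequired is a no-op when the user has no TOTP secret enrolled;
// otherwise the submitted passcode must match the current step (constant-time compare).
func enforceTOTPIfRequired(secret []byte, passcode string, now time.Time) error {
	if secret != nil && !hmac.Equal([]byte(passcode), []byte(totpCode(secret, now))) {
		return ErrTOTPRequired
	}
	return nil
}

// handleCallback resolves the local user by IdP email (EmailFallback) from a constructed
// directory (email -> TOTP secret, nil if unenrolled) and checks TOTP before team sync or JWT.
func handleCallback(users map[string][]byte, idpEmail, passcode string, now time.Time) (string, error) {
	secret, ok := users[idpEmail]
	if !ok {
		return "", errors.New("no local user for IdP identity")
	}
	if err := enforceTOTPIfRequired(secret, passcode, now); err != nil {
		return "", err // nothing written, no token issued
	}
	return "jwt-for-" + idpEmail, nil // team sync and JWT issuance only after the second factor
}

func main() {
	users := map[string][]byte{"alice@example.test": []byte("12345678901234567890")}
	_, err := handleCallback(users, "alice@example.test", "", time.Now())
	fmt.Println(err)
}
```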