vikunja/pkg/modules/auth
kolaente f04b5a43f9 fix(auth): don't link OIDC login to an arbitrary local user when the email claim is empty
The email-only fallback built &user.User{Issuer: IssuerLocal, Email: cl.Email}.
GetUserWithEmail ANDs only non-zero fields, so an empty cl.Email degenerated the
lookup to issuer-only, matching an arbitrary local user and wrongly linking the
OIDC login to that account (account-takeover / wrong-link).

Guard the email-only branch to only run when cl.Email != "" so an empty email
falls through to user creation (nothing to safely match on). As defense in depth,
skip empty username candidates too, so no fallback search can ever degenerate to
issuer-only ({Issuer, Username:"", Email:""}).

This is a latent pre-existing issue (the pre-#2945 code had the same
searchUser.Email = cl.Email with no empty guard); the #2945 refactor only
surfaced it. Adds a regression test.
2026-06-19 20:35:22 +02:00
ldap fix(auth): skip profile updates for disabled LDAP users 2026-03-23 16:37:26 +00:00
oauth2server feat(audit): emit the login event for the OAuth code exchange 2026-06-12 08:56:08 +00:00
openid fix(auth): don't link OIDC login to an arbitrary local user when the email claim is empty 2026-06-19 20:35:22 +02:00
auth.go refactor(auth): extract transport-agnostic login, logout and OIDC cores 2026-06-17 19:43:41 +00:00
auth_test.go feat(auth): add GetAuthFromContext for Huma handlers 2026-05-31 12:56:57 +00:00