vikunja/pkg/modules/auth/openid
kolaente f04b5a43f9 fix(auth): don't link OIDC login to an arbitrary local user when the email claim is empty
The email-only fallback built &user.User{Issuer: IssuerLocal, Email: cl.Email}.
GetUserWithEmail ANDs only non-zero fields, so an empty cl.Email degenerated the
lookup to issuer-only, matching an arbitrary local user and wrongly linking the
OIDC login to that account (account-takeover / wrong-link).

Guard the email-only branch to only run when cl.Email != "" so an empty email
falls through to user creation (nothing to safely match on). As defense in depth,
skip empty username candidates too, so no fallback search can ever degenerate to
issuer-only ({Issuer, Username:"", Email:""}).

This is a latent pre-existing issue (the pre-#2945 code had the same
searchUser.Email = cl.Email with no empty guard); the #2945 refactor only
surfaced it. Adds a regression test.
2026-06-19 20:35:22 +02:00
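To make the failure mode in the commit message concrete, here is an added example (my own, not Vikunja's code) that emulates a lookup which ANDs only the non-zero fields of its condition struct, then runs the pre-fix email-only fallback and the guarded version against it. Everything here is hypothetical: the `User` and `claims` types, `findUser`, `linkVulnerable`, `linkFixed`, the constructed user table, and the assumed order of username-before-email candidates.

```go
package main

import "fmt"

const IssuerLocal = "local"

// User is a hypothetical stand-in for the user record; the field names
// follow the commit message, not the project's real model.
type User struct {
	ID       int64
	Issuer   string
	Username string
	Email    string
}

// Constructed sample user table: ordinary local accounts with no relation
// to the incoming OIDC login.
var users = []User{
	{ID: 1, Issuer: IssuerLocal, Username: "alice", Email: "alice@example.com"},
	{ID: 2, Issuer: IssuerLocal, Username: "bob", Email: "bob@example.com"},
}

// findUser emulates an ORM lookup that ANDs together only the non-zero
// fields of the condition struct (the GetUserWithEmail behaviour the commit
// message describes). An empty field does not mean "must be empty"; it is
// dropped from the WHERE clause entirely, which is the root of the bug.
func findUser(cond User) (*User, bool) {
	for i := range users {
		u := &users[i]
		if cond.Issuer != "" && u.Issuer != cond.Issuer {
			continue
		}
		if cond.Username != "" && u.Username != cond.Username {
			continue
		}
		if cond.Email != "" && u.Email != cond.Email {
			continue
		}
		return u, true
	}
	return nil, false
}

// claims is the subset of OIDC claims the fallback consults (hypothetical).
type claims struct {
	Email    string
	Username string
}

// linkVulnerable reproduces the pre-fix fallback: the email-only search runs
// even when cl.Email is empty, so the condition collapses to {Issuer: local}
// and the first local user in table order is returned.
func linkVulnerable(cl claims) (*User, bool) {
	return findUser(User{Issuer: IssuerLocal, Email: cl.Email})
}

// linkFixed applies the guards from the commit message: each candidate search
// is skipped when its discriminating field is empty, so no lookup can
// degenerate to issuer-only. (nil, false) is the "create a new user" path.
// The order (username first, then email) is an assumption of this example.
func linkFixed(cl claims) (*User, bool) {
	if cl.Username != "" {
		if u, ok := findUser(User{Issuer: IssuerLocal, Username: cl.Username}); ok {
			return u, true
		}
	}
	if cl.Email != "" {
		if u, ok := findUser(User{Issuer: IssuerLocal, Email: cl.Email}); ok {
			return u, true
		}
	}
	return nil, false
}

func main() {
	empty := claims{} // provider sent neither email nor preferred_username
	if u, ok := linkVulnerable(empty); ok {
		fmt.Printf("vulnerable: empty claims linked to %s (id %d)\n", u.Username, u.ID)
	}
	if _, ok := linkFixed(empty); !ok {
		fmt.Println("fixed: empty claims match nobody; caller creates a fresh user")
	}
}
```

The general lesson is the same for any ORM that builds conditions from a struct with zero values omitted: an empty string in a lookup key is silently a wildcard, so every identity-matching query needs an explicit non-empty check on the field it is supposed to match.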
cron.go fix: add missing Commit() to write callers 2026-02-25 11:03:02 +01:00
main_test.go feat: move to slog for logging 2025-07-21 18:15:39 +02:00
openid.go fix(auth): don't link OIDC login to an arbitrary local user when the email claim is empty 2026-06-19 20:35:22 +02:00
openid_test.go fix(auth): don't link OIDC login to an arbitrary local user when the email claim is empty 2026-06-19 20:35:22 +02:00
providers.go fix(auth): tolerate string booleans in oidc provider config (#2599) 2026-04-11 19:10:26 +00:00
providers_test.go test(auth): cover env-var string booleans for oidc providers (#2599) 2026-04-11 19:10:26 +00:00