From 1ee4cacbe9b58dd365e07f3711950cd2d77a128a Mon Sep 17 00:00:00 2001 From: ZacharyZcR Date: Wed, 15 Jul 2026 15:06:19 +0800 Subject: [PATCH] Merge commit from fork --- src/backend/database/routes/users.ts | 33 ++++++++++++---------------- 1 file changed, 14 insertions(+), 19 deletions(-) diff --git a/src/backend/database/routes/users.ts b/src/backend/database/routes/users.ts index 9823b3de..c9d5eba8 100644 --- a/src/backend/database/routes/users.ts +++ b/src/backend/database/routes/users.ts @@ -1115,25 +1115,20 @@ router.get("/oidc/callback", async (req, res) => { ); if (tokenData.id_token) { - try { - userInfo = await verifyOIDCToken( - tokenData.id_token as string, - config.issuer_url, - config.client_id, - caCert, - ); - } catch { - try { - const parts = (tokenData.id_token as string).split("."); - if (parts.length === 3) { - const payload = JSON.parse( - Buffer.from(parts[1], "base64").toString(), - ); - userInfo = payload; - } - } catch (decodeError) { - authLogger.error("Failed to decode ID token payload:", decodeError); - } + userInfo = await verifyOIDCToken( + tokenData.id_token as string, + config.issuer_url, + config.client_id, + caCert, + ); + + const expectedNonce = (storedNonce as { value: string }).value; + if (userInfo.nonce !== expectedNonce) { + authLogger.warn("OIDC ID token nonce mismatch", { + operation: "oidc_nonce_mismatch", + providerId: callbackProviderId, + }); + return res.status(401).json({ error: "Invalid OIDC token nonce" }); } }