6 changes: 4 additions & 2 deletions app/components/auth_welcome.rb
@@ -1,10 +1,11 @@
class Components::AuthWelcome < Components::Base
include Phlex::Rails::Helpers::DistanceOfTimeInWordsToNow

def initialize(headline:, subtitle:, return_to: nil)
def initialize(headline:, subtitle:, return_to: nil, login_hint: nil)
@headline = headline
@subtitle = subtitle
@return_to = return_to
@login_hint = login_hint
end

def view_template
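Review bot: the new `login_hint:` keyword is added without any comment on what it carries or where it comes from; since the component later writes it straight into the email input, a one-line note that it is the caller-supplied pre-fill address (the OIDC `login_hint` value, untrusted) would tell future readers that it must arrive validated rather than raw from a query string.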
@@ -43,7 +44,8 @@ def render_actions
placeholder: t("identities.email_placeholder"),
required: true,
autocomplete: "email",
style: "width: 100%;"
style: "width: 100%;",
value: @login_hint
)

small(style: "color: var(--muted-color); display: block; margin-top: 0.5rem;") do
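Review bot: `value: @login_hint` places a string taken from the `return_to` query string into the email field with no validation, so whoever builds the link into this flow decides what the user sees pre-filled as their own address. Phlex escapes attribute values and omits the attribute when `@login_hint` is nil, so this is not a markup injection problem, but the hint should still be checked before it reaches the component, for example accepted only when it matches `URI::MailTo::EMAIL_REGEXP` and has a bounded length, so an arbitrary string is never presented as the user's identity.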
3 changes: 2 additions & 1 deletion app/controllers/static_pages_controller.rb
@@ -11,13 +11,14 @@ def welcome
end

def oauth_welcome
# Extract client_id from the return_to URL
# Extract client_id and login_hint from the return_to URL
@return_to = params[:return_to]
if @return_to.present?
uri = URI.parse(@return_to)
Bug: URI.parse(@return_to) lacks error handling for malformed URLs, leading to an unrescued URI::InvalidURIError and application crash.
Severity: CRITICAL | Confidence: High

🔍 Detailed Analysis

If a malformed URL is passed as the return_to parameter, the URI.parse(@return_to) call on line 17 will raise an unrescued URI::InvalidURIError, causing the application to crash. This creates a denial-of-service vulnerability, disrupting the authentication flow.

💡 Suggested Fix

Wrap URI.parse(@return_to) in a begin...rescue URI::InvalidURIError block to handle malformed URLs gracefully, preventing application crashes.

🤖 Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: app/controllers/static_pages_controller.rb#L17

Potential issue: If a malformed URL is passed as the `return_to` parameter, the
`URI.parse(@return_to)` call on line 17 will raise an unrescued `URI::InvalidURIError`,
causing the application to crash. This creates a denial-of-service vulnerability,
disrupting the authentication flow.


params_hash = URI.decode_www_form(uri.query || "").to_h
client_id = params_hash["client_id"]
@program = Program.find_by(uid: client_id) if client_id
@login_hint = params_hash["login_hint"]
end

@program ||= nil
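Review bot: `URI.parse(@return_to)` remains unrescued, so a `return_to` containing characters such as a space or an unbalanced bracket raises `URI::InvalidURIError` and the request ends in a 500 instead of the welcome page; wrap the parse (`uri = URI.parse(@return_to) rescue nil`, or a `begin ... rescue URI::InvalidURIError` block) and skip the query extraction when it fails. `params_hash["login_hint"]` is then handed to the view exactly as the caller supplied it, so the format check (email-shaped, bounded length) belongs here, next to the `client_id` lookup, rather than being left to the template. Nothing in the hunk restricts `return_to` to this application's own host or path before `client_id` and `login_hint` are read from it; if that check lives elsewhere, a pointer in the comment would help. Finally, `@program ||= nil` is a no-op, since an unassigned instance variable already reads as nil.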
3 changes: 2 additions & 1 deletion app/views/static_pages/oauth_welcome.html.erb
@@ -2,5 +2,6 @@
<%= render Components::AuthWelcome.new(
headline: "Continue to #{service_name}",
subtitle: "Sign in or create an account to continue",
return_to: @return_to
return_to: @return_to,
login_hint: @login_hint
) %>