chore: reject non-UUID OAuth client states

issuedat · issuedat · commit 087323fe3109 · 2025-12-02T16:39:58.000+01:00
diff --git a/internal/api/external.go b/internal/api/external.go
@@ -580,7 +580,11 @@ func (a *API) loadExternalState(ctx context.Context, r *http.Request, db *storag
 		ctx = withFlowStateID(ctx, claims.FlowStateID)
 	}
 	if claims.OAuthClientStateID != "" {
-		ctx = withOAuthClientStateID(ctx, uuid.FromStringOrNil(claims.OAuthClientStateID))
+		oauthClientStateID, err := uuid.FromString(claims.OAuthClientStateID)
+		if err != nil {
+			return nil, apierrors.NewBadRequestError(apierrors.ErrorCodeBadOAuthState, "OAuth callback with invalid state (oauth_client_state_id must be UUID)")
+		}
+		ctx = withOAuthClientStateID(ctx, oauthClientStateID)
 	}
 	if claims.LinkingTargetID != "" {
 		linkingTargetUserID, err := uuid.FromString(claims.LinkingTargetID)

Original file line number	Diff line number	Diff line change
`@@ -580,7 +580,11 @@ func (a API) loadExternalState(ctx context.Context, r http.Request, db *storag`
`580`	`580`	`ctx = withFlowStateID(ctx, claims.FlowStateID)`
`581`	`581`	`}`
`582`	`582`	`if claims.OAuthClientStateID != "" {`
`583`		`- ctx = withOAuthClientStateID(ctx, uuid.FromStringOrNil(claims.OAuthClientStateID))`
	`583`	`+ oauthClientStateID, err := uuid.FromString(claims.OAuthClientStateID)`
	`584`	`+ if err != nil {`
	`585`	`+ return nil, apierrors.NewBadRequestError(apierrors.ErrorCodeBadOAuthState, "OAuth callback with invalid state (oauth_client_state_id must be UUID)")`
	`586`	`+ }`
	`587`	`+ ctx = withOAuthClientStateID(ctx, oauthClientStateID)`
`584`	`588`	`}`
`585`	`589`	`if claims.LinkingTargetID != "" {`
`586`	`590`	`linkingTargetUserID, err := uuid.FromString(claims.LinkingTargetID)`