Merge pull request #45 from datum-cloud/fix/server-side-idp-validation

JoseSzycho · web-flow · commit 4b9f26568d78 · 2026-01-13T17:32:58.000-03:00
fix: prevent unauthorized IDP linking via session validation
diff --git a/README.md b/README.md
@@ -78,7 +78,6 @@ You can already use the current state, and extend it with your needs.
 - [x] Domain Discovery
 - [x] Branding
 - OIDC Standard
-
   - [x] Authorization Code Flow with PKCE
   - [x] AuthRequest `hintUserId`
   - [x] AuthRequest `loginHint`
diff --git a/apps/login/src/app/(main)/(boxed)/idp/[provider]/success/page.tsx b/apps/login/src/app/(main)/(boxed)/idp/[provider]/success/page.tsx
@@ -6,6 +6,7 @@ import { loginFailed } from "@/components/idps/pages/login-failed";
 import { loginSuccess } from "@/components/idps/pages/login-success";
 import { registrationFailed } from "@/components/idps/pages/registration-failed";
 import { Translated } from "@/components/translated";
+import { getMostRecentSessionCookie } from "@/lib/cookies";
 import { generateRouteMetadata } from "@/lib/metadata";
 import { getServiceUrlFromHeaders } from "@/lib/service-url";
 import {
@@ -15,6 +16,7 @@ import {
   getIDPByID,
   getLoginSettings,
   getOrgsByDomain,
+  getSession,
   listUsers,
   retrieveIDPIntent,
   updateHuman,
@@ -266,6 +268,29 @@ export default async function Page(props: {
     if (!resolvedUserId) {
       return linkingFailed("User context missing");
     }
+
+    try {
+      const recentCookie = await getMostRecentSessionCookie();
+      const { session } = await getSession({
+        serviceUrl,
+        sessionId: recentCookie.id,
+        sessionToken: recentCookie.token,
+      });
+
+      if (session?.factors?.user?.id !== resolvedUserId) {
+        console.error(
+          "Security Violation: Attempt to link IDP to different user",
+          {
+            sessionUserId: session?.factors?.user?.id,
+            targetUserId: resolvedUserId,
+          },
+        );
+        return linkingFailed("Access Denied");
+      }
+    } catch {
+      return linkingFailed("Error getting user session");
+    }
+
     if (!options?.isLinkingAllowed) {
       // linking was probably disallowed since the invitation was created
       return linkingFailed("Linking is no longer allowed");
