fix: validate consent action and add error check after re-parse

2026-02-19 11:09:14 +01:00 · 2026-02-19 11:09:14 +01:00 · 078892a413
commit 078892a413
parent 5c4269fd6e
1 changed files with 7 additions and 0 deletions
--- a/src/porchlight/oidc/endpoints.py
+++ b/src/porchlight/oidc/endpoints.py
@ -336,6 +336,9 @@ async def consent_submit(request: Request) -> Response:
        params = urlencode({"error": "access_denied", "state": state})
        return RedirectResponse(f"{redirect_uri}?{params}", status_code=303)

+    if action != "allow":
+        return HTMLResponse("<h1>Error</h1><p>Invalid action</p>", status_code=400)
+
    # Allow — collect approved scopes
    approved_scopes = form.getlist("scope")
    if "openid" not in approved_scopes:
@ -357,4 +360,8 @@ async def consent_submit(request: Request) -> Response:
    except Exception as exc:
        return HTMLResponse(f"<h1>Error</h1><p>{exc}</p>", status_code=400)

+    if "error" in parsed:
+        error_desc = parsed.get("error_description", parsed["error"])
+        return HTMLResponse(f"<h1>Error</h1><p>{error_desc}</p>", status_code=400)
+
    return await _complete_authorization(request, oidc_server, endpoint, parsed, userid, username)