fix(oauth2): persist linkAccountData during auto-link 2FA flow#38274
afahey03 wants to merge 6 commits into
Conversation
Pull request overview
This PR fixes a session persistence bug in the OAuth2/OIDC automatic account-linking flow when the target local user must pass local 2FA/WebAuthn. It ensures the account-linking context (linkAccountData) survives the redirect into the 2FA flow, matching the already-working manual linking behavior, and adds an integration test to prevent regressions.
Changes:
- Persist linkAccountData into the session when redirecting to the local 2FA/WebAuthn flow during OAuth2 auto-linking.
- Add an integration test covering OIDC auto account linking when the existing user has local TOTP 2FA enabled.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| tests/integration/auth_oauth2_test.go | Adds TestOAuth2AutoLinkWithTwoFactor to validate auto-link completes after local 2FA. |
| routers/web/auth/linkaccount.go | Stores linkAccountData in session for the auto-link + 2FA redirect path to avoid “not in LinkAccount session”. |
@bircni Thanks for your changes, do you mind taking one final look?
It's better to let @wxiaoguang check again if it's OK now.
It should use 3e9078f, but not make a function do more things than it should do. If anything is wrong because of it, there must be some bugs which need to be fixed.
Indeed, bad design caused problems. Always fix existing bad designs, but do not keep introducing more bad designs.
3e9078f split session persistence into two calls, Each
See my commit and comment. |
Looks good, thank you |
Fixes HTTP 500 when OIDC auto account linking (ACCOUNT_LINKING=auto) requires local 2FA. `oauth2LinkAccount` set `linkAccount` in the session before redirecting to 2FA but did not persist `linkAccountData`, so `TwoFactorPost` failed with “not in LinkAccount session”. The manual linking flow already stored both; this aligns auto-link with that behavior.

Created the test `TestOAuth2AutoLinkWithTwoFactor`, which verifies that automatic account linking completes after the user passes local 2FA when an OIDC identity matches an existing account.

DISCLAIMER: I used AI to create the test
Closes #38171
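The failure mode the PR describes, modeled as a small added Go example (not Gitea's code; the `Session` map, the `LinkAccountData` struct, the handler names and the key strings are constructed for illustration): the auto-link path before the fix sets the `linkAccount` marker but drops the linking context, so the 2FA completion handler has nothing to finish the link with; the fixed path stores both before redirecting, as the manual flow already did.

```go
package main

import (
	"errors"
	"fmt"
)

// Session is a constructed stand-in for the server-side session store.
type Session map[string]any

// Hypothetical session keys mirroring the two values named in the PR.
const (
	keyLinkAccount     = "linkAccount"
	keyLinkAccountData = "linkAccountData"
)

// LinkAccountData is a hypothetical stand-in for the account-linking
// context that must survive the redirect into the 2FA step.
type LinkAccountData struct {
	AuthSourceID int64
	ExternalID   string
	LocalUserID  int64
}

// ErrNotInLinkAccountSession models the error the PR fixes.
var ErrNotInLinkAccountSession = errors.New("not in LinkAccount session")

// autoLinkBefore models the auto-link path before the fix: it marks the
// session as being in a linking flow but never persists the context.
func autoLinkBefore(s Session, data LinkAccountData) string {
	s[keyLinkAccount] = true
	return "/user/two_factor"
}

// autoLinkAfter models the fixed path: both values are stored before the
// redirect, matching what the manual linking flow already did.
func autoLinkAfter(s Session, data LinkAccountData) string {
	s[keyLinkAccount] = true
	s[keyLinkAccountData] = data
	return "/user/two_factor"
}

// twoFactorPost models the 2FA completion handler. Once the code is
// accepted it needs the linking context to finish the link; if the
// marker is present but the data is missing, it fails the way the PR
// description reports.
func twoFactorPost(s Session, totpValid bool) (LinkAccountData, error) {
	if !totpValid {
		return LinkAccountData{}, errors.New("invalid 2FA code")
	}
	if inLink, _ := s[keyLinkAccount].(bool); !inLink {
		return LinkAccountData{}, nil // ordinary login, nothing to link
	}
	data, ok := s[keyLinkAccountData].(LinkAccountData)
	if !ok {
		return LinkAccountData{}, ErrNotInLinkAccountSession
	}
	// Consume the one-shot linking context so a later request in the
	// same session cannot reuse it.
	delete(s, keyLinkAccount)
	delete(s, keyLinkAccountData)
	return data, nil
}

func main() {
	data := LinkAccountData{AuthSourceID: 1, ExternalID: "ext-123", LocalUserID: 42}

	s := Session{}
	autoLinkBefore(s, data)
	_, err := twoFactorPost(s, true)
	fmt.Println("before fix:", err)

	s = Session{}
	autoLinkAfter(s, data)
	got, err := twoFactorPost(s, true)
	fmt.Println("after fix:", got, err)
}
```

Clearing both keys once the link completes is a design choice of this example, not something the PR states; it keeps the stored linking context scoped to the single 2FA round trip it was written for.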