Skip to content

fix(oauth2): persist linkAccountData during auto-link 2FA flow#38274

Open
afahey03 wants to merge 6 commits into
go-gitea:mainfrom
afahey03:fix/oauth2-auto-link-2fa-session
Open

fix(oauth2): persist linkAccountData during auto-link 2FA flow#38274
afahey03 wants to merge 6 commits into
go-gitea:mainfrom
afahey03:fix/oauth2-auto-link-2fa-session

Conversation

@afahey03

@afahey03 afahey03 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Fixes HTTP 500 when OIDC auto account linking (ACCOUNT_LINKING=auto) requires local 2FA. oauth2LinkAccount set linkAccount in the session before redirecting to 2FA but did not persist linkAccountData, so TwoFactorPost failed with not in LinkAccount session. The manual linking flow already stored both, this aligns auto-link with that behavior.

Created the test, TestOAuth2AutoLinkWithTwoFactor, which verifies that automatic account linking completes after the user passes local 2FA when an OIDC identity matches an existing account.

DISCLAIMER: I used AI to create the test

Closes #38171

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jun 29, 2026
@lunny lunny requested a review from Copilot June 29, 2026 19:04
@lunny lunny added outdated/backport/v1.26 This PR should be backported to Gitea 1.26 backport/v1.27 This PR should be backported to Gitea 1.26 labels Jun 29, 2026
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jun 29, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a session persistence bug in the OAuth2/OIDC automatic account-linking flow when the target local user must pass local 2FA/WebAuthn. It ensures the account-linking context (linkAccountData) survives the redirect into the 2FA flow, matching the already-working manual linking behavior, and adds an integration test to prevent regressions.

Changes:

  • Persist linkAccountData into the session when redirecting to the local 2FA/WebAuthn flow during OAuth2 auto-linking.
  • Add an integration test covering OIDC auto account linking when the existing user has local TOTP 2FA enabled.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
tests/integration/auth_oauth2_test.go Adds TestOAuth2AutoLinkWithTwoFactor to validate auto-link completes after local 2FA.
routers/web/auth/linkaccount.go Stores linkAccountData in session for the auto-link + 2FA redirect path to avoid “not in LinkAccount session”.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread routers/web/auth/linkaccount.go Outdated
@bircni bircni removed the outdated/backport/v1.26 This PR should be backported to Gitea 1.26 label Jun 30, 2026
@afahey03

Copy link
Copy Markdown
Contributor Author

@bircni Thanks for your changes, do you mind taking one final look?

@bircni bircni requested a review from wxiaoguang June 30, 2026 16:43
@bircni

bircni commented Jun 30, 2026

Copy link
Copy Markdown
Member

its better to let @wxiaoguang check again if its ok now

@wxiaoguang

wxiaoguang commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

It should use 3e9078f , but not make a function do more things than it should do.

If anything wrong caused by it, there must be some bugs which need to be fixed.

@wxiaoguang

Copy link
Copy Markdown
Contributor

If anything wrong caused by it, there must be some bugs which need to be fixed.

Indeed, bad design caused problems. Always fix existing bad designs, but not keep introducing more bad designs.

@afahey03

afahey03 commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

@wxiaoguang

3e9078f split session persistence into two calls, Oauth2SetLinkAccountData (which calls updateSession/RegenerateSession once for linkAccountData) and then a second updateSession for twofaUid, twofaRemember, and linkAccount)

Each updateSession regenerated the session, but the second regeneration didn't carry linkAccountData into the cookie that the client received, so after 2FA the sesson didn't have linkAccountData`, which was effectively re-causing 500 bug that the PR was fixing

@wxiaoguang

Copy link
Copy Markdown
Contributor

@wxiaoguang

3e9078f split session persistence into two calls, Oauth2SetLinkAccountData (which calls updateSession/RegenerateSession once for linkAccountData) and then a second updateSession for twofaUid, twofaRemember, and linkAccount)

Each updateSession regenerated the session, but the second regeneration didn't carry linkAccountData into the cookie that the client received, so after 2FA the sesson didn't have linkAccountData`, which was effectively re-causing 500 bug that the PR was fixing

See my commit and comment.

@afahey03

afahey03 commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

@wxiaoguang
3e9078f split session persistence into two calls, Oauth2SetLinkAccountData (which calls updateSession/RegenerateSession once for linkAccountData) and then a second updateSession for twofaUid, twofaRemember, and linkAccount)
Each updateSession regenerated the session, but the second regeneration didn't carry linkAccountData into the cookie that the client received, so after 2FA the sesson didn't have linkAccountData`, which was effectively re-causing 500 bug that the PR was fixing

See my commit and comment.

Looks good, thank you

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport/v1.27 This PR should be backported to Gitea 1.26 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug

Projects

None yet

Development

Successfully merging this pull request may close these issues.

OIDC auto account linking fails with HTTP 500 when the existing Gitea user has local 2FA/WebAuthn enabled.

6 participants